WatchGuard Account SSO Integration with Auth0

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard accounts with Auth0 as an identity provider.

WatchGuard Account Authentication Data Flow with Auth0

Auth0 communicates with cloud-based services and service providers using the SAML protocol. This diagram shows the data flow of an MFA transaction for WatchGuard Cloud.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have a tier-1 WatchGuard Cloud account, and an operator with the Owner or Administrator role.
  • A token is assigned to a user in Auth0.

Additional charges might apply to use Auth0.

Configure Auth0

Before you configure Auth0, you must copy the WatchGuard Service Provider SAML Metadata URL from the WatchGuard Account SSO Configuration Wizard.

To copy WatchGuard Service Provider SAML Metadata URL:

  1. Log in to the WatchGuard Cloud with your WatchGuard user account credentials.
  2. Select Administrator > SSO.
    The SAML SSO page opens.

Screenshot of WGID, picture1

  3. Click Configure SAML SSO.
    The Important dialog box opens.

Screenshot of WGID, picture2

  4. Click Continue.
    The WatchGuard Account SSO Configuration Wizard page opens.

Screenshot of WGID, picture2

  5. In the WatchGuard Service Provider SAML Metadata text box, copy the WatchGuard Service Provider SAML Metadata URL.
  6. To view the WatchGuard Service Provider SAML Metadata file, open a new tab in your web browser and enter the URL you copied in the previous step.
  7. To save the WatchGuard Service Provider SAML Metadata file to your local computer, right-click the page, then select Save As.

    Keep the WatchGuard Account SSO Configuration Wizard page open. You need to complete the configuration on this page after the Auth0 configuration is complete.

To configure Auth0:

  1. Log in to Auth0 with an administrator account.
  2. Select User Management > Users.

Screenshot of Auth0, picture1

  3. Click + Create User.
    The Create User page opens.

    You must create the same user in WatchGuard Cloud.

Screenshot of Auth0, picture1

  4. In the Email text box, type your email address.
  5. In the Password text box, type a password.
  6. In the Repeat Password text box, type the password again.
  7. Click Create.
    The User page opens.

Screenshot of Auth0, picture2

  8. Select Actions > Send Verification Email.
  9. Click Confirm.
    An activation email message is sent to verify your email address.
  10. Select Applications > Applications.

Screenshot of Auth0, picture2

  11. Click + Create Application.
    The Create Application page opens.

Screenshot of Auth0, picture2

  12. In the Name text box, type a name. In our example, we use WG App.
  13. From the Choose An Application Type section, select Regular Web Applications.
  14. Click Create.
    The Regular Web Application page opens.

Screenshot of Auth0, picture3

  15. Select the Addons tab.
  16. Enable the SAML2 WEB APP option.
    The Addon: SAML2 Web App page opens.

Screenshot of Auth0, picture4

  17. Select the Usage tab.
  18. To download the Auth0 metadata file, from the Identity Provider Metadata section, click Download.
  19. Select the Settings tab.
    The Settings page opens.

Screenshot of Auth0, picture5

  20. In the Application Callback URL text box, type or paste the value of the AssertionConsumerService Location parameter. You can copy this value from the WatchGuard Service Provider SAML Metadata file you saved in this section.
  21. From the Settings section, uncomment the Audience line and change its value to the entityID value from the WatchGuard Service Provider SAML Metadata file you saved in this section.
  22. Scroll down and uncomment the nameIdentifierFormat line.
  23. Uncomment nameIdentifierProbes.
  24. Uncomment the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim under nameIdentifierProbes.
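The Callback URL, Audience and nameIdentifierProbes values above are all read by hand out of the two metadata files. The following added example (written for this page; it is not WatchGuard's or Auth0's code) does that reading with a script: it pulls the AssertionConsumerService Location and entityID out of the Service Provider metadata, prefers the ACS marked isDefault, refuses a non-HTTPS callback, and checks that the downloaded Auth0 IdP metadata carries a signing certificate and an HTTPS SingleSignOnService endpoint before you upload it in the wizard. Both metadata documents below are constructed samples with placeholder hostnames (example.invalid) and a placeholder certificate, not values from a real tenant.

```python
"""Derive the Auth0 SAML2 Web App addon values from WatchGuard SP metadata
and sanity-check the Auth0 IdP metadata file. Added example; the XML
samples are constructed and the hostnames are placeholders."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed stand-in for the WatchGuard Service Provider SAML Metadata file.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs-alt" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the Auth0 Identity Provider Metadata download.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:tenant.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.example.invalid/samlp/placeholder"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.invalid/samlp/placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings_from_metadata(xml_text: str) -> dict:
    """Return the values the Auth0 addon settings need, taken from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs_list = sp.findall(MD + "AssertionConsumerService")
    if not acs_list:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    defaults = [a for a in acs_list if a.get("isDefault") == "true"]
    acs = defaults[0] if defaults else min(acs_list, key=lambda a: int(a.get("index", "0")))
    callback = acs.attrib["Location"]
    if not callback.startswith("https://"):
        # Assertions carry identity; never let them be posted over plain HTTP.
        raise ValueError(f"ACS Location is not https: {callback}")
    return {
        "callback_url": callback,                 # Application Callback URL
        "audience": root.attrib["entityID"],      # Audience line in Settings
        "nameIdentifierProbes": [EMAIL_CLAIM],    # claim the guide uncomments
        "sp_nameid_format": sp.findtext(MD + "NameIDFormat"),  # for comparison only
    }


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems found in the IdP metadata; empty means OK."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["metadata has no IDPSSODescriptor"]
    problems = []
    has_cert = any(
        k.get("use") in (None, "signing") and k.find(f".//{DS}X509Certificate") is not None
        for k in idp.findall(MD + "KeyDescriptor")
    )
    if not has_cert:
        problems.append("no signing certificate: assertions could not be verified")
    endpoints = idp.findall(MD + "SingleSignOnService")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for ep in endpoints:
        if not ep.get("Location", "").startswith("https://"):
            problems.append(f"non-https SSO endpoint: {ep.get('Location')}")
    return problems


if __name__ == "__main__":
    settings = sp_settings_from_metadata(SP_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("IdP metadata problems:", check_idp_metadata(IDP_METADATA) or "none")
```

Run it against the real files by replacing the two constructed strings with `open(path).read()`; the values it prints are the ones to paste into the Application Callback URL box and the Audience line, and a non-empty problem list is a reason not to upload the IdP file yet.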

Screenshot of Auth0, picture5

  25. (Optional) Click Debug.
    A confirmation message appears after the debug is successful.
  26. Scroll down the page, then click Enable.
  27. To close the page, in the upper right corner, click ×.
  28. To enable Auth0 multi-factor authentication, select Security > Multi-factor Auth.
    The Multi-factor Authentication page opens.

Screenshot of Auth0, picture6

  29. From the Factors section, select Push Notification Using Auth0 Guardian.
    The Push Notification Using Auth0 Guardian page opens.

Screenshot of Auth0, picture6

  30. Select Push Notification using Auth0 Guardian.
  31. Click Back to Multi-factor Authentication.
    The Define Policies page opens.

Screenshot of Auth0, picture6

  32. For Require Multi-factor Auth, select Always.
  33. Click Save.
  34. Click Continue.

Configure SSO for Your WatchGuard Account

To configure SSO for your WatchGuard account:

  1. Go to the WatchGuard Account SSO Configuration Wizard page you opened in the Configure Auth0 section.

Screenshot of WGID, picture3

  2. Click Select a Metadata File, then upload the Auth0 metadata file you downloaded in the Configure Auth0 section.
  3. Click Next.
    The SAML Configuration options open.

Screenshot of Okta, picture6

  4. In the IDP Name text box, enter a name to identify your identity provider. In our example, we name the IDP Auth0.
  5. Keep the default values for all other settings.
  6. To proceed through the Contact Information and Support Message pages, click Next.
    The SSO Reference URLs page opens.

    The SSO reference URLs are the direct links to the SSO login page for each account.

Screenshot of WGID, picture5

  7. Click Save.
  8. Click Back to WatchGuard Cloud.
  9. Select the user icon > My Account.
  10. Select SSO. Make sure the Enable SAML SSO toggle is green.
  11. To add operators in WatchGuard Cloud, follow the steps in Add Operators to your Account. After you add an operator, make sure the Enable login with SAML SSO check box is selected.

Screenshot of WGC, add operators

To log in with SSO, you must have a WatchGuard Cloud operator account and an Auth0 user account. Both accounts must have the same email address.
When you configure SAML SSO for your WatchGuard account, users can log in either with SSO or with their local user account. We recommend that users log in with SSO so they do not have to re-authenticate after their initial login.

Test the Integration

To test Auth0 MFA with your WatchGuard account, you can use push notification, SMS, email, one-time password, or a combination of these methods, and enable them across all users and applications.

In this example, we show a push notification sent with the Guardian method.

  1. In a web browser, go to WatchGuard Cloud.
  2. Click Log In With SSO.

Screenshot of WGC, test sso

  3. In the IDP Name text box, type the IDP name.
  4. Click Log In.
  5. In the Email Address text box, type your email address.
  6. In the Password text box, type your password.
  7. Click Continue.
  8. Approve the authentication request sent to your mobile device.
    You are logged in to WatchGuard Cloud.