WatchGuard Account SSO Integration with Microsoft Entra ID
This document describes how to set up multi-factor authentication (MFA) for your WatchGuard accounts with Microsoft Entra ID as an identity provider.
WatchGuard Account Authentication Data Flow with Microsoft Entra ID
Microsoft Entra ID communicates with various cloud-based services and service providers with the SAML protocol. This diagram shows the data flow of an MFA transaction for WatchGuard Cloud.
Before You Begin
Before you begin these procedures, make sure that:
- You have a Microsoft Azure global administrator account within the Microsoft Entra ID tenant.
- You have a tier-1 WatchGuard Cloud account, and an operator with the Owner or Administrator role.
Additional charges might apply to use Microsoft Entra ID.
Configure Microsoft Entra ID
Before you configure Microsoft Entra ID, you must save the WatchGuard Service Provider SAML metadata file.
To save the WatchGuard Service Provider SAML metadata file:
- Log in to WatchGuard Cloud with your WatchGuard user account credentials.
- Select Administration > SSO.
The SAML SSO page opens.
- Click Configure SAML SSO.
The Important dialog box opens.
- Click Continue.
The WatchGuard Account SSO Configuration Wizard page opens.
- From the WatchGuard Service Provider SAML Metadata text box, copy the WatchGuard Service Provider SAML Metadata URL.
- In a new browser tab, go to the WatchGuard Service Provider SAML Metadata URL you copied in the previous step.
- To save the WatchGuard Service Provider SAML metadata file to your system, right-click on the page, then select Save As.
To complete the configuration, keep the WatchGuard Account SSO Configuration Wizard page open. After you configure Microsoft Entra ID, you must configure the settings on this page.
To configure Microsoft Entra ID:
- Log in to the Entra ID portal with your Microsoft Azure account credentials.
- Search for and select Microsoft Entra ID.
- To add a Microsoft Entra ID user, select Manage > Users > All users > + New User.
- Select Create New User. Make sure your user email address matches the UPN value of the user.
The Create New User page opens.
- Click Create.
- On the Microsoft Entra ID page, select Manage > Enterprise Applications.
- Select Manage > All Applications > New Application.
- Click Create Your Own Application.
The Create Your Own Application page opens.
- In the What's the Name of Your App? text box, type a name.
- Select Integrate Any Other Application You Don't Find in the Gallery (Non-Gallery).
- Click Create.
- Select Manage > Single Sign-On.
The Single Sign-On page opens.
- From the Select a Single Sign-On Method section, select SAML.
The SAML-Based Sign-On page opens.
- Click Upload Metadata File.
The Upload Metadata File dialog box opens.
- Browse and select the WatchGuard Service Provider SAML metadata file you saved in the previous section.
- Click Add.
- Click Save.
- To close the Basic SAML Configuration page, click the close icon.
The Test Single Sign-On With <your application> dialog box opens.
- Click No, I'll Test Later.
The Set Up Single Sign-on with SAML page opens.
- From the SAML Certificates section, next to Federation Metadata XML, click Download.
- From the navigation menu, select Manage > Users and Groups.
The Users and Groups page opens.
- Click + Add User/Group.
- Click None Selected, then select the user you created.
- Click Select.
- Click Assign.
- To enable Microsoft Entra ID multi-factor authentication, from the navigation menu, select Security > Conditional Access.
- Select + New Policy.
The New Conditional Access page opens.
- In the Name text box, type a policy name.
- From the Assignments section, for Users or Workload Identities, click 0 Users or Workload Identities Selected.
- From the What does this policy apply to? drop-down list, select Users and Groups.
The options to include or exclude users and groups show.
- From the Include tab, select Select Users and Groups.
- Select the Users and Groups check box.
- From the Select section, click 0 Users and Groups Selected.
- Search and select the user or group, then click Select.
- Under the Access Controls section, for Grant, click 0 Controls Selected.
The options panel to block or grant access opens.
- Select Grant Access.
- Select the Require Multifactor Authentication check box.
- For For Multiple Controls, select Require All the Selected Controls.
- Click Select.
- For Enable Policy, select On.
- Keep the default values for other settings.
- Click Create.
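Before you upload the Federation Metadata XML you downloaded in the steps above into the WatchGuard wizard, it is worth checking what it actually contains: the entityID, the SSO endpoints (which must be HTTPS) and the signing certificate, whose SHA-256 fingerprint you can compare with the certificate shown in the SAML Certificates section. The following script is an added example, not WatchGuard or Microsoft code; the metadata it parses is a constructed placeholder, not a real tenant's, and it also catches the common mistake of uploading the WatchGuard SP metadata file instead of the IdP file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample in the shape of an IdP Federation Metadata XML file; the
# certificate is a 5-byte DER placeholder, not a real key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant-placeholder/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/tenant-placeholder/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""

def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints, signing-cert SHA-256 fingerprints and a problem list."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # e.g. the WatchGuard SP metadata file selected by mistake
        return {"entityID": entity_id, "sso": {}, "signing_sha256": [],
                "problems": problems + ["no IDPSSODescriptor: not IdP metadata"]}
    sso = {}  # binding URN -> endpoint URL
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"non-HTTPS SSO endpoint: {loc}")
        sso[svc.get("Binding", "")] = loc
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:  # a DER certificate starts with SEQUENCE (0x30)
                problems.append("signing certificate is not valid DER")
                continue
            fingerprints.append(hashlib.sha256(der).hexdigest().upper())
    if not fingerprints:
        problems.append("no signing certificate: assertions cannot be verified")
    return {"entityID": entity_id, "sso": sso, "signing_sha256": fingerprints, "problems": problems}
```

Run it against the real downloaded file with `inspect_idp_metadata(open("FederationMetadata.xml").read())`; an empty `problems` list and a fingerprint that matches the portal are what you want to see before you click Select a Metadata File.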
Configure SSO for Your WatchGuard Account
To configure SSO for your WatchGuard account:
- From the WatchGuard Account SSO Configuration Wizard page you left open in Configure Microsoft Entra ID, click Select a Metadata File.
- Upload the Microsoft Entra ID Federation Metadata XML file you downloaded in Configure Microsoft Entra ID.
- Click Next.
The SAML Configuration options open.
- In the IDP Name text box, type a name to identify your identity provider. In our example, we name the IDP microsoft_entra_id.
- Keep the default values for other settings.
- To open the SSO Reference URLs page, click Next three times.
The SSO Reference URLs page opens. The SSO reference URLs provide you with the direct links to the SSO login page for each account.
- Click Save.
- From the top of the page, click Back to WatchGuard Cloud.
- Select > My Account.
- Select SSO. Make sure the Enable SAML SSO toggle status is green.
- To add the operators in WatchGuard Cloud, follow the steps in Add Operators to Your Account.
To log in with SSO, you must have a WatchGuard Cloud operator account and an Azure user account. Both user accounts must have the same email address. After you add the operator, make sure the Enable Login With SAML SSO check box is selected.
When you configure SAML SSO for your WatchGuard account, users can either log in with SSO or with their local user account. We recommend users log in with SSO so they do not have to re-authenticate after their initial login.
Test the Integration
To test Microsoft Entra MFA with your WatchGuard Account, you can choose any method (Microsoft Authenticator number matching, Microsoft Authenticator code, SMS code, or Phone call).
Microsoft Authenticator number matching is enabled for all authenticator push notifications. In this example, we show the Microsoft Authenticator number matching method.
- In a web browser, go to WatchGuard Cloud.
- Click Log In With SSO.
- In the IDP Name text box, type the IDP name.
- Click Log In.
- In the Sign In text box, type your email.
- Click Next.
- In the Enter Password text box, type your password.
- Click Sign In.
The Approve sign in request page opens.
- To complete the approval, enter the number you see in your authenticator app.
- Click Yes.
You are logged in to WatchGuard Cloud.