Add an Authentication Domain to a Firebox
Applies To: Cloud-managed Fireboxes
You can add an authentication domain to the Firebox so that you can specify users and groups from your authentication server in firewall policies, aliases, and mobile VPN settings.
Before you can add an Active Directory or RADIUS authentication domain to the Firebox, you must first add it to the Shared Configurations settings of your WatchGuard Cloud account. For more information, go to WatchGuard Cloud Authentication Domains.
Add a WatchGuard Cloud Authentication Domain
To add an authentication domain to the Firebox configuration:
- Select Configure > Devices.
- Select a Firebox.
Status and settings for the selected Firebox appear.
- Select Device Configuration.
- Click the Authentication Domains tile.
The Authentication Domains page opens.
- Click Add Authentication Domain.
The Add Authentication Domain page opens.
- Select WatchGuard Cloud Directory.
- From the Select an Existing Authentication Domain drop-down list, select the authentication domain.
To add a new Authentication Domain to your WatchGuard Cloud account, or to edit the domain server settings, go to the Configure > Authentication Domains page. For more information, go to WatchGuard Cloud Authentication Domains.
- From the Type drop-down list, select the authentication server type.
- From the Primary Server drop-down list, select the primary server address to use for authentication.
- From the Backup Server drop-down list, select the backup server.
- Click Save.
Add a SAML Authentication Domain
You can use a Security Assertion Markup Language (SAML) authentication domain to authenticate users with your cloud-managed Firebox. SAML exchanges authentication assertions between an identity provider (IdP) and a service provider (SP).
When you add a SAML authentication domain to the Firebox, you do not add it to the Shared Configurations settings of your WatchGuard Cloud account. In the SAML configuration on the Firebox, you configure the Firebox as the SP and a third-party service as the IdP.
Your IdP must meet the WatchGuard requirements for SAML 2.0 communication. For more information about SAML requirements, go to SAML Requirements for Identity Providers.
SAML authentication requires Fireware v12.11 or higher and is disabled by default.
You can use SAML to authenticate with:
- Authentication Portal
- Mobile VPN with SSL
Fireware v12.11 expands support for SAML authentication to include Firebox authentication. The Mobile VPN with SSL v12.11 client for Windows supports SAML authentication. SAML authentication for Mobile VPN with SSL requires a client that embeds a web browser able to interact with the IdP, so lower versions of the Mobile VPN with SSL client for Windows, all versions of the Mobile VPN with SSL client for macOS, and third-party OpenVPN clients are not supported.
If you reference a SAML user or group in a firewall policy and later enable SAML authentication for Mobile VPN with SSL or the Authentication Portal, or if you reference a SAML user or group in a firewall policy and in Mobile VPN with SSL or the Authentication Portal and later disable SAML authentication for Mobile VPN with SSL or the Authentication Portal, the SP metadata changes and SAML authentication stops working. You must give the updated SP metadata to your IdP administrator.
To add a SAML authentication domain to a cloud-managed Firebox configuration, from WatchGuard Cloud:
- Select Configure > Devices.
- Select a cloud-managed Firebox.
Status and settings for the selected Firebox appear.
- Select Device Configuration.
- Click the Authentication Domains tile.
The Authentication Domains page opens.
- Click Add Authentication Domain.
- Select SAML Identity Provider.
The SAML Service Provider (SP) Settings page opens.
- In the IdP Name text box, type the name of your IdP.
This name appears on the login pages of the Firebox as the authentication server name.
- In the Host Name text box, type an FQDN that resolves to the Firebox external interface.
- Keep the IdP Metadata URL text box blank for now. You must complete the steps in the next section before you can get the IdP Metadata URL from your IdP administrator.
The Group Attribute Name text box defaults to memberOf. If your IdP administrator uses a different name, you can type that name.
- Click Save.
WatchGuard Cloud generates authentication domain URLs and certificate information.
After you save the SAML configuration, WatchGuard Cloud automatically generates a page that includes additional SAML configuration and certificate information. You must give this information to your IdP administrator. The administrator can then configure the account settings for your company on the IdP website.
The Fireware SAML Client certificate that WatchGuard Cloud creates shows in Device Certificates for your cloud-managed device. For more information, go to About Device Certificates.
Follow the instructions for either Option 1 or 2.
You must deploy the SAML configuration to the cloud-managed Firebox before your IdP can use the Metadata URL.
Option 1 — Automatic Configuration
If your IdP accepts SAML metadata from SPs, give the Metadata URL in the Option 1 section to your IdP Administrator.
Option 2 — Manual Configuration
If your IdP does not accept SAML metadata from SPs, give the URLs and certificate in the Option 2 section to your IdP Administrator.
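The IdP administrator consumes the SP metadata from Option 1 (or the individual URLs and certificate from Option 2). The following is an added example, not WatchGuard code, showing what to check in that metadata before handing it over: that the entityID and AssertionConsumerService endpoint are https and sit on the Host Name you configured, that a signing certificate is present, and, because the SP metadata changes when the certificate is regenerated or when SAML is enabled or disabled for Mobile VPN with SSL or the Authentication Portal, which fields differ between an old copy and a regenerated one so you know the IdP needs an update. The metadata documents are constructed in the standard SAML 2.0 shape; the entityID path, ACS path and certificate bytes are placeholders, not values a Firebox produces, and fetching from the Metadata URL is left out so the script runs offline.

```python
"""Inspect SAML SP metadata (Option 1) and detect when a regenerated copy differs.

Added example, not WatchGuard code. The documents below are constructed; the
entityID, ACS path and certificate bytes are placeholders, not Firebox values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates" (not real DER) so the base64 is canonical.
CERT_DER_ORIGINAL = b"placeholder DER bytes, not a certificate (original)"
CERT_DER_REGENERATED = b"placeholder DER bytes, not a certificate (regenerated)"


def build_sample_metadata(host_name: str, cert_der: bytes) -> bytes:
    """Constructed SP metadata for a Firebox reachable at host_name (assumed layout)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://{host_name}/auth/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host_name}/auth/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""".encode()


SAMPLE_SP_METADATA = build_sample_metadata("fw.example.com", CERT_DER_ORIGINAL)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, the form most IdP consoles display."""
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_bytes: bytes) -> dict:
    """Extract what the IdP admin needs: entityID, ACS endpoints, signing cert fingerprints."""
    root = ET.fromstring(xml_bytes)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            certs.append(cert_fingerprint(base64.b64decode("".join(b64.split()))))
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs": acs, "signing_certs": certs}


def check_sp_metadata(info: dict, host_name: str) -> list:
    """Findings (empty means consistent) against the Host Name configured on the Firebox."""
    findings = []
    for _binding, location in info["acs"]:
        url = urlparse(location)
        if url.scheme != "https":
            findings.append(f"ACS {location} is not https")
        if url.hostname != host_name.lower():
            findings.append(f"ACS host {url.hostname} does not match Host Name {host_name}")
    if not info["acs"]:
        findings.append("no AssertionConsumerService endpoint")
    if not info["signing_certs"]:
        findings.append("no signing certificate; the IdP cannot validate signed requests")
    return findings


def metadata_changed(old: dict, new: dict) -> list:
    """Fields that differ; any non-empty result means the IdP needs the new metadata."""
    return [k for k in ("entity_id", "acs", "signing_certs") if old[k] != new[k]]


if __name__ == "__main__":
    current = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(current, check_sp_metadata(current, "fw.example.com"))
    regen = parse_sp_metadata(build_sample_metadata("fw.example.com", CERT_DER_REGENERATED))
    print("changed after certificate regeneration:", metadata_changed(current, regen))
```

Keep the parsed output of the copy you gave the IdP administrator; after any edit to the SAML domain, run the comparison against the newly published metadata and send the IdP administrator the new copy whenever the result is non-empty.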
Configure the SAML Identity Provider Settings
You must now return to the SAML configuration and complete the configuration with the information that your IdP provides.
To complete the SAML configuration, from WatchGuard Cloud:
- Select Configure > Devices.
- Select a Firebox.
Status and settings for the selected Firebox appear.
- Select Device Configuration.
- Click the Authentication Domains tile.
The Authentication Domains page opens.
- Select a SAML domain.
The SAML configuration information opens.
- In the IdP Metadata URL text box, type the metadata URL provided by your IdP.
- (Optional) To change the Group Attribute Name, type the new Group Attribute Name.
- Click Save.
- Deploy changes.
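The Group Attribute Name (default memberOf, set in the SP settings and optionally changed here) must match the attribute name the IdP actually puts in its assertions, or users authenticate but belong to no groups and no group-based policy matches them. The following is an added example, not WatchGuard code, that takes a SAML Response as captured from the browser and shows which attribute carries the group values, what the Firebox would see under the configured name, and which attributes are candidates when the configured name is absent. The Responses are constructed and unsigned; a real Response is signed and the Firebox validates that signature against the IdP metadata, which this script deliberately does not do, and how the Firebox compares group values to policy groups is not assumed here beyond a plain string match.

```python
"""Check that the configured Group Attribute Name matches what the IdP sends.

Added example, not WatchGuard code. The Responses are constructed and unsigned;
signature validation, which the Firebox performs, is intentionally omitted.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_sample_response(group_attr_name: str) -> bytes:
    """Constructed Response for user alice with two group values under group_attr_name."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed_response" Version="2.0">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{group_attr_name}">
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
        <saml:AttributeValue>Admins</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


RESPONSE_MEMBEROF = build_sample_response("memberOf")  # IdP uses the Firebox default
RESPONSE_GROUPS = build_sample_response("groups")      # IdP uses a different name


def extract_identity(response_xml: bytes, group_attribute_name: str = "memberOf") -> dict:
    """Return the NameID, the groups under the configured attribute, and all attributes."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plain Assertion (encrypted assertions not handled)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"user": name_id,
            "groups": attributes.get(group_attribute_name, []),
            "attributes": attributes}


def candidate_group_attributes(response_xml: bytes) -> list:
    """Attribute names with more than one value: likely where the IdP put group membership."""
    attrs = extract_identity(response_xml)["attributes"]
    return [name for name, values in attrs.items() if len(values) > 1]


def allowed_by_policy(identity: dict, policy_groups: set) -> bool:
    """True when at least one group from the assertion is referenced by the policy (plain string match)."""
    return bool(set(identity["groups"]) & policy_groups)


if __name__ == "__main__":
    for label, resp in (("memberOf", RESPONSE_MEMBEROF), ("groups", RESPONSE_GROUPS)):
        ident = extract_identity(resp)  # configured name left at the default
        print(label, "->", ident["user"], ident["groups"],
              "candidates:", candidate_group_attributes(resp))
```

If the configured name yields an empty group list while candidate_group_attributes reports another name, either change the Group Attribute Name on the Firebox to that name or ask the IdP administrator to emit the groups as memberOf; both sides must agree on the exact attribute name.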
Edit a SAML Service Provider Authentication Domain
When you edit a SAML configuration, you must regenerate the SAML configuration information that you give to your IdP administrator.
To update a SAML configuration, from WatchGuard Cloud:
- Select Configure > Devices.
- Select a Firebox.
Status and settings for the selected Firebox appear.
- Select Device Configuration.
- Click the Authentication Domains tile.
The Authentication Domains page opens.
- Select a SAML domain.
The SAML settings page opens.
- Make any necessary changes.
When you save edits to the Host Name in the SAML settings, the information in Option 1 and 2 updates to show the changes.
- Click Regenerate Certificate.
- Click Save.
- Follow the instructions for either Option 1 or 2.
Authentication Domain Users and Groups
To authenticate, users can connect to the Firebox authentication page, select the domain, and specify their username and password. For information, go to Connect to the Firebox Authentication Portal.
After you add the authentication domain, you can specify domain users and groups in policies and aliases. For more information, go to: