Certificate Management
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
From the Certificate Management page, you can create and manage the AuthPoint certificates used for SAML authentication. The AuthPoint certificate provides your resource (service provider) with the information necessary to identify AuthPoint as a trusted identity provider. This is required for SAML authentication.
You must create at least one AuthPoint certificate before you can add a SAML or RD Web resource. If your account already has one or more certificates, you only have to create a new certificate when you replace an existing certificate.
A certificate may need to be replaced for security measures or when the expiration date is near. An alert is generated in WatchGuard Cloud when the expiration date for a certificate is near.
When a certificate expires, users cannot authenticate to any SAML or RD Web resources that are associated with the expired certificate. You must replace the certificate before users can authenticate to those resources again.
Create a New Certificate
You must create at least one AuthPoint certificate before you can add a SAML or RD Web resource. The certificate provides your resource with the information necessary to identify AuthPoint as a trusted identity provider.
To create a new AuthPoint certificate, from the AuthPoint management UI:
- Select Resources.
- Click Certificate.
The Certificate Management page opens.
- Click Add Certificate.
Replace a Certificate
A certificate may need to be replaced for security measures or when the expiration date is near. When a certificate expires, users cannot authenticate to any SAML or RD Web resources that are associated with the expired certificate.
When you replace a certificate that is associated with an RD Web resource, you must download the updated configuration file and install the agent for RD Web again.
To replace a certificate:
- Select Resources.
- Click Certificate.
- Click Add Certificate.
A new certificate is created.
- Identify the SAML resources and RD Web resources that are associated with the certificate that will expire.
  When you try to delete a certificate that has resources associated with it, you see an error message that lists all of the associated resources.
- Edit each resource to change the associated certificate from the one that will expire to your newly created certificate. For each resource:
  - From the Certificate Management page, click Back to return to the Resources page.
  - Click the Name of a SAML resource or RD Web resource that is associated with the certificate that will expire.
  - From the AuthPoint Certificate drop-down list, select the new certificate you created.
  - Click Save.
- Provide the updated metadata or configuration file to each resource:
  - For SAML resources, provide the updated metadata or metadata URL to the service provider of each of your SAML resources. Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.
  - For RD Web resources, download the updated configuration file for each RD Web resource and install the agent for RD Web again. Refer to Download and Install the Agent for the steps to download the configuration file and install the agent for RD Web.
Once you have replaced the certificate for each of your SAML and RD Web resources and uploaded the new metadata to the service providers, you can delete the expiring certificate.
Get Metadata for a Certificate
From the Certificate Management page, for each certificate you can:
- Download the metadata file
- Copy the metadata URL
- Download the certificate file
- Copy the fingerprint
The AuthPoint metadata and certificate provide your resource with the information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint). This is necessary to configure MFA for a SAML resource.
To get the metadata or other necessary information for an AuthPoint certificate, from the AuthPoint management UI:
- Select Resources.
- Click Certificate.
- Next to your certificate, click and select an option to download the metadata, copy the metadata URL, download the certificate, or copy the fingerprint.
Some service providers require the metadata file to configure authentication, while others only require the metadata URL.
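The metadata file downloaded from the Certificate Management page carries the AuthPoint signing certificate that each service provider uses to verify assertions, and the page notes that an alert is raised when that certificate is near expiration. On the service-provider side it is useful to run the same check yourself: read the SAML IdP metadata, compute the certificate fingerprint so it can be compared against the value copied from the Certificate Management page, and report how many days remain before the certificate expires. The following Python script is an added example, not code from WatchGuard or the AuthPoint product. It assumes standard SAML 2.0 metadata with `md:KeyDescriptor` / `ds:X509Certificate` elements, uses a SHA-256 colon-separated fingerprint (AuthPoint's exact fingerprint format is not stated on the page), and builds a structurally minimal, unsigned placeholder certificate inline so that it runs offline; the `entityID` and all certificate contents are constructed placeholders.

```python
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and two-byte long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, raw: bytes) -> dt.datetime:
    """Decode UTCTime (0x17, RFC 5280 two-digit year rule) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(der: bytes):
    """Walk Certificate -> TBSCertificate and return (not_before, not_after)."""
    _, cert_body, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)            # TBSCertificate SEQUENCE
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                # optional [0] version
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)           # validity SEQUENCE
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as upper-case colon-separated hex (assumed format)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of every signing certificate in SAML IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        for c in kd.iter("{%s}X509Certificate" % NS["ds"]):
            certs.append(base64.b64decode("".join(c.text.split())))
    return certs


def check_metadata(metadata_xml: str, expected_fingerprint=None, warn_days=30, now=None) -> list:
    """Report fingerprint, expiry status and (optionally) pin match per signing cert."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = []
    for der in signing_certs(metadata_xml):
        fp = fingerprint(der)
        _, not_after = cert_validity(der)
        days_left = (not_after - now).days
        status = "expired" if not_after <= now else ("expiring-soon" if days_left <= warn_days else "ok")
        report.append({"fingerprint": fp, "not_after": not_after, "days_left": days_left,
                       "status": status,
                       "matches_pin": None if expected_fingerprint is None else fp == expected_fingerprint})
    return report


def utc_midnight(year: int, month: int, day: int) -> dt.datetime:
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def build_demo_cert(not_before: str, not_after: str) -> bytes:
    """Constructed placeholder: structurally valid, UNSIGNED, empty names/key.
    Only the validity field is meaningful; it is not a real certificate."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty placeholder)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),
        _der(0x30, b""),                                                   # subject (empty placeholder)
        _der(0x30, b""),                                                   # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))         # dummy sigalg + signature


def demo_metadata(cert_der: bytes) -> str:
    """Constructed IdP metadata in the shape an SP would download; entityID is a placeholder."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.invalid/placeholder">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>') % (NS["md"], NS["ds"], b64)


if __name__ == "__main__":
    md = demo_metadata(build_demo_cert("240101000000Z", "240620000000Z"))
    for entry in check_metadata(md, now=utc_midnight(2024, 6, 1)):
        print(entry["fingerprint"], entry["status"], entry["days_left"], "days left")
```

Run against a real downloaded metadata file (`check_metadata(open("metadata.xml").read(), expected_fingerprint=...)`), a `matches_pin` of `False` after a certificate replacement tells you the service provider still holds the old metadata and needs the updated file or URL from the Certificate Management page; `expiring-soon` mirrors the WatchGuard Cloud alert on the consuming side.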