Configure MFA for an Application or Service
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
Some of the features described in this help topic are only available to participants in the WatchGuard Beta program. To try AuthPoint multi-factor authentication with this feature, join the WatchGuard Beta test community.
SAML and OIDC are protocols that exchange authentication information between a service provider and an identity provider. A service provider is the provider of a third-party service that users connect to, such as Salesforce or Microsoft. An identity provider, such as AuthPoint, authenticates users when they log in to a service or application and sends the service provider a signed assertion (SAML) or ID token (OIDC) about the authenticated user.
AuthPoint has two different types of resources to provide MFA for applications and services.
AuthPoint SAML Resources
SAML resources connect AuthPoint and a service provider with the SAML protocol.
AuthPoint OIDC Resources
OIDC resources connect AuthPoint and an application with the OpenID Connect protocol. This protocol is built on OAuth 2.0 and uses JSON Web Tokens for identity information.
Add SAML or OIDC resources in AuthPoint and then create Zero Trust policies for the resources to require that users authenticate before they can connect to those services and applications.
When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP portal is a portal page that shows users a list of SAML resources available to them. For more information, go to Configure the IdP Portal.
Refer to the AuthPoint Integration Guides for steps to configure AuthPoint MFA for specific applications and services.
SAML and OIDC Authentication Data Flow
This diagram shows the data flow of an MFA transaction for a SAML or OIDC resource with the push authentication method.
When the user tries to log in to an application that requires authentication, the AuthPoint authentication page appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method. In this example, the user chooses to authenticate with a push notification. AuthPoint sends a push notification to the user's mobile device that the user approves to authenticate and log in.
When a user authenticates to a SAML or OIDC resource, the user receives a prompt to share their location. This prompt appears even if your AuthPoint account does not use geofence and geokinetics policy objects.
Configure Authentication for a Third-Party Application
To configure authentication for a third-party application, add either a SAML resource or an OIDC resource in AuthPoint, depending on which protocol the application supports:
Add a SAML Resource in AuthPoint
Before you add a SAML resource, you must configure SAML authentication for your third-party service provider. To do this, you must get the AuthPoint metadata from the Certificate Management page in the AuthPoint management UI.
The AuthPoint metadata provides your resource with information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).
Some service providers require the metadata file to configure authentication, while others only require the metadata URL. Which one you need depends on the third-party service provider.
- From the AuthPoint navigation menu, select Resources.
- Click Certificate.
- On the Certificate Management page, next to the AuthPoint certificate you will associate with your resource, click the menu icon and select an option to download the metadata, copy the metadata URL, download the certificate, or copy the fingerprint, based on what the service provider for your resource requires. The metadata identifies AuthPoint as a trusted identity provider (entity ID, single sign-on endpoints, and signing certificate), which the service provider needs to validate the signed SAML assertions AuthPoint sends.
- Import the AuthPoint metadata file to the service provider and get the Service Provider Entity ID and Assertion Consumer Service from the service provider. These values are necessary to configure the SAML resource in AuthPoint. Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.
After you import the AuthPoint metadata details, to add a SAML resource, in the AuthPoint management UI:
- From the AuthPoint navigation menu, select Resources.
- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select SAML.
- In the Name text box, type a name for the resource.
- From the Application Type drop-down list, select the relevant application or select Others if the application is not listed. For the Others application type, you can specify the relay state, custom attributes, and a custom image to appear for this application in the IdP portal.
You can click the Integration Guide link to open a help topic with the steps to set up your application. This link is context sensitive.
- (Optional) If you selected the Others application type, you can specify a Relay State parameter for this SAML resource.
- In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the service provider of the application.
- From the User ID drop-down list, select which user ID attribute to send to the service provider. The service provider compares the user ID attribute for the AuthPoint user with the user name in your application. These values must match.
For example, Salesforce requires a user name in an email format that includes a domain. Because the AuthPoint user name does not include a domain, your user ID must be email to match the Salesforce user name.
- (Optional) Click Choose File to upload a certificate from the service provider. When you upload a certificate, you can select the Encryption enabled toggle to encrypt the SAML assertions that AuthPoint sends to the service provider with that certificate. Only enable this if the service provider is configured to decrypt assertions; otherwise it cannot read them.
- From the AuthPoint Certificate drop-down list, select the AuthPoint certificate to associate with your resource. This must be the same certificate that you downloaded the metadata for in the Configure Authentication for a Third-Party Application section.
- If applicable, complete any additional fields required for the application.
- (Optional) If you selected the Others application type, you can specify one or more custom attributes for this SAML resource. This is necessary for some applications. To add a custom attribute:
- Click Add Attribute.
The Add Attribute window opens.
- Enter the Attribute Name. This value is case-sensitive and must match the attribute name the service provider expects.
- From the Get Value From drop-down list, select what value is used for this custom attribute. If the value is static, select Fixed value and specify the fixed value to use.
- Click Save.
- To add another attribute, click Add Attribute again and repeat these steps.
- (Optional) If you selected the Others application type, you can upload a custom image to appear for this application in the IdP portal. To upload an image, drag an image file from your computer, or click Select a file to import and select an image file. The image file you upload must meet these requirements:
- Maximum file size — 1 MB
- Maximum width — 750 pixels
- Maximum height — 500 pixels
- Minimum width — 200 pixels
- Minimum height — 150 pixels
- Click Save.
- Add the SAML resource to your Zero Trust policies, or add new Zero Trust policies for the SAML resource. Zero Trust policies specify which resources users can authenticate to and which authentication methods they can use. For more information, go to About Zero Trust Policies.
Add an OIDC Resource in AuthPoint
To add an OIDC resource in the AuthPoint management UI:
- From the AuthPoint navigation menu, select Resources.

- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select OIDC.
The OIDC settings appear.
- In the Name text box, type a name for the resource.
- In the OIDC Protocol Settings section, enable Code Exchange (PKCE).
We recommend you enable this setting for all OAuth clients. PKCE binds the authorization code to the client that started the login, so a code intercepted in transit or through a leaked redirect cannot be exchanged for tokens without the client's code verifier.
- In the URI text box, type the Redirect URI for your application. Register the exact URI the application sends in its authorization requests; in OAuth 2.0 the redirect URI presented at authorization time must match a registered value, so a different path, port or query string will be rejected.
- To add more URIs, click Add URI and type the additional Redirect URI.
- In the Default Scopes section, select the scopes that the application requires:
- OpenID (required) — Returns the sub claim, which uniquely identifies the user.
- Profile — Returns claims that represent basic profile information, including name, family_name, and given_name.
- Email — Returns the email claim with the email address of the user.
- To add a custom claim, in the Custom Claim section, click Add Claim.
The Add Claim dialog box opens.
- In the Claim Name text box, type the name of the claim.
- In the Get Value From column, select the source of the claim value.
- (Optional) In the Fixed Value column, type a static value.
The Fixed Value option enables you to assign a constant value to the claim for all users who authenticate through this resource. You use this when the application expects a specific claim with the same value for every user (for example, role=admin or tenant=default). Because every user receives the same value, do not use a fixed claim for anything the application treats as a per-user authorization decision; a fixed role claim grants that role to everyone who can authenticate to the resource.
Click Save.

- Click Save.
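The settings above (PKCE, the registered redirect URIs and the requested scopes) are what the client side of the OIDC login has to honour. The following is an added example, not WatchGuard code, that shows the client generating the PKCE verifier and S256 challenge, building the authorization request, and the checks the authorization server applies when the code is redeemed: exact redirect URI matching and verification that the presented verifier hashes to the stored challenge. The authorization endpoint, client ID and redirect URIs are assumed values.

```python
"""PKCE and redirect-URI handling for an OIDC authorization-code login (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values; substitute the endpoint and client ID AuthPoint issues for the resource.
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/oidc/authorize"
CLIENT_ID = "example-client-id"
REGISTERED_REDIRECT_URIS = ["https://app.example.invalid/callback"]
REQUESTED_SCOPES = ["openid", "profile", "email"]


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def validate_scopes(scopes: list[str]) -> list[str]:
    """OIDC requires the openid scope; without it no ID token is issued."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC login")
    return scopes


def build_authorization_url(redirect_uri: str, state: str, verifier: str) -> str:
    """Client side: authorization request carrying the S256 challenge."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(validate_scopes(REQUESTED_SCOPES)),
        "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Server side: exact string comparison, no prefix or wildcard matching."""
    return requested in registered


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: the verifier must hash to the stored challenge."""
    return secrets.compare_digest(challenge_s256(presented_verifier), stored_challenge)


def demo_flow() -> dict:
    """Run one login through both sides and report the checks that matter."""
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url(REGISTERED_REDIRECT_URIS[0], state, verifier)

    # What the authorization server sees when the request arrives.
    req = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    stored_challenge = req["code_challenge"]

    return {
        "challenge_method": req["code_challenge_method"],
        "redirect_ok": redirect_uri_allowed(req["redirect_uri"], REGISTERED_REDIRECT_URIS),
        # A redirect URI that only shares a prefix with the registered one must be refused.
        "prefix_attack_rejected": not redirect_uri_allowed(
            req["redirect_uri"] + "/../attacker", REGISTERED_REDIRECT_URIS),
        "pkce_ok": verify_pkce(stored_challenge, verifier),
        # A stolen code presented with a guessed verifier fails the S256 check.
        "wrong_verifier_rejected": not verify_pkce(stored_challenge, make_verifier()),
    }


if __name__ == "__main__":
    for check, result in demo_flow().items():
        print(f"{check}: {result}")
```

The `challenge_s256` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm an OIDC client library derives the challenge correctly before pointing it at the resource.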