FireCloud Integration with Auth0

This document describes how to set up multi-factor authentication (MFA) for FireCloud with Auth0 as an identity provider.

WatchGuard FireCloud Authentication Data Flow with Auth0

Auth0 communicates with various cloud-based services and service providers using the SAML protocol. This diagram shows the data flow of an MFA transaction for WatchGuard FireCloud.

Screenshot of the workflow topology.

Before You Begin

Before you begin these procedures, make sure that:

  • You have an Auth0 administrator account.
  • A token is assigned to a user in Auth0.
  • You have a WatchGuard Cloud operator account.

Configure Auth0

To configure Auth0, complete these steps:

  1. Create and Activate Users in Auth0.
  2. Create and Configure Applications in Auth0.
  3. Enable Auth0 Multi-factor Authentication.

Create and Activate Users in Auth0

If you do not have any users in Auth0 yet, follow the steps in this section to create and activate users in Auth0:

  1. Log in to Auth0 with an administrator account.

Screenshot of the Auth0 users page, where you create a new user.

  2. Select User Management > Users.
  3. Click + Create User.
    The Create User window appears.

Screenshot of the Create User window.

  4. Leave the default value in the Connection drop-down list.
  5. In the Email text box, type your email address.
  6. In the Password text box, type a password.
  7. In the Repeat Password text box, type your password again.
  8. Click Create. When you create a new user with an email address that has not been used before, Auth0 automatically sends an activation email message to verify the account.
    The User page opens.

Screenshot of the User Details page, where you can resend the verification email message.

  9. (Optional) If you did not receive the activation email for your account, select Actions > Send Verification Email.
  10. (Optional) Click Confirm.
    An activation email message is sent to verify your email address.
  11. From the Multi-Factor Authentication section, click Send an enrollment invitation.
    An invitation email is sent to the user for MFA enrollment.

Create and Configure Applications in Auth0

To create and configure an application in Auth0:

  1. From the left navigation pane, select Applications > Applications.

Screenshot of the Applications page.

  2. Click + Create Application.
    The Create Application page opens.

Screenshot of the Create Application page.

  3. In the Name text box, type a descriptive name. In our example, we enter WatchGuard FireCloud.
  4. From the Choose an application type section, select Regular Web Applications.
  5. Click Create.
    The application you created opens.

Screenshot of the Regular Web Application page.

  6. Select the Addons tab.
  7. Enable SAML2 Web App.
    The Addon: SAML2 Web App window appears.

Screenshot of the Addon SAML2 Web App window.

  8. Select the Usage tab.
  9. In the SAML Protocol Configuration Parameters section, copy the Issuer and Identity Provider Login URL values. You need this information when you configure FireCloud.
  10. Click Download Auth0 certificate to download the Identity Provider Certificate. You need this certificate when you configure FireCloud.
  11. Select the Settings tab.
    The Settings page opens.

Screenshot of Auth0, original settings of Addon SAML2 Web App.

  12. In the Application Callback URL text box, type https://authsvc.firecloud.<region>.cloud.watchguard.com/v1/acs, where <region> is your WatchGuard Cloud region code.

    To find your account region, log in to WatchGuard Cloud and go to Administration > My Account. Your region is listed under the Data Zone heading. To get the associated region code, refer to WatchGuard Cloud URLs and Network Access Requirements.

  13. In the Settings section, delete the // at the start of the audience line to uncomment it.
  14. Change the audience value to a new value of your choice. In our example, we enter WatchGuardFireCloud. This is the SAML Service Provider entity ID. Note this value; you need it when you configure FireCloud.

Screenshot of Addon SAML2 Web App window.

  15. Uncomment the nameIdentifierFormat and nameIdentifierProbes lines.
  16. Under the nameIdentifierProbes line, uncomment the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim.

Screenshot of Auth0, settings of Addon SAML2 Web App.

  17. (Optional) Click Debug.
    Auth0 shows a confirmation message when the debug is successful.
  18. To save your changes, scroll down to the bottom of the page, then click Enable.
  19. To close the page, in the upper right corner, click ×.
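The values produced in this section must agree exactly with what FireCloud is given later (the audience is the SP Entity ID; the callback URL is the regional ACS endpoint), and a mismatch is the usual reason a SAML login fails. The following pre-flight check is an added example, not part of the WatchGuard document or of Auth0: it strips the // comment lines from a constructed copy of the Addon settings, confirms the audience, nameIdentifierFormat and emailaddress probe are active, and compares them with the FireCloud-side values. The region code example-region and the region-label pattern in the ACS regex are assumptions.

```python
import json
import re

# Constructed copy of the Addon: SAML2 Web App settings after the edits above.
# Auth0's editor keeps the commented-out template lines, which begin with //.
AUTH0_SAML_SETTINGS = """{
  "audience": "WatchGuardFireCloud",
  // "recipient": "http://foo",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    // "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    // "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]
}"""

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Shape of the Application Callback URL from the step above. The region label
# pattern is an assumption; the literal placeholder text must not be left in.
ACS_URL = re.compile(r"^https://authsvc\.firecloud\.[a-z0-9-]+\.cloud\.watchguard\.com/v1/acs$")
# "example-region" is a placeholder; substitute your WatchGuard Cloud region code.
GOOD_CALLBACK = "https://authsvc.firecloud.example-region.cloud.watchguard.com/v1/acs"


def parse_addon_settings(text):
    """Drop the // comment lines and parse the JSON that remains (what Auth0 applies)."""
    active = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return json.loads("\n".join(active))


def check_saml_pairing(settings_text, callback_url, firecloud_sp_entity_id):
    """Return mismatches between the Auth0 side and the FireCloud side; [] means consistent."""
    cfg = parse_addon_settings(settings_text)
    problems = []
    audience = cfg.get("audience")
    if not audience:
        problems.append("audience is still commented out or empty")
    elif audience != firecloud_sp_entity_id:  # exact, case-sensitive comparison
        problems.append(f"audience {audience!r} != SP Entity ID {firecloud_sp_entity_id!r}")
    if not cfg.get("nameIdentifierFormat"):
        problems.append("nameIdentifierFormat is still commented out")
    if EMAIL_CLAIM not in cfg.get("nameIdentifierProbes", []):
        problems.append("emailaddress claim is not in nameIdentifierProbes")
    if not ACS_URL.match(callback_url):
        problems.append(f"callback URL {callback_url!r} is not a FireCloud ACS URL")
    return problems
```

Run check_saml_pairing with the settings text, the callback URL and the SP Entity ID you intend to type into FireCloud; an empty list means the two sides agree.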

Enable Auth0 Multi-factor Authentication

To enable Auth0 multi-factor authentication:

  1. Select Security > Multi-factor Auth.
    The Multi-factor Authentication page opens.
  2. From the Factors section, enable at least one factor. For this example, we select Push Notification Using Auth0 Guardian.
    The Push Notification Using Auth0 Guardian page opens.

Screenshot of Auth0, MFA factors page.

  3. Enable Push Notification using Auth0 Guardian.
  4. Click Back to Multi-factor Authentication.

Screenshot of the Push Notification using Auth0 Guardian page.

  5. Scroll down to the Define policies section. For Require Multi-factor Auth, select Always.

Screenshot of Auth0, Define policies.

  6. Click Save.
  7. Click Continue.

Configure SSO for FireCloud

To configure SSO for FireCloud:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials. If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > FireCloud.
  3. Click Set Up FireCloud.
  4. Select Connect to Your Identity Provider.
  5. Click Next.
  6. In the SAML Service Provider Entity ID text box, type the audience value that you configured in the previous section. In our example, we type WatchGuardFireCloud.
  7. In the Identity Provider ID text box, type or paste the Issuer value you copied from the previous section.
  8. In the Single Sign-On URL text box, type or paste the Identity Provider Login URL value you copied from the previous section.
  9. In the IDP Certificate text box, click the upload icon and upload the identity provider certificate you downloaded in the previous section.

Screenshot of the FireCloud Authentication page.

  10. Click Save.
  11. Click Done.
  12. From the FireCloud navigation menu, select Client Download > Download Installer.

Screenshot of FireCloud Client Download page.

  13. Run the client installer on your Windows client.
  14. Click Install. The installation of the WatchGuard Agent can take several minutes.
  15. When the installation is complete, click Finish.
  16. After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this is finished, the Connection Manager opens and you are prompted to enter your credentials to connect to FireCloud. We test the login process in the next section.

    Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.

Test the Integration

To test Auth0 MFA with FireCloud, authenticate with a token on your mobile device. Auth0 supports push notification, one-time password, SMS, and email factors, which you can enable across all users and applications.

In this example, we show the push notification method.

  1. Open the WatchGuard Connection Manager client.
  2. In the Email address text box, type your email address.
  3. In the Password text box, type your password.

Screenshot that shows the SSO authentication page in the WatchGuard Connection Manager.

  4. Click Continue.

Screenshot of the second-factor authentication page in the WatchGuard Connection Manager.

  5. Approve the authentication request sent to your mobile device.
    You are connected to FireCloud.