FireCloud Integration with Google Workspace

Google Workspace is a suite of business productivity and collaboration tools based on Google Identities (Google Accounts). Google Workspace includes the user management functionality provided by Cloud Identity. Google Accounts provide access to Google products and services, including Google Cloud.

Both Google Workspace and Google Cloud Identity support the SAML 2.0 protocol. In this example, we use Google Workspace as the identity provider. If you do not use Google Workspace, Cloud Identity is available as a standalone product that can serve as the identity provider.

This document describes how to set up multi-factor authentication (MFA) for FireCloud with Google Workspace as an identity provider.

WatchGuard FireCloud Authentication Data Flow with Google Workspace

Google Workspace communicates with cloud-based services and service providers over the SAML protocol. This diagram shows the data flow of an MFA transaction for WatchGuard FireCloud.

Diagram: FireCloud authentication data flow with Google Workspace

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Google Workspace Super Admin account.
  • You have a WatchGuard Cloud account.
  • You have created a user in Google Workspace and a token is assigned to the user in Google Authenticator.

Additional charges might apply to use Google Workspace.

Configure Google Workspace

Complete the steps in this section to configure Google Workspace as your FireCloud identity provider.

Create a Group in Google Workspace

  1. Log in to the Google Admin Console with your super admin account.
  2. Select Directory > Groups > Create group.
    The Group information page opens.
  3. Enter a Group name and Group email.

Screenshot of Google Workspace, Group information page

  4. Click Next.
    The Group settings page opens.
  5. In the Access type section, select one of the available access types. In our example, we use the default Public access type.
  6. Leave the default value for all other fields.

Screenshot of Google Workspace, Group settings page

  7. Click Create Group.

Screenshot of Google Workspace, group created

  8. Click Add members to <group name>. The button shows the name of the group you just created.
  9. Click Add members.
  10. Enter the email addresses of the users that you want to add to this group.

Screenshot of Google Workspace, Add members to group

  11. Click Add To Group.
    It might take some time for the change to take effect. Refresh your browser window to see the results.

Screenshot of Google Workspace, group member list

Enable 2-Step Verification in Google Workspace

Before you configure the 2-Step Verification policy for your group, make sure that the users in that group are enrolled in 2-Step Verification. Users who have not set up a second sign-in step cannot sign in to their accounts after 2-Step Verification enforcement is enabled for their group.

For information on how to enable 2-step verification for your Google account, go to Turn on 2-Step Verification in the Google documentation.

  1. Log in to the Google Admin Console with your super admin account.
  2. Select Security > Authentication > 2-Step verification.
    The 2-Step Verification page opens.
  3. In the Security Settings section, click the expand icon to expand the Groups section, then search for and select the group you created in the previous section.
    The Apply policies to security groups window opens.

Screenshot of Google Workspace, Apply policies to security groups

  4. Click Close.
  5. In the 2-Step Verification section, select the Allow users to turn on 2-Step Verification check box.
  6. For Enforcement, select On.
  7. Leave the default value for all other fields.

Screenshot of Google Workspace, 2-Step Verification settings

  8. Scroll to the bottom of the page and click Save.

Configure Google Workspace as a SAML Identity Provider

To configure Google Workspace as a SAML identity provider:

  1. Log in to the Google Admin Console with your super admin account.
  2. Select Apps > Web and mobile apps.
  3. From the Add app drop-down list, select Add custom SAML app.
    The Add custom SAML app page opens.

Screenshot of Google Workspace, Add custom SAML app

  4. In the App name text box, type a name for the app.
  5. (Optional) In the Description text box, type a description for the app.
  6. (Optional) Upload an app icon.

Screenshot of Google Workspace, App details

  7. Click Continue.
    The wizard continues to the Google Identity Provider details page.
  8. On the Google Identity Provider details page, copy the SSO URL and Entity ID values. You need these values when you set up FireCloud.
  9. In the Certificate section, click the download icon to download the Google certificate. You need this certificate when you set up FireCloud. If there is no certificate, or if the certificate has expired, go to Security > Authentication > SSO with SAML applications to add a new certificate for your service provider. For more information, go to Maintain SAML certificates in the Google documentation.

Screenshot of Google Workspace, Google Identity Provider details

  10. Click Continue.
    The wizard continues to the Service provider details page.
  11. In the ACS URL text box, type https://authsvc.firecloud.<your WatchGuard Cloud region>.cloud.watchguard.com/v1/acs, where <your WatchGuard Cloud region> is the region code for your account.

    To find your account region, log in to WatchGuard Cloud and select Administration > My Account. Your region is listed under the Data Zone heading. To get the associated region code, refer to WatchGuard Cloud URLs and Network Access Requirements.

  12. In the Entity ID text box, type a value that identifies FireCloud as your service provider. You must use the same value when you configure FireCloud. In our example, we type WatchGuardFireCloud.
  13. Leave the default value for all other fields.

Screenshot of Google Workspace, Service provider details

  14. Click Continue.
    The wizard continues to the Attribute mapping page.
  15. In the Group membership (optional) section, click Search for a group, then select the group you created in the previous section.
  16. In the App attribute text box, type groups.

Screenshot of Google Workspace, Attribute mapping

  17. Click Finish.
    The App page opens. In this example, our app is named FireCloud.

Screenshot of Google Workspace, SAML app details

  18. In the User access section, click the expand icon.
    The Service status page opens.
  19. On the left toolbar, click the expand icon to expand the Groups section, then search for and select the group you created in the previous section.
    The Apply policies to security groups window opens.

Screenshot of Google Workspace, Apply policies to security groups notification

  20. Click Close.
  21. Select the Service status check box.

Screenshot of Google Workspace, Service status

  22. Click Save.

Configure FireCloud

To configure SSO for FireCloud:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials. If you have a Service Provider account, you must select an account from the Account Manager.
  2. Select Configure > FireCloud.
  3. Click Set Up FireCloud.
  4. Click Connect to Your Identity Provider.
  5. Click Next.
  6. In the SAML Service Provider Entity ID text box, type the Entity ID value that you configured in the previous section. In our example, we enter WatchGuardFireCloud.
  7. In the Identity Provider ID text box, type or paste the Google Workspace Entity ID value you copied from the previous section.
  8. In the Single Sign-On URL text box, type or paste the SSO URL value you copied from the previous section.
  9. In the IDP Certificate text box, click the upload icon and upload the certificate you downloaded in the previous section.

Screenshot of WatchGuard Cloud, configure SAML identity provider

  10. Click Save.
  11. Click Done.
  12. From the navigation menu, select Client Download.
  13. Click Download Installer.
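
The values entered on both sides must line up before a login can succeed: the Destination of Google's SAML Response must be the FireCloud ACS URL, its Audience must equal the SP Entity ID typed in both consoles, its Issuer must equal the Google Entity ID pasted as the Identity Provider ID, and the groups attribute mapped above must be present. The script below is an added example (not WatchGuard or Google code) that checks a SAML Response for exactly these mismatches; the XML is a constructed, unsigned sample, the region in its ACS URL and the IdP entity ID are placeholders, and it does not verify the XML signature, which FireCloud does with the uploaded certificate.

```python
"""Check a SAML Response against the FireCloud / Google Workspace settings
from this procedure. Added example; the XML sample and IdP ID are placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# ACS URL pattern from the procedure; the region code varies per account.
ACS_URL_RE = re.compile(
    r"^https://authsvc\.firecloud\.[a-z0-9-]+\.cloud\.watchguard\.com/v1/acs$")
SP_ENTITY_ID = "WatchGuardFireCloud"          # Entity ID typed on both sides
IDP_ENTITY_ID = "https://idp.example/saml2"   # placeholder for Google's Entity ID

# Constructed, unsigned sample response (not a real Google response).
SAMPLE_RESPONSE = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://authsvc.firecloud.example-region.cloud.watchguard.com/v1/acs">
  <saml:Issuer>https://idp.example/saml2</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>WatchGuardFireCloud</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>firecloud-users@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, sp_id=SP_ENTITY_ID, idp_id=IDP_ENTITY_ID):
    """Return a list of mismatches; an empty list means the values line up.
    Signature verification is out of scope here (FireCloud does it)."""
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination", "")
    if not ACS_URL_RE.match(dest):
        problems.append(f"Destination {dest!r} is not a FireCloud ACS URL")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_id:
        problems.append(f"Issuer {issuer!r} differs from Identity Provider ID")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_id not in audiences:
        problems.append(f"Audience {audiences} lacks SP Entity ID {sp_id!r}")
    groups = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    if not groups:
        problems.append("no 'groups' attribute; check the Attribute mapping page")
    return problems
```

Run check_response on a Response captured from a failing login (for example with browser developer tools, after base64-decoding the SAMLResponse form field) to see which of the four values was mistyped.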

Screenshot of WatchGuard Cloud, FireCloud client download

  14. Run the client installer on your Windows client.
  15. Click Install. The installation of the WatchGuard Agent can take several minutes.
  16. When the installation is complete, click Finish.
  17. After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this finishes, the Connection Manager opens and prompts you for your credentials to connect to FireCloud. We test the login process in the next section.

    Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.

Test the Integration

To test Google MFA with FireCloud, you can authenticate with a mobile token on your mobile device. You can choose Google Prompts, one-time password (OTP), passkeys, text messages, or phone calls.

In this example, we use the OTP authentication method.

  1. Open the WatchGuard Connection Manager.
  2. In the Email or phone text box, type your user email address or phone number.

Screenshot of WatchGuard Connection Manager, sign-in page

  3. Click Next.
  4. In the Enter your password text box, type your password.
  5. Click Next.
    The 2-Step Verification page opens.

Screenshot of WatchGuard Connection Manager, 2-Step Verification page

  6. Type the code from your Google Authenticator app.
  7. Click Next.
    You are connected to FireCloud.