FireCloud Integration with Okta

This document describes how to set up multi-factor authentication (MFA) for FireCloud with Okta as an identity provider.

FireCloud Authentication Data Flow with Okta

Okta communicates with various cloud-based services and service providers using the SAML protocol. This diagram shows the data flow of an MFA transaction for FireCloud.

Screenshot of the FireCloud MFA workflow topology with Okta

Before You Begin

Before you begin these procedures, make sure that:

  • You have an Okta administrator account.
  • A token is assigned to a user in Okta.
  • You have a WatchGuard Cloud account.

Additional charges might apply to use Okta.

Configure Okta

To configure Okta, complete these steps:

  1. Add a Group and User in Okta.
  2. Configure a SAML Application in Okta.

Add a Group and User in Okta

If you do not yet have a user or group for the integration, follow the steps in this section to create a group and a user in Okta:

  1. Log in to the Okta Admin Console with your Okta administrator account.
  2. Select Directory > Groups > Add Group.
    The Add Group dialog appears.
  3. In the Name text box, type a group name. In our example, we enter FireCloud Group.
    Screenshot of Okta, create group
  4. Click Save.
  5. To add a user in Okta, select Directory > People > Add Person.
    The Add Person page appears.
  6. In the Group text box, type the name of the group you just created. In our example, we type FireCloud Group.
    Screenshot of Okta, add person
  7. Click Save.
  8. After you add the user account, sign in to Okta as that user to activate the Okta token that is used for MFA.

Configure a SAML Application in Okta

  1. Log in to the Okta Admin Console.
  2. Select Applications > Applications.
    The Applications page opens.
  3. Click Create App Integration.
    The Create a new app integration dialog appears.
  4. For the Sign-in method, select SAML 2.0.
    Screenshot of Okta, create a new app integration
  5. Click Next.
    The Create SAML Integration page opens.
  6. In the App Name text box, type a descriptive name.
    Screenshot of Okta, General Settings of the SAML integration
  7. Click Next.
    The page changes to the Configure SAML section.
  8. In the Single Sign On URL text box, type https://authsvc.firecloud.<your WatchGuard Cloud region>.cloud.watchguard.com/v1/acs, where <your WatchGuard Cloud region> is the region code of your WatchGuard Cloud account.

    To find your account region, log in to WatchGuard Cloud and go to Administration > My Account. Your region is listed under the Data Zone heading. To get the region code, refer to WatchGuard Cloud URLs and Network Access Requirements.

  9. In the Audience URI (SP Entity ID) text box, type a value of your choice to use as the entity ID. You must use this same value when you configure FireCloud in the next section.
  10. In the Attribute Statements (optional) section, in the Name text box, type groups.
  11. In the Value text box, type User groups.
    Screenshot of Okta, Configure SAML of the SAML integration
  12. Leave the default values for all other settings.
  13. Click Next.
    The page changes to the Feedback section.
  14. In the Feedback section, enter the required information.
    Screenshot of Okta, Feedback of the SAML integration
  15. Click Finish.
    The SAML application you created opens.
  16. Select the Sign On tab.
    Screenshot of Okta, Sign On page of the SAML application
  17. In the SAML 2.0 section, click More details.
    More details about SAML 2.0 are shown.
  18. In the Metadata details section, copy the Sign on URL and Issuer values. You need these values when you configure FireCloud.
  19. Click Download to download the Signing Certificate. You need this certificate when you configure WatchGuard FireCloud.
    Screenshot of Okta, metadata details of the SAML application
  20. Select the Assignments tab.
  21. Select Assign > Assign to Groups. You can assign the application to people or groups. In our example, we assign the application to groups.
    Screenshot of Okta, Assignments page of the SAML application, step 1
  22. Select a group, then click Assign.
    Screenshot of Okta, Assignments page of the SAML application, step 2
  23. Click Done.
    Screenshot of Okta, Assignments page of the SAML application, step 3

Configure SSO for FireCloud

To configure an identity provider for FireCloud:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials. If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > FireCloud.
  3. Click Set Up FireCloud.
  4. Select Connect to Your Identity Provider.
    Screenshot of WGC, configure SAML identity provider
  5. Click Next.
  6. Select SAML Identity Provider.
  7. In the SAML Service Provider Entity ID text box, type the Audience URI (SP Entity ID) value that you defined in the previous section.
  8. In the Identity Provider ID text box, type or paste the Issuer value you copied in the previous section.
  9. In the Single Sign-On URL text box, type or paste the Sign on URL value you copied in the previous section.
  10. For the IDP Certificate, click the upload icon and upload the Signing Certificate you downloaded in the previous section.
    Screenshot of WGC, configure SAML identity provider
  11. Click Save.
  12. Click Done.
  13. From the FireCloud navigation pane, select Client Download > Download Installer.
    Screenshot of WGC, FireCloud client download
  14. Run the WatchGuard Agent installer on your Windows computer.
  15. Click Install. The installation of the WatchGuard Agent can take several minutes.
  16. When the installation is complete, click Finish.
  17. After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this is finished, the Connection Manager opens and prompts you to enter your credentials to connect to FireCloud.

    Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.
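
As an added example (not WatchGuard's or Okta's code), the following Python checks that the values entered in FireCloud in this section match the SAML application configured in Okta in the previous section: it extracts the Issuer, Sign on URL and signing certificate from an Okta-style IdP metadata document and compares them, together with the Okta app's Single Sign On URL and Audience URI, against the FireCloud settings. The metadata document, Okta app values and region code used with it are constructed placeholders, not values from any real tenant.

```python
# Added example, not WatchGuard's or Okta's code: checks that what is typed into FireCloud
# (section "Configure SSO for FireCloud") matches the Okta SAML app configured earlier.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the IdP metadata an Okta SAML app publishes; every value is made up.
OKTA_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/exkEXAMPLE0000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICEXAMPLE CERTBODY==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
      Location="https://example.okta.com/app/firecloud/exkEXAMPLE0000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def firecloud_acs_url(region):
    """Single Sign On URL to enter in the Okta app for a WatchGuard Cloud region code."""
    return f"https://authsvc.firecloud.{region}.cloud.watchguard.com/v1/acs"

def pem_body(text):
    """Strip PEM armor and whitespace so a downloaded certificate compares with metadata."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", text)

def parse_okta_metadata(xml_text):
    """Extract the Issuer, Sign on URL and signing certificate FireCloud asks for."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{POST}']", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert": pem_body(cert.text)}

def check_integration(okta_app, idp, firecloud, region):
    """Return the mismatches between the Okta app and FireCloud; empty means they agree."""
    problems = []
    if okta_app["single_sign_on_url"] != firecloud_acs_url(region):
        problems.append("Okta Single Sign On URL is not the FireCloud ACS URL for this region")
    if okta_app["audience_uri"] != firecloud["sp_entity_id"]:
        problems.append("Audience URI (SP Entity ID) differs from FireCloud SP Entity ID")
    if firecloud["identity_provider_id"] != idp["issuer"]:
        problems.append("FireCloud Identity Provider ID differs from Okta Issuer")
    if firecloud["sso_url"] != idp["sso_url"]:
        problems.append("FireCloud Single Sign-On URL differs from Okta Sign on URL")
    if pem_body(firecloud["idp_cert_pem"]) != idp["cert"]:
        problems.append("Uploaded IDP certificate is not the Okta signing certificate")
    return problems
```

A non-empty result points at the exact field to fix before testing the login; pasting the metadata XML instead of retyping values is the usual way to avoid these mismatches.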

Test the Integration

To test Okta MFA with FireCloud, you can authenticate with a token on your mobile device. You can choose a push notification or one-time password.

In this example, we show the push notification authentication method.

  1. Open the WatchGuard Connection Manager client. The client opens automatically and prompts you to authenticate after the installation is complete.
  2. In the Username text box, type your user name.
    Screenshot of WatchGuard Connection Manager, login authentication page
  3. Click Next.
  4. In the Verify it's you with a security method section, select Get a push notification.
  5. In the Okta Verify app on your mobile device, tap Yes, It's Me.
  6. In the Password text box, type the user password.
  7. Click Verify.
    You are successfully connected to FireCloud.