WatchGuard Account SSO Integration with Auth0

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard accounts with Auth0 as an identity provider.

WatchGuard Account Authentication Data Flow with Auth0

Auth0 communicates with cloud-based services and service providers, including WatchGuard, through the SAML protocol. This diagram shows the data flow of an MFA transaction for the WatchGuard Portal.

Topology diagram

Before You Begin

  • A tier-1 WatchGuard Cloud account and an operator with the Owner or Administrator role
  • An MFA token (factor) assigned to a user in Auth0

Configure Auth0

You must copy the WatchGuard Service Provider SAML Metadata URL from the WatchGuard Account SSO Configuration Wizard before you configure Auth0.

To configure Auth0:

  1. Go to www.watchguard.com and log in to the WatchGuard Portal with your WatchGuard user account credentials.
  2. In Support Center, select My WatchGuard > Manage Users.
    The Manage Users page opens.

Screenshot of WGID, picture1

  3. Click Configure SAML SSO.
  4. In the WatchGuard Service Provider SAML Metadata text box, copy the WatchGuard Service Provider SAML Metadata URL.

Screenshot of WGID, picture2

  5. Open the WatchGuard Service Provider SAML Metadata URL in your web browser.
  6. From the WatchGuard Service Provider SAML Metadata file, copy the entityID and AssertionConsumerService Location values. You need these values to configure Auth0.
  7. Go to auth0.com and log in to Auth0 as an admin.
  8. Select User Management > Users > + Create User.

You must create the same user, with the same email address, in the WatchGuard Portal, because the email address is used as the SAML NameID.

Screenshot of Auth0, picture1

  9. Click Create.
    The User page opens.
  10. Select Actions > Send Verification Email.
  11. Click Confirm.
    A verification email is sent to the user's email address.
  12. Select Applications > Applications.
  13. Click + Create Application.
  14. In the Name text box, type a name. In our example, we type WG App.
  15. From the Choose an application type section, select Regular Web Applications.

Screenshot of Auth0, picture2

  16. Click Create.
  17. Select the Addons tab.

Screenshot of Auth0, picture3

  18. Enable SAML2 WEB APP.
  19. In the Identity Provider Metadata section of the Usage tab, click Download to download the Auth0 metadata file. You upload this file to WatchGuard later.

Screenshot of Auth0, picture4

  20. Go to the Settings tab.
  21. In the Application Callback URL text box, type or paste the AssertionConsumerService Location value from the WatchGuard Service Provider SAML Metadata file.
  22. In the Settings section, uncomment the audience line and change its value to the entityID value from the WatchGuard Service Provider SAML Metadata file.
  23. Scroll down and uncomment the nameIdentifierFormat line.
  24. Uncomment the nameIdentifierProbes line.
  25. In the nameIdentifierProbes list, uncomment only the emailaddress claim.

Screenshot of Auth0, picture5
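The two steps most often done wrong in this procedure are reading the entityID and AssertionConsumerService Location out of the WatchGuard SP metadata, and then typing those values into the Application Callback URL and the audience, nameIdentifierFormat and nameIdentifierProbes settings of the SAML2 Web App add-on. The following Python script is an added example, not code from WatchGuard or Auth0: it parses an SP metadata document, extracts the two values, rejects a non-HTTPS AssertionConsumerService URL, and prints the callback URL and add-on settings in the shape the add-on expects. The embedded metadata document is constructed for illustration and its URLs are placeholders, not WatchGuard's real endpoints; the nameIdentifierFormat value is the default that Auth0's add-on template carries on the line you uncomment.

```python
"""Extract SP values from WatchGuard's SAML metadata and build the matching
Auth0 SAML2 Web App add-on settings.

Added example; not part of the WatchGuard or Auth0 documentation.
SAMPLE_SP_METADATA below is constructed for illustration: its entityID and
AssertionConsumerService URLs are placeholders, not WatchGuard's values.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Claim URI that the add-on's nameIdentifierProbes list carries for the email address.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Default value on the nameIdentifierFormat line of Auth0's add-on settings template.
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample SP metadata (placeholder URLs, not WatchGuard's real endpoints).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID and the AssertionConsumerService Location of an SP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.attrib.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    acs_elems = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs_elems:
        raise ValueError("no AssertionConsumerService in SPSSODescriptor")
    # Auth0 POSTs the SAML response to the callback URL, so prefer the default POST endpoint.
    post = [e for e in acs_elems if e.attrib.get("Binding") == POST_BINDING]
    candidates = post or acs_elems
    chosen = next((e for e in candidates if e.attrib.get("isDefault") == "true"), candidates[0])
    acs_url = chosen.attrib["Location"]
    # A plain-HTTP ACS would expose the signed assertion in transit; refuse it.
    if urlparse(acs_url).scheme != "https":
        raise ValueError("AssertionConsumerService Location must be https, got %s" % acs_url)
    return {"entity_id": entity_id, "acs_url": acs_url}


def auth0_saml_addon_settings(sp: dict) -> dict:
    """Callback URL and Settings JSON for the SAML2 Web App add-on, as configured in the steps above."""
    return {
        "callback_url": sp["acs_url"],          # Application Callback URL text box
        "settings": {
            "audience": sp["entity_id"],        # uncommented audience line
            "nameIdentifierFormat": NAMEID_FORMAT,
            "nameIdentifierProbes": [EMAIL_CLAIM],  # only the emailaddress claim uncommented
        },
    }


if __name__ == "__main__":
    # For the real file, read the document saved from the WatchGuard metadata URL instead.
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(json.dumps(auth0_saml_addon_settings(sp), indent=2))
```

Run it against the document saved from the WatchGuard Service Provider SAML Metadata URL (replace the embedded sample with the file contents) and compare its output with what you entered in the add-on; a mismatch in the audience or callback URL is the usual cause of a failed Debug step.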

  26. (Optional) Click Debug.
    An It Works! confirmation message appears when the debug is successful.
  27. Scroll down to the lower part of the page and click Enable.
  28. In the upper right corner, click × to close the current page.
  29. To enable Auth0 multi-factor authentication, select Security > Multi-factor Auth.
  30. In the Factors section, select Push via Auth0 Guardian.
  31. Enable Push via Auth0 Guardian.

Screenshot of Auth0, picture6

  32. Click Back to Multi-factor Authentication.
  33. In the Define policies section, for Require Multi-factor Auth, select Always.
  34. Click Save.
  35. Click Continue.

Configure SSO for Your WatchGuard Account

  1. From the WatchGuard Account SSO Configuration Wizard page, click Select a metadata file and upload the Auth0 metadata file you previously downloaded.

Screenshot of WGID, picture3

  2. Click Next.
  3. In the IDP Name text box, enter a name to identify your identity provider. In our example, we name the IDP Auth0.
  4. Leave the other settings at their default values.

Screenshot of WGID, picture4

  5. Click Next to proceed through the SAML Configuration, Contact Information, and Support Message pages to the SSO Reference URLs page.
    The SSO Reference URLs page opens.

    The SSO reference URLs are the direct links to the SSO log-in page for each account.

Screenshot of WGID, picture5

  6. Click Save.

For more information about how to create a user in the WatchGuard Portal, see Create a New User Account.

When you configure SAML SSO for your WatchGuard account, users can log in either with SSO or with their local user account. We recommend that users log in with SSO so that they do not have to re-authenticate after their initial login. Note that the Always MFA policy you set in Auth0 applies only to logins that go through Auth0, not to logins with a local WatchGuard user account.

Test the Integration

To test Auth0 MFA with your WatchGuard Account, you can use push, SMS, email, one-time password, or a combination of different methods, and enable them across all users and applications.

In this example, we show the push notification using the Guardian method.

  1. In a web browser, go to the WatchGuard Portal URL.
  2. Click Log in with SSO.
  3. In the IDP name text box, type the IDP name you configured (Auth0 in our example).
  4. Click Log In.
  5. In the Email address text box, type your email address.
  6. In the Password text box, type your password.
  7. Click Continue.
  8. When the Auth0 Guardian push notification for the authentication request arrives on your mobile device, select Allow.
    You are logged in to the WatchGuard Portal.