WatchGuard Account SSO Integration with Azure Active Directory

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard accounts with Azure Active Directory as an identity provider.

WatchGuard Account Authentication Data Flow with Azure Active Directory

Azure Active Directory communicates with various cloud-based services and service providers with the SAML protocol. This diagram shows the data flow of an MFA transaction for the WatchGuard Portal.

Topology diagram

Before You Begin

  • You have an Azure Active Directory global administrator account within the Azure Active Directory tenant
  • You have a tier-1 WatchGuard Cloud account, and an operator with the Owner or Administrator role

Configure Azure Active Directory

You must copy the WatchGuard Service Provider SAML Metadata URL from the WatchGuard Account SSO Configuration Wizard and save the metadata file before you configure Azure Active Directory.

  1. Go to and log in to the WatchGuard Portal with your WatchGuard user account credentials.
  2. In Support Center, select My WatchGuard > Manage Users.
    The Manage Users page opens.

Screenshot of WGID, picture1

  1. Click Configure SAML SSO.
  2. In the WatchGuard Service Provider SAML Metadata text box, copy the WatchGuard Service Provider SAML Metadata URL.
  3. Enter the WatchGuard Service Provider SAML Metadata URL into your web browser.
  4. Right-click and click Save as to save the WatchGuard Service Provider SAML metadata file.

Screenshot of WGID, picture2

To configure Azure Active Directory:

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Search for and click Azure Active Directory.
  3. To add a user in Azure AD, select Manage > Users > All users > + New user.
  4. Select Create user or Invite user. To log in with SSO, you must have a WatchGuard user account and an Azure user account. Both user accounts must have the same email address.

Screenshot of Azure, picture1

  1. Click Create.
  2. From the Azure Active Directory page, select Manage > Enterprise applications.
  3. Select Manage > All applications > + New application.
  4. Click + Create your own application.
  5. In the What's the name of your app? text box, type a name.
  6. Select Integrate any other application you don't find in the gallery (Non-gallery).

Screenshot of Azure, picture2

  1. Click Create.
  2. Select Manage > Single sign-on.

Screenshot of Azure, picture3

  1. In the Select a single sign-on method section, select SAML.
  2. Click Upload metadata file and upload the WatchGuard Service Provider SAML metadata file you just saved.

Screenshot of Azure, picture4

  1. Click Add.
  2. Click Save.

Screenshot of Azure, picture5

  1. In the SAML Signing Certificate section, find Federation Metadata XML, and click Download.
  2. Select Manage > Users and groups.
  3. Click + Add user/group.
  4. Click None Selected, and select the user you created.
  5. Click Select.
  6. Click Assign.

Screenshot of Azure, picture6

  1. To enable Azure AD multi-factor authentication, select Security > Conditional Access.
  2. Select + New policy > Create new policy.
  3. In the Name text box, type a policy name.
  4. Under Assignments, for Users or workload identities, click 0 users or workload identities selected.
  5. From the What does this policy apply to? drop-down list, select Users and groups.
  6. Under Include, choose Select users and groups.
  7. Check Users and groups.
  8. Click 0 users and groups selected, under the Select section, search for and select the user or group and click Select.

Screenshot of Azure, picture7

  1. Under Access controls, for Grant, click 0 controls selected.
  2. Select Grant access.
  3. Check Require multi-factor authentication.
  4. In the For multiple controls section, select Require all the selected controls.

Screenshot of Azure, picture8

  1. Click Select.
  2. Under Enable policy, select On.
  3. Leave the default value for other settings.
  4. Click Create.

Configure SSO for Your WatchGuard Account

  1. From the WatchGuard Account SSO Configuration Wizard page, click Select a metadata file and upload the Azure AD metadata file you downloaded.

Screenshot of WGID, picture3

  1. Click Next.
  2. In the IDP Name text box, type a name to identify your identity provider (Azure Active Directory). In our example, we name the IDP Azure Active Directory.
  3. Leave the default value for other fields.

Screenshot of WGID, picture4

  1. Click Next to proceed through the SAML Configuration, Contact Information, and Support Message pages to the SSO Reference URLs page.
    The SSO Reference URLs page opens.

    The SSO reference URLs provide you with the direct links to the SSO login page for each account.

Screenshot of WGID, picture5

  1. Click Save.

When you configure SAML SSO for your WatchGuard account, users can either log in with SSO or with their local user account. We recommend users log in with SSO to so they do not have to re-authenticate after their initial login.

Test the Integration

To test Azure AD MFA with your WatchGuard Account, you can choose any method (Microsoft Authenticator notification, Microsoft Authenticator code, SMS code, or Phone call).

In this example, we show the Microsoft Authenticator notification method.

  1. In a web browser, go to the WatchGuard Portal URL.
  2. Click Log in with SSO.
  3. In the IDP name text box, type the IDP name.
  4. Click Log In.
  5. In the Sign in text box, type your email.
  6. Click Next.
  7. In the Enter password text box, type your password.
  8. Click Sign in.
  9. For the authentication method, select Approve a request on my Microsoft Authenticator app.
  10. Approve the authentication request that is sent to your mobile device.
  11. Click Yes.
    You are logged in to WatchGuard Portal.