WatchGuard Account SSO Integration with Okta

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard accounts with Okta as an identity provider.

WatchGuard Account Authentication Data Flow with Okta

Okta communicates with various cloud-based services and service providers with the SAML protocol. This diagram shows the data flow of an MFA transaction for the WatchGuard Portal.

Before You Begin

Before you begin these procedures, a token must be assigned to a user in Okta.

Configure Okta

You must copy the WatchGuard Service Provider SAML Metadata URL from the WatchGuard Account SSO Configuration Wizard before you configure Okta.

To configure Okta:

  1. Log in to WatchGuard Portal with your WatchGuard user account credentials.
  2. In Support Center, select My WatchGuard > Manage Users.

Screenshot of WGID, picture1

  3. Click Configure SAML SSO.
  4. In the WatchGuard Service Provider SAML Metadata text box, copy the WatchGuard Service Provider SAML Metadata URL.

Screenshot of WGID, picture2

  5. Enter the WatchGuard Service Provider SAML Metadata URL into your web browser.
  6. From the WatchGuard Service Provider SAML Metadata file, copy the entityID and AssertionConsumerService Location values. You need this information to configure Okta.
  7. Log in to the Okta Admin Console.
  8. Select Directory > Groups > Add Group.
  9. In the Name text box, type a group name.

Screenshot of Okta, picture1

  10. Click Save.
  11. To add a user in Okta, select Directory > People > Add person.
     You can add your own user information, but you must create the same user on WatchGuard Portal.

Screenshot of Okta, picture2

  12. Click Save.
  13. Select Applications > Applications.

Screenshot of Okta, picture3

  14. Click Create App Integration.
  15. On the Create a new app integration page, select SAML 2.0.

Screenshot of Okta, picture4

  16. Click Next.
  17. In the App name text box, type a name.
  18. (Optional) To upload a logo, use App logo. Click the Upload icon, then select an image to upload.

Screenshot of Okta, picture5

  19. In the Single sign on URL text box, type or paste the AssertionConsumerService Location value from the WatchGuard Service Provider SAML Metadata file.
  20. In the Audience URI (SP Entity ID) text box, type or paste the entityID value from the WatchGuard Service Provider SAML Metadata file.
  21. From the Application username drop-down list, select Email.

Screenshot of Okta, picture6

  22. Keep the default value for all other settings.
  23. Click Next.
  24. In the Are you a customer or partner? section, select an option:
    • I'm an Okta customer adding an internal app — Most deployments are in this category.
    • I'm a software vendor. I'd like to integrate my app with Okta — Select this option if your company is deploying a service for general public use.

Screenshot of Okta, picture7

  25. Click Finish.
  26. Select the Sign On tab.
  27. Copy the Identity Provider metadata link.
     The link is in this format: https://<okta account name><random value>/sso/saml/metadata

Screenshot of Okta, picture8

  28. Select the Assignments tab.
  29. Select Assign > Assign to Groups.
     You can also select Assign to People.
  30. Select the group and click Assign.
  31. Click Done.

Screenshot of Okta, picture9
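Two steps in this procedure copy values out of SAML metadata by hand: the entityID and AssertionConsumerService Location from the WatchGuard Service Provider SAML Metadata file, and later the Identity Provider metadata link from Okta. The script below is an added example, not WatchGuard's or Okta's code, that pulls those values out of both metadata documents with the standard library and checks that every endpoint is served over HTTPS. The two metadata documents in it are constructed samples with placeholder URLs and a placeholder certificate; in practice you would fetch the real metadata URLs and pass their contents to the same functions.

```python
"""Extract the values this guide has you copy from SAML metadata.

Added example (not WatchGuard's or Okta's code). SP_METADATA and IDP_METADATA
are constructed samples with placeholder values, standing in for the
WatchGuard Service Provider SAML Metadata file and the Okta Identity Provider
metadata link respectively.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of a Service Provider metadata file (placeholder URLs).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of an Okta-style IdP metadata file (placeholder values).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBPLACEHOLDER
CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.test/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.test/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values(xml_text):
    """Return the entityID and AssertionConsumerService Location to paste into Okta."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("no AssertionConsumerService in SP metadata")
    # Prefer the endpoint flagged isDefault; otherwise take the first one listed.
    chosen = ([a for a in acs if a.get("isDefault") == "true"] or acs)[0]
    return {
        "entityID": root.get("entityID"),
        "acs_location": chosen.get("Location"),
        "acs_binding": chosen.get("Binding"),
    }


def idp_values(xml_text):
    """Return the SSO endpoints and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute applies to signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # strip base64 line wrapping
    if not sso or not certs:
        raise ValueError("IdP metadata lacks SingleSignOnService or a signing cert")
    return {
        "entityID": root.get("entityID"),
        # Key by the short binding name, e.g. "HTTP-POST" or "HTTP-Redirect".
        "sso_urls": {s.get("Binding").rsplit(":", 1)[1]: s.get("Location") for s in sso},
        "signing_certs": certs,
    }


def insecure_endpoints(sp, idp):
    """List endpoints from either side not served over https://.

    The IdP entityID is an identifier, not an endpoint, so it is not checked.
    """
    urls = [sp["acs_location"]] + list(idp["sso_urls"].values())
    return [u for u in urls if not u.lower().startswith("https://")]


if __name__ == "__main__":
    sp, idp = sp_values(SP_METADATA), idp_values(IDP_METADATA)
    print("Audience URI (SP Entity ID):", sp["entityID"])
    print("Single sign on URL:", sp["acs_location"])
    print("Okta SSO endpoints:", idp["sso_urls"])
    print("Insecure endpoints:", insecure_endpoints(sp, idp) or "none")
```

The HTTPS check is the one worth keeping around: the browser posts the signed assertion to the AssertionConsumerService Location, and the WatchGuard wizard fetches the Okta metadata link, so a plain-HTTP value in either document should be treated as a misconfiguration before it is pasted into a form.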

Configure SSO for Your WatchGuard Account

  1. From the WatchGuard Account SSO Configuration Wizard page, in the Metadata URL text box, type or paste the Okta metadata URL you copied in the previous section.

Screenshot of WGID, picture3

  2. Click Next.
  3. In the IDP Name text box, enter a name to identify your identity provider (Okta). In our example, we name the IDP Okta.
  4. Leave other settings as the default values.

Screenshot of WGID, picture4

  5. Click Next.
  6. Click Next on the Contact Information and Support Message pages.

Screenshot of WGID, picture5

  7. Click Save.

For more information about how to create a user on WatchGuard Portal, see Create a New User Account.

When you configure SAML SSO for your WatchGuard account, users can log in either with SSO or with their local user account. We recommend that users log in with SSO so they do not have to re-authenticate after their initial login.

Test the Integration

To test Okta MFA with your WatchGuard account, you can authenticate with a mobile token on your mobile device. You can choose push or a time-based one-time password (TOTP).

In this example, we show the push authentication method.

  1. In a web browser, go to the WatchGuard Portal URL.
  2. Click Log in with SSO.
  3. In the IDP name text box, type the IDP name.
  4. Click Log In.
  5. In the Username text box, type your Okta username or email.
  6. Click Next.
  7. For the authentication method, select Get a push notification.
  8. For the authentication request that is sent to your mobile device, click Yes, It's Me.
  9. In the Password text box, type your password.
  10. Click Verify.
    You are logged in to WatchGuard Portal.