AuthPoint Deployment Guide

This help topic shows you how to set up and fully deploy AuthPoint, WatchGuard's multi-factor authentication solution. For a shorter overview of how to get started and test AuthPoint, see Quick Start — Set Up AuthPoint.

You manage AuthPoint from WatchGuard Cloud. For more information about WatchGuard Cloud, see About WatchGuard Cloud.

When you set up AuthPoint, we recommend that you first connect AuthPoint to your firewall and LDAP database. To do this, you must download and install the AuthPoint Gateway that connects them with AuthPoint, then add a RADIUS client or Fireboxresourcefor your firewall and an external identity for your LDAP database.

Next, you can add SAML resources for the applications that your users connect to and create authentication policies for those resources.

Finally, when everything is set up and ready to go, sync users from your LDAP database to AuthPoint.

You manage AuthPoint from WatchGuard Cloud. There are two types of WatchGuard Cloud account — Service Provider and Subscriber — each with a different view of WatchGuard Cloud.

You can determine whether you have a Service Provider account or a Subscriber account based on the appearance of the WatchGuard Cloud UI and the navigation menu.

If you see an Account Manager menu and the navigation menu includes an Inventory menu option, then you have a Service Provider account.

If you see a dashboard similar to this and no Account Manager menu, then you have a Subscriber account.

If you have a Service Provider account, before you can set up AuthPoint, you must go to the Inventory page and allocate AuthPoint user licences to your account. For more information, see Allocate Users to Your Account.

You configure and manage AuthPoint from the Configure Services section of WatchGuard Cloud.

To navigate to the AuthPoint management UI in WatchGuard Cloud:

  1. Log in to WatchGuard Cloud at http://cloud.watchguard.com/.
    The WatchGuard Cloud Dashboard page is shown.
  2. From the navigation menu, select Configure > AuthPoint. If you have a Service Provider account, you must select an account from Account Manager.
    The AuthPoint Summary page opens.

The AuthPoint Gateway is a lightweight software application that you install on your network to synchronize user account information between your LDAP or Active Directory server and AuthPoint.

The Gateway functions as a RADIUS server and is required for RADIUS authentication and for LDAP synced users to authenticate with SAML resources. You must install the Gateway so that AuthPoint can communicate with your RADIUS clients and LDAP databases.

Before you install the Gateway, you must configure it in the AuthPoint management UI.

To configure and install the AuthPoint Gateway:

  1. From the AuthPoint navigation menu, select Gateway.
  2. Click Add Gateway.

  1. In the Name text box, type a descriptive name for the Gateway.

  1. Click Save.
  2. On the Gateway page, at the bottom of the tile for your Gateway, click Registration Key.

  1. In the Gateway Registration Key dialog box, copy the registration key. You need this value to install the Gateway.

    The Gateway registration key is a one-time use key. If the installation of the Gateway fails, you must generate a new key to use for the installation.

  1. From the navigation menu, select Downloads.
  2. In the Gateway Installer section, click Download.

  1. Run the downloaded Gateway installer anywhere on your network that has Internet access and that can connect to your RADIUS clients and LDAP server(s).

    WatchGuard AuthPoint Gateway Setup dialog box opens.
  2. In the Gateway Registration Key text box, type or paste the Gateway registration key you copied from AuthPoint.
  3. Click Install.

  1. Click Finish.

  1. In the AuthPoint management UI, on the Gateway page, check the circular icon next to your Gateway name. A green icon indicates that the Gateway is successfully installed and can communicate with AuthPoint.

    If the installation of the Gateway fails, you must generate a new registration key to use for the installation. For more information, see Gateway Registration Key.

External identities connect to user databases to get user account information and validate passwords. To sync users from an external user database, you must add an external identity.

In this example, we show the steps to sync users from Active Directory or a Lightweight Directory Access Protocol (LDAP) database. To learn how to create an external identity to sync users from Azure Active Directory, see Sync Users from Azure Active Directory.

To add an external identity, from the AuthPoint management UI:

  1. Select External Identities.
  2. From the Choose an External Identity Type drop-down list, select LDAP. Click Add External Identity.

  1. In the Name text box, type a descriptive name for the external identity.
  2. In the LDAP Search Base text box, type your LDAP database. In this example, the domain is example.com so we type dc=example,dc=com. Tip!

    For more information about LDAP syntax and how to use a search base to limit the directories on the authentication server where the external identity can search for users, see Find Your Active Directory Search Base.

  1. In the System Account and Passphrase text boxes, type the credentials for a user that has permissions to perform LDAP searches and binds. If this user is not in the default Users folder, select the toggle and type the full distinguished name of the user. Tip!

    In this example, we have a user named administrator that is in an OU called AuthPoint (not the default Users folder). So, we must select the toggle and type the distinguished name of our user as CN=administrator,OU=AuthPoint,DC=example,DC=com.

    If the user is in the Users folder and the user name is different than the account name (sAMAccountName), you must type the account name in the System Account text box.

  1. From the Synchronization Interval drop-down list, specify how often you want to synchronize the LDAP database. If you select Every 24 hours, you must also specify what time the synchronization starts each day.
  2. For Type, select whether this is an Active Directory server or a different type of LDAP database. For other databases, you must specify each attribute value. You do not have to do this for Active Directory because the attribute values are known.
  3. In the Domain text box, type your LDAP domain name.
  4. If this not an Active Directory server, type a value for each attribute.

    If your Active Directory users use ADFS, you must keep the default sAMAccountName value for the attribute related to user login.

  1. In the Server Address text box, type the IP address of your LDAP server.
  2. In the Server Port text box, type the port for your server.

  1. (Optional) To add a redundant address for your external identity, click Add Redundant Address and type a different address and port for the same LDAP database.
  2. Click Save.

Next, you must add your external identity to the configuration for your AuthPoint Gateway. After you do that, you can test the connection to your LDAP database.

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.
  3. In the LDAP section, in the Select an LDAP external identity list, select your LDAP or Active Directory server.

  1. Click Save.
  2. From the navigation menu, select External Identities.
  3. Next to the external identity you added for your LDAP database, click and select Check Connection.

AuthPoint is now connected to your LDAP database. You can create a query to sync users, but before you do that we recommend that you add resources for all of the applications and services that you want to require authentication for.

In AuthPoint, resources are the applications that you protect with AuthPoint. When you add a resource, you provide the information required for AuthPoint to connect to that resource.

When you add and configure a resource in AuthPoint, authentication is required to log in to that resource. For each resource, users must be a member of a group that has an authentication policy that includes that resource in order to authenticate and log in.

Users who are not a member of groups that have an authentication policy for a specific resource cannot authenticate to log in to that resource.

See AuthPoint Integration Guides for more information about how to set up authentication with specific third-party services and applications.

To enable AuthPoint as an authentication server on a Firebox that runs Fireware 12.7 or higher, configure a Firebox resource in AuthPoint. This makes it easier to configure AuthPoint MFA for:

  • Mobile VPN with SSL
  • Mobile VPN with IKEv2
  • Firebox Web UI
  • Firebox Authentication Portal

When you configure a Firebox resource to add MFA to a Firebox, AuthPoint receives the IP address of the end user, so network location policy objects apply when a user authenticates with a VPN client.

You do not have to add a Firebox resource to your Gateway configuration, even if the Firebox resource has MS-CHAPv2 enabled. In this scenario, the Firebox validates the user password with NPS and AuthPoint authenticates the user with MFA.

Before you configure a Firebox resource, make sure that you have registered and connected the device to WatchGuard Cloud as a locally-managed Firebox. For cloud-managed Fireboxes and Fireboxes that run Fireware v12.6.x or lower, we recommend that you configure a RADIUS client resource for the Firebox.

For detailed instructions to register and connect your Firebox to WatchGuard Cloud, see Add a Locally-Managed Firebox to WatchGuard Cloud.

To add a Firebox resource:

  1. From the navigation menu, select Resources.

    The Resources page opens.

  1. From the Choose a Resource Type drop-down list, select Firebox. Click Add Resource.

    The Firebox resource page opens.

Screenshot of the Firebox resource page.

  1. In the Name text box, type a descriptive name for the resource.
  2. From the Firebox drop-down list, select the Firebox or FireCluster that you want to connect to AuthPoint. This list only shows locally-managed Fireboxes and FireClusters that you have added to WatchGuard Cloud.

Screenshot of the Firebox resource page.

  1. To configure the Firebox resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle.

    Additional text boxes appear.

    You do not have to enable MS-CHAPv2 if the IKEv2 VPN client is only used by local AuthPoint users.

Screenshot of the Firebox resource page.

  1. In the NPS RADIUS Server Trusted IP or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the NPS RADIUS server.
  2. In the Port text box, type the port that NPS uses for communication. The default port is 1812.
  3. In the Timeout In Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  4. In the Shared Secret text box, type the shared secret key that NPS and the Firebox use to communicate.

Screenshot of the Firebox resource page.

  1. Click Save.

After you add the Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled. To add MFA, you must configure the Firebox to use the AuthPoint authentication server for the features you want:

  • Mobile VPN with SSL — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with SSL configuration. For detailed steps, see Firebox Mobile VPN with SSL Integration with AuthPoint.

    If you add the AuthPoint authentication server to your Mobile VPN with SSL configuration, users must download and use the WatchGuard Mobile VPN with SSL client v12.7 or higher or the OpenVPN SSL client.

  • Mobile VPN with IKEv2— In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with IKEv2 configuration. For detailed steps, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint.
  • Firebox Authentication Portal — In Fireware, specify AuthPoint as the authentication server for users and groups. For detailed steps, see Firebox Authentication Portal Integration with AuthPoint.
  • Fireware Web UI — In Fireware, select System > Users and Roles and add Device Management users with AuthPoint as the authentication server. For more information, see Manage Users and Roles on Your Firebox

RADIUS client resources represent a device or application that sends RADIUS packets to the AuthPoint Gateway. These are commonly used to authenticate users for firewalls and VPNs.

To configure MFA for a Firebox that runs Fireware v12.7 or higher and has been added to WatchGuard Cloud as a locally-managed Firebox, we recommend that you add a Firebox resource.

RADIUS client resources must be linked to the AuthPoint Gateway and you must choose a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can communicate.

To add RADIUS client resources:

  1. From the navigation menu, select Resources.
  2. From the Choose a resource type drop-down list, select RADIUS Client. Click Add Resource.
  3. In the Name text box, type a descriptive name for the resource.
  4. In the RADIUS client trusted IP or FQDN text box, type the IP address that your RADIUS client uses to send RADIUS packets to the AuthPoint Gateway. This must be a private IP address. For Fireboxes, this is usually the Trusted IP address of your Firebox.
  5. From the Value sent for RADIUS attribute 11 drop-down list, specify what is sent for the attribute 11 (Filter-ID) value in RADIUS responses. You can choose to send the user's AuthPoint group or the user's Active Directory groups.

    To specify a Filter-ID value, you must install version 5 or higher of the AuthPoint Gateway.

  6. In the Shared Secret text box, type a password that the RADIUS server (AuthPoint Gateway) and the RADIUS client will use to communicate.
  7. To configure the RADIUS client resource to accept MS-CHAPv2 authentication requests, enable the Enable MS-CHAPv2 toggle. You might do this if you want to configure AuthPoint MFA for IKEv2.
    Additional fields appear.

    To enable MS-CHAPv2, you must install version 5.3.1 or higher of the AuthPoint Gateway.

  8. In the NPS RADIUS Server trusted IP or FQDN text box, type the IP address or FQDN of the NPS RADIUS server.
  9. In the Port text box, type the port number for the Gateway (RADIUS server) to use to communicate with NPS. The default port is 1812.

    If NPS and the Gateway are installed on the same server, the port that the Gateway uses to communicate with NPS must be different than the port that the Gateway uses to communicate with the RADIUS client.

  10. In the Timeout in Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  11. Click Save.

Next, you must add your RADIUS client resource to the configuration for your AuthPoint Gateway. This is necessary for the RADIUS client to communicate with the RADIUS server (Gateway) and with AuthPoint.

To connect your RADIUS client resource to the Gateway:

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.
  3. In the RADIUS section, in the Port text box, type the port number for the RADIUS client to use to communicate with the Gateway (RADIUS server). The default Gateway ports are 1812 and 1645.

    If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port for the AuthPoint Gateway.

  1. From the Select a RADIUS resource list, select your RADIUS client resource(s).

  1. Click Save.

You have successfully added a RADIUS client resource and connected it with your Gateway. The last step is to configure your RADIUS client for authentication. Refer to the AuthPoint Integration Guides for the steps to configure specific RADIUS client resources.

SAML resources connect AuthPoint with the provider of a third-party service that users connect to (third-party service provider), such as Microsoft or Salesforce. Add SAML resources and define access policies to require that users authenticate before they can connect to those services or applications.

Before you add a SAML resource in AuthPoint, you must configure SAML authentication for your third-party service provider. To do this, download the AuthPoint metadata from the Resources page in the AuthPoint management UI and import the metadata file to the third-party service provider.

The AuthPoint metadata provides information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).

To configure SAML authentication for your third-party service provider:

  1. Select Resources.
  2. Click Download Metadata.

  1. Import the AuthPoint metadata file to the third-party service provider and get the Service Provider Entity ID and Assertion Consumer Service values from the service provider. These values are necessary to configure the SAML resource in AuthPoint.

    Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.

To add a SAML resource in the AuthPoint management UI:

  1. Select Resources.
  2. From the Choose a resource type drop-down list, select SAML. Click Add Resource.

  1. From the Application Type drop-down list, select the relevant application, or select Others if the application is not listed.
  2. In the Name text box, type a name for the resource. We recommend you use the name of the application.
  3. In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the provider of the third-party application.
  4. From the User ID drop-down list, select whether users log in with their email or AuthPoint user name.
  5. Some application types require additional information. If applicable, complete any additional fields required for the application.
  6. Click Save.

Do not install the Logon app on computers that run Windows 7 or lower or on servers that run Windows 2008 R2 or lower.

The Logon app enables you to require authentication when users log in to a computer or server. This includes protection for RDP and RD Gateway.

There are two parts to the Logon app:

  • The resource you configure in AuthPoint
  • The application you install on a computer or server

When you install the Logon app, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).

If your AuthPoint license expires or you delete your Logon app resource, users can log in to their computers with only their password.

To start, you must add a resource for the Logon app:

  1. Select Resources.
  2. From the Choose a resource type drop-down list, select Logon App. Click Add Resource.

  1. On the Logon App page, in the Name text box, type a name for this resource.
  2. In the Support Message text box, type a message to display on the logon screen.
  3. To allow specific users that do not have an AuthPoint user account to log in without MFA:
    1. Enable the Allow specific users to log in without MFA toggle.

    2. In the Add User Names text box, type the user name of each non-AuthPoint user that can log in without MFA.

      You can specify up to 50 non-AuthPoint users that can log in without MFA.

  4. Click Save.

You do not have to add additional Logon app resources for each computer that the Logon app is installed on, regardless of the OS. You only need multiple Logon app resources if you have multiple domains.

Now that you have added a Logon app resource, you must install the Logon app on any computers and servers that you want to require authentication for.

To install the Logon app:

  1. Select Downloads.
  2. In the Logon App section, next to your operating system, click Download Installer.
  3. Click Download Config to download the configuration file for the Logon app.

    You can use the same configuration file for every installation of the Logon app on the same domain, regardless of the OS.

  1. On your computer, move the downloaded configuration file to the same directory as the Logon app installer (.msi file).
  2. Run the Logon app installer and install the Logon app. You can also install the Logon app from a Windows command prompt or use an Active Directory GPO to install the Logon app remotely on multiple computers. For detailed steps, see Install the Logon App from a Windows Command Prompt and Use an Active Directory GPO to Install the Logon App.

The Identity Provider (IdP) portal resource is a portal page that shows users a list of SAML resources available to them. It makes it easier for users to access resources. Users log in to the IdP portal and see each resource they have access to.

When you add the IdP portal resource to an authentication policy, the SSO login page redirects users in the groups added to that authentication policy to the portal page.

To set up AuthPoint with an IdP portal:

  1. Select Resources.
  2. From the Choose a Resource Type drop-down list, select Idp Portal. Click Add Resource.
  3. In the Name text box, type a descriptive name for the resource.
  4. From the User ID drop-down list, select whether users type their email or user name to log in on the SSO page.
  5. In the Account Alias text box, type a unique value to append to the URL for your IdP portal.
  6. Click Save.

    You can add one IdP Portal resource to multiple authentication policies. There is no need to add additional IdP resources in AuthPoint.

After you add and configure resources in AuthPoint, you must create groups for your users. In AuthPoint, groups are how you define which resources your users have access to. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.

You must add at least one group before you can add authentication policies or add users to AuthPoint.

To sync external groups from Active Directory or Azure Active Directory, you must add an external identity and create a group sync with the Create new synchronized groups option enabled. This is covered in Step 9 — Sync users from your LDAP database.

To add a group to AuthPoint, in the AuthPoint management UI:

  1. From the navigation menu, select Groups.
  2. Click Add Group.

Screenshot that shows the Groups page.

  1. In the New Group section, in the Name text box, type a descriptive name for the group.
  2. (Optional) In the Description text box, type a description of the group.

Screen shot of the New Group page.

  1. Click Save.
    Your group is listed on the Groups page.

Screen shot of Access Policy section of New Group page.

Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies.

You can configure these types of policy objects:

Network location policy objects enable you to configure a list of IP addresses. You can then configure specific authentication policies that only apply when users authenticate from these IP addresses. You might do this if you want to allow users to log in without MFA when they are in the office.

When you add a network location to an authentication policy, the policy only applies to user authentications that come from that network location. Users who only have a policy that includes a network location cannot get access to the resource when they authenticate outside of that network location (because they do not have a policy that applies, not because authentication is denied).

When you configure policies that include network locations, we recommend that you create a second policy for the same groups and resources without the network location to apply to users that are not in the network location. Make sure the policy with the network location has a higher priority than the policy without the network location.

Network locations require an Internet connection.

For RADIUS authentication and basic authentication (ECP), policies that include a network location will not be applied because AuthPoint cannot determine the IP address of the end user or the origin IP address.

To configure a network location policy object:

  1. From the AuthPoint navigation menu, select Policy Objects.
  2. From the Choose a Policy Object Type drop-down list, select Network Location. Click Add Policy Object.
    The Network Location page appears.

  1. In the Name text box, type a name to identify this network location policy object. This helps you identify the network location when you add it to authentication policies.
  2. In the IP Mask text box, type a public IP address or netmask that defines the range of public IP addresses you want to identify for this network location and press Enter or Return. You can specify multiple IP addresses and ranges in one network location.

    You cannot configure the IP address for a network location to 0.0.0.0 or 255.255.255.255.

  1. Click Save.

After you add all your resources and groups in AuthPoint, you must configure authentication policies. Authentication policies specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP).

When you configure an authentication policy, you specify:

  • Whether the policy allows or denies authentications.
  • Which authentication methods are required.
  • Which resources the policy applies to.
  • Which user groups the policy applies to.
  • Which policy objects apply to the authentications.

A user who is not a member of a group that has an authentication policy for a specific resource cannot authenticate to log in to that resource.

When you configure policies, make sure you follow these requirements and recommendations:

  • You must configure at least one group before you can configure authentication policies.
  • For RADIUS authentication and basic authentication (ECP), policies that have a network location do not apply because AuthPoint does not have the IP address of the end user or the origin IP address.
  • Policies with network locations only apply to user authentications that come from that network location. Users who only have a policy that includes a network location cannot access the resource when they authenticate outside of that network location. This is because they do not have a policy that applies, not because authentication is denied.
  • If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects.
  • If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with that policy use push notifications to authenticate users.
  • You must enable the push authentication method for policies with MS-CHAPv2 RADIUS resources.
  • RADIUS resources do not support QR code authentication.

To configure an authentication policy:

  1. Select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Authentication Policies list.

  1. Type a name for the policy.
  2. From the Select the authentication options drop-down list, select an option to specify whether to require MFA or to deny authentications for this policy.
    • Authentication options — Require MFA when users in the groups associated with this policy authenticate to the resources associated with this policy.
    • Authentication not allowed — Deny authentications when users in the groups associated with this policy try to authenticate to the resources associated with this policy

Screenshot of selecting the authentication options on the Add Policy page.

  1. If you require MFA for this policy, select the check box for each authentication option users can select from when they authenticate. For more information about authentication methods, see About Authentication.

    If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with the policy use push notifications to authenticate users.

    QR code authentication is not supported for RADIUS resources.

Screenshot of the Add Policy page with authentication options selected.

  1. For policies that include an Office 365 resource, if you require authentication for a device or resource that is part of your Office 365 domain but cannot use MFA, such as a printer, select the Basic Authentication check box. Basic authentication is also called Enhanced Client or Proxy (ECP).
  2. From the Groups drop-down list, select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
  3. From the Resources drop-down list, select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.

Screenshot of the Add Policy page with the groups and resources selected.

  1. From the Policy Objects drop-down list, select which policy objects apply to this policy. For more information about policy objects, see About Policy Objects.

Screenshot of the Policy Objects selection on the Add Policy page.

  1. Click Save.
    Your policy is created and added to the end of the policy list.

    After you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Screenshot of the Policy added to the Policies list.

To sync users from an LDAP database, you must create a query for the external identity that you added. The queries you add to an external identity specify which users to sync from your Active Directory or LDAP database. They pull user information from the database and create AuthPoint users for the users that match the query.

There are two ways to query users:

  • Group Sync — Select the LDAP groups you want to sync users from and AuthPoint creates the query for you.
  • Advanced Queries — Create your own LDAP queries to specify which groups or users to sync.

In this example, we show the steps to use the group sync feature.

Before you continue, make sure that each user account has a valid email address. If the email address for a user account is not correct, the user cannot receive the email message to set a password and activate a token.

If the selected LDAP groups have more users than you have available licenses for, the sync only creates as many users as your license supports.

LDAP users that do not have a user name or email address are not included in the synchronization.

To sync LDAP groups:

  1. Select External Identities.
  2. Next to your external identity, click and select Group Sync.

  1. On the Group Sync page, click Add New Group to Sync.

  1. In the Add Group Sync window, from the Select LDAP Groups to Sync Users From drop-down list, select the LDAP groups you want to sync users from. You can select multiple groups.

Screenshot that shows the settings in the Add LDAP Group Sync window.

  1. From the Select an AuthPoint Group to Add Users To drop-down list, select the AuthPoint group to add the users to.

    For each group sync, all users are added to the same AuthPoint group. To add users to separate AuthPoint groups, you must create a separate group sync for each LDAP group that contains users you want in a different AuthPoint group.

Screenshot that shows the settings in the Add LDAP Group Sync window.

  1. To create new groups in AuthPoint based on the Active Directory groups that you sync users from, enable the Create new synchronized groups toggle. If you enable this option, users sync to the new groups based on group membership in the LDAP database, in addition to the selected AuthPoint group.

    The Create new synchronized groups option is only available for Active Directory and Azure Active Directory.

    To see and use this option, you must install version 6.1 or higher of the AuthPoint Gateway.

Screenshot that shows the settings in the Add LDAP Group Sync window.

  1. Click Save.
    The Add Group Sync window closes.

After you add a query to find your users (manually or with group sync), AuthPoint syncs with your Active Directory or LDAP database at the next synchronization interval and creates an AuthPoint user account for each user identified by the query.

To start a sync immediately, on the External Identities page, next to the your external identity, click and select Start Synchronization.

The created user accounts appear on the Users page with a green Activated status icon next to the user name. The Activated status icon indicates that the user has been created and is currently active (not blocked). You can identify users synced from an external identity by the LDAP tag in the Type column in the list of users.

Screenshot that shows LDAP users on the Users page.

Each user receives an email that they use to activate their token in the AuthPoint mobile app. When a user activates their token, their token information is shown in the Token column with a green Activated status icon next to the token.

Users synced from an external identity use their existing password for authentication. They do not receive the email to set an AuthPoint password.

If you enabled the Create new synchronized groups toggle, the synced groups are created in AuthPoint. The newly created groups appear on the Groups page. You can identify synced groups from Active Directory by the LDAP tag in the Type column in the list of groups.

If you change the name of a synced group in Active Directory, the name of the synced group in AuthPoint updates automatically to match. You cannot edit the synced groups in AuthPoint.

If you delete the group in Active Directory, or if you delete the group sync, the synced group is not deleted in AuthPoint. You must manually delete the synced group in AuthPoint.

You have now added your resources to AuthPoint, defined authentication policies for those resources, and synced your users. Before your users can authenticate with AuthPoint, they must install the AuthPoint app on their mobile devices and activate their AuthPoint token.

A token is something that is used to identify you and associate you with a device, like a digital signature or fingerprint. It is used in addition to, or in place of, a password when users log in to a protected resource. Users activate a token on a device that they use for authentication, such as a mobile phone. This device is then used to gain access to protected resources that require multi-factor authentication.

For more information, see Activate a Token.

See Also

Quick Start — Set Up AuthPoint

About AuthPoint

About the AuthPoint Mobile App

Configure MFA

About Authentication

User Management

AuthPoint Integration Guides