Quick Start — Set Up AuthPoint

This quick start topic reviews the general steps to configure and test multi-factor authentication (MFA) with AuthPoint. This guide introduces AuthPoint, reviews the basic components of AuthPoint, and helps you get started so you can test MFA before you fully deploy AuthPoint.

If you already understand the basic setup of AuthPoint and are ready to deploy it in your network, you can start with the AuthPoint Deployment Guide.

If you have not already purchased an AuthPoint license, you can start a free AuthPoint trial in the Support Center. To start a trial, go to the Manage Products page and select WatchGuard AuthPoint. Click the Free 30 day trial link to activate your free trial. You can also contact your preferred WatchGuard Partner and have them set you up with an AuthPoint trial. For more information, see Activate an AuthPoint Trial License.

Before you begin, we recommend that you familiarize yourself with the components of AuthPoint and some of the key terms related to AuthPoint:

Connect to AuthPoint Management UI

The AuthPoint management UI is where you set up and manage your AuthPoint users, groups, resources, and authentication policies. You get access to the AuthPoint management UI in WatchGuard Cloud.

To connect to WatchGuard Cloud, go to cloud.watchguard.com. After you log in, select Configure > AuthPoint.

Service Providers have a different view of WatchGuard Cloud. If you have a Service Provider account, you must select an account from Account Manager to configure AuthPoint for that account.

Add a Resource to Protect with MFA

To configure MFA for an application, you must add a resource for the client in AuthPoint and configure the necessary settings for MFA in your third-party application.

In our example, we add an Identity Provider (IdP) portal resource. The IdP portal is a portal page that shows users a list of the SAML resources available to their AuthPoint group. Because the IdP portal is an AuthPoint resource, you can use it to test MFA with no third-party configuration required.

If you want to test MFA with a specific application, see the AuthPoint Integration Guides. If you do not see an integration guide for the application you want to try with AuthPoint, see Configure MFA for an Application or Service or Configure MFA for a RADIUS Client.

To add an IdP portal resource:

  1. From the navigation menu, select Resources.
    The Resources page appears.
  2. From the Choose a Resource Type drop-down list, select IDP Portal.
  3. Click Add Resource.
  4. In the Name text box, type a descriptive name for the resource. In our example, we name this resource Self Service Portal.
  5. In the Account Alias text box, type a unique value to append to the URL for your IdP portal. In our example, we use Washington. This means that the URL for our IdP portal is https://authpoint.watchguard.com/washington.
  6. Click Save.
    The IdP portal resource is listed on the Resources page.

Add a Group

In AuthPoint, groups are how you define which resources your users have access to. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.

You must add at least one group before you can add or sync users or add authentication policies.

To add a new group:

  1. From the navigation menu, select Groups.
  2. Click Add Group.
  3. On the New Group page, type a Name and Description for your group. The description is optional, but we recommend that you specify the purpose of the group. In our example, the name of this group is Group A.

Screenshot of the New Group page.

  4. Click Save.
    Your group is listed on the Groups page.

Add an Authentication Policy

Authentication policies specify which resources users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). When you configure an authentication policy, you specify these settings:

  • Whether authentications are allowed or denied
  • Which authentication methods are required
  • Which resources the policy applies to
  • Which groups the policy applies to
  • Which policy objects apply to the authentications

To add a new authentication policy:

  1. Select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Authentication Policies list.

  3. Type a name for this authentication policy.
  4. From the Select the authentication options drop-down list, leave the default Authentication options value selected.

Screenshot of selecting the authentication options on the Add Policy page.

  5. Next to the authentication options drop-down list, select the Password, Push, QR Code, and One-Time Password check boxes. These are the authentication methods that users can choose from when they log in to this resource. The Password check box requires that users type their password before they authenticate for this resource. For more information about authentication methods, see About Authentication.

    Do not select the Extra authentication options. These options only apply to authentication policies with an Office 365 SAML resource.

Screenshot of the Add Policy page with authentication options selected.

  6. From the Groups list, select the AuthPoint group that you created. This specifies which groups this authentication policy applies to. In our example, we select Group A.
  7. From the Resources list, select the IdP portal resource that you created. This determines which resources users can authenticate to. In our example, we select the Self Service Portal resource that we created previously.

Screenshot of the Add Policy page with the groups and resources selected.

  8. Skip the Policy Objects list.
  9. Click Save.
    Your policy is created and added to the end of the policy list.

Screenshot of the Save button on the Add Policy page.

Screenshot of an example policy in the Authentication Policies list.

Add a User

There are two ways to add users in AuthPoint: you can sync users from an Active Directory or a Lightweight Directory Access Protocol (LDAP) database, or you can add local AuthPoint users.

In this quick start topic, we provide the steps to add a local test user. We recommend that you start with a test user before you add or sync all of your end users.

To learn how to sync an Active Directory or LDAP user, see Sync Users from Active Directory or LDAP.

To add a user:

  1. Select Users.
  2. Click Add User.

Screenshot of the Users page.

  3. In the First Name and Last Name text boxes, type the name of a test user. In our example, we use Jane Smith.
  4. In the User Name text box, type a unique user name for your user.

Screenshot of the New User page.

  5. In the Email text box, type an email address for the test user. To test AuthPoint, you can use your own email address, but, if you later sync to an authentication database that you are a part of, you must remember to first delete this test user.

    You must specify a valid email address that you have access to. This email address receives the email message to set your password and activate your token.

  6. From the Groups list, select the AuthPoint group(s) to add your user to. The group determines which authentication policies apply to this user. In our example, we add Jane Smith to Group A, which we created previously.

Screenshot of the Save button on the New User page.

  7. Click Save.
    The user appears with a green icon next to their user name.

Screenshot of the Users list with a user added.

The user receives two email messages. One is used to set their AuthPoint password and the other to activate a token in the AuthPoint mobile app. To resend the Set Password or Activation email messages, see Resend Activation Email and Resend the Set Password Email to a User.

Set Password and Activate Token

When you add a user, AuthPoint sends two email messages to the user that they use to set their AuthPoint password and activate a token in the AuthPoint mobile app.

Users synced from Active Directory or an LDAP database do not receive the Set Password email. They use the password defined for their user account in Active Directory as their AuthPoint password.

Open the Set Password email sent to the test email account. Click the link in the email to set your password. When prompted, type your password, then click Save.

Now your AuthPoint password is set. You use this password when you authenticate to log in to protected services and applications.

Next you must activate your token.

Open the Activation email and click the link in the email. This takes you to the Welcome to AuthPoint web page. If you have not done so, download and install the AuthPoint mobile app on your phone.

  • If you opened the web page on your phone, tap the Activate button. This opens the AuthPoint app and activates your token.
  • If you opened the web page on your computer, open the AuthPoint app on your phone and tap Activate in the app, then point the camera on your phone at the QR code on your computer screen.

After a user successfully activates a token, you can see the token on the Users page.

Try MFA

At this point, you have configured MFA for one or more of your resources. Now you can test that MFA works.

To test MFA:

  1. In a web browser, navigate to the login URL for your IdP portal. This URL should be https://authpoint.watchguard.com/<your account alias>. In our example, we navigate to https://authpoint.watchguard.com/washington.
    The AuthPoint single sign-on page appears.

    If you don't know the URL of your IdP portal, on the Resources page, select your IdP portal resource to find the URL for that resource.

  2. Type your email address or AuthPoint user name. Click Next.
  3. In the Password text box, type your AuthPoint password. You must do this before you can select an authentication method. This is because we selected the Password check box when we configured the authentication policy for this resource.
  4. Click Send Push to test Push authentication.
  5. Approve the authentication request that you receive on your mobile device.
    You are logged in to the IdP portal.

After you log in to the IdP portal, you see a blank page with no applications listed. This is because you have not configured any SAML resources. After you add SAML resources, the IdP portal shows a list of all the SAML resources available to your AuthPoint group.

See Also

AuthPoint Integration Guides

AuthPoint Deployment Guide

Configure MFA

About Authentication

About the AuthPoint Mobile App