This quick start topic reviews the general steps to configure and test multi-factor authentication (MFA) with AuthPoint. This guide introduces AuthPoint, reviews the basic components of AuthPoint, and helps you get started so you can test MFA before you fully deploy AuthPoint.
If you already understand the basic setup of AuthPoint and are ready to deploy it in your network, you may choose to start with the AuthPoint Deployment Guide.
If you have not already purchased an AuthPoint license, you can start a free AuthPoint trial in the Support Center. To start a trial, go to the Manage Products page and select WatchGuard AuthPoint. Click the Free 30 day trial link to activate your free trial. You can also contact your preferred WatchGuard Partner and have them set you up with an AuthPoint trial. For more information, see Activate an AuthPoint Trial License.
Before you begin, we recommend that you familiarize yourself with the components of AuthPoint and some of the key terms related to AuthPoint:
AuthPoint has several components:
- AuthPoint Management UI — The AuthPoint management UI in WatchGuard Cloud is where you set up and manage your users, groups, resources, external identities, and the AuthPoint Gateway.
- AuthPoint Mobile App — The AuthPoint mobile app is required for authentication. You can view and manage tokens, approve push notifications, get OTPs, and scan QR codes.
- AuthPoint Gateway — The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients and LDAP databases. The Gateway operates as a RADIUS server and is required for RADIUS authentication and for LDAP users to authenticate with SAML resources.
- Logon App — The Logon app is used to require authentication when users log on to a computer or server. There are two parts to the Logon app: the application you install on a computer or server and the resource you configure in AuthPoint.
- ADFS Agent — With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to Active Directory Federation Services (ADFS) for additional security.
- RD Web Agent — With the AuthPoint RD Web agent, you can add MFA to Remote Desktop Web Access.
- Groups — A set of users and the access policies that define the resources those users get access to.
- Access Policies — Access policies are added to groups to specify which resources users in that group can authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Push Notification — A push notification is a notification sent to your mobile device when you try to log in to a resource. You must approve the push notification to log in or deny it to prevent an access attempt that was not made by you.
- QR Code — When you authenticate with a QR code, you scan the QR code on the screen with the AuthPoint mobile app and use the verification code you receive to authenticate and log in.
- One-Time Password (OTP) — An OTP is a unique, temporary password available in the AuthPoint mobile app. To log in to a resource with OTP, you must type the OTP shown in your AuthPoint mobile app when you authenticate.
- Resources — Resources are the applications and services that your users connect to. In AuthPoint there are six types of resources:
- RADIUS client — An application or service that uses RADIUS authentication (primarily firewalls and VPNs).
- SAML — An application or service that uses Security Assertion Markup Language (SAML) authentication, such as Office 365, Salesforce, or the Firebox Access Portal.
- IdP portal — A portal page that shows users the SAML resources available to them.
- Logon app — The Logon app resource is used to configure and define access policies for the Logon app.
- ADFS — The ADFS resource is used to add MFA to ADFS authentication.
- RD Web — The RD Web resource is used to add MFA to Remote Desktop Web Access.
- External Identities — The information required to connect to your Active Directory or LDAP databases to get user account information and validate passwords.
Connect to AuthPoint Management UI
The AuthPoint management UI is where you set up and manage your AuthPoint users, groups, and resources. You get access to the AuthPoint management UI in WatchGuard Cloud.
To connect to WatchGuard Cloud, go to cloud.watchguard.com. Once you have logged in, select Configure > AuthPoint.
Service Providers have a different view of WatchGuard Cloud. If you have a Service Provider account, you must click Pivot to Subscriber View on the dashboard to switch to your Subscriber account before you can configure AuthPoint.
Add a Resource to Protect with MFA
To configure MFA for an application, you must add a resource for the client in AuthPoint and configure the necessary settings for MFA in your third-party application.
In our example, we add an Identity Provider (IdP) portal resource. The IdP portal is a portal page that shows users a list of the SAML resources available to their AuthPoint group. Because the IdP portal is an AuthPoint resource, you can use it to test MFA with no third-party configuration required.
If you want to test MFA with a specific application, see the AuthPoint Integration Guides. If you do not see an integration guide for the application you want to try with AuthPoint, see SAML Resources or Configure MFA for a RADIUS Client.
To add an IdP portal resource:
- From the navigation menu, select Resources.
The Resources page appears.
- From the Choose a Resource Type drop-down list, select Idp Portal.
- Click Add Resource.
- In the Name text box, type a descriptive name for the resource. In our example, we name this resource Self Service Portal.
- In the Account Alias text box, type a unique value that will be appended to the URL for your IdP portal. In our example, we use Washington. This means that the URL for our IdP portal is https://authpoint.watchguard.com/washington.
- Click Save.
The IdP portal resource is listed on the Resources page.
Add a Group
In AuthPoint, groups are how you define which resources your users have access to. You must add at least one group before you can add or sync users.
To add a new group:
- From the navigation menu, select Groups.
- Click Add Group.
- On the New Group page, type a Name and Description for your group. The description is optional, but we recommend that you specify the purpose of the group. For our example, the name of this group is Group A.
- In the Access Policy section, click Add Policy.
The Add Policy dialog box appears.
- From the Resource drop-down list, select the IdP portal resource you added. In our example, we select Self Service Portal.
- To require that users type their password before they authenticate for this resource, select the Require Password Authentication slider.
- For Authentication Options Allowed, select the One-Time Password, Push, and QR Code check boxes. These are the authentication methods that users can choose from when they log in to this resource. For more information about authentication methods, see About Authentication.
- Click Add.
The access policy for the IdP portal is listed on the Groups page.
- Click Save.
Your group is listed on the Groups page.
Add a User
Now that you have a group, you can add a user. There are two ways to add users in AuthPoint: you can sync users from an Active Directory or a Lightweight Directory Access Protocol (LDAP) database, or you can add users manually.
In this quick start topic, we provide the steps to add a test user manually. It is always a good idea to start with a test user before you add or sync add or sync all of your end users.
To learn how to sync an Active Directory or LDAP user, see Sync Users from Active Directory or LDAP.
- Select Users.
- Click Add User.
- In the First Name and Last Name text boxes, type the name of a test user. In our example, we use Jane Smith.
- In the User Name text box, type a unique user name for your user.
In the Email text box, type an email address for the test user. To test AuthPoint, you can use your own email address, but, if you later sync to an authentication database that you are a part of, you must remember to first delete this test user.
This should be a valid email address that you have access to. This email address receives the email message to set your password and activate your token.
From the Group drop-down list, select an AuthPoint group to add your user to. The group is what determines which resources the user has access to. In our example, we add Jane Smith to Group A, which we created in the previous section.
Because groups specify how users authenticate, you must add each user to a group. You cannot add a user to more than one group. This prevents potential conflicts between the access policies of each group.
- Click Save.
The user appears with a green icon next to their user name.
The user receives two email messages. One is used to set their AuthPoint password and the other to activate a token in the AuthPoint mobile app. To resend the Set Password or Activation email messages, see Resend Activation Email and Resend the Set Password Email to a User.
Set Password and Activate Token
When you add a user, AuthPoint sends two email messages to the user that they use to set their AuthPoint password and activate a token in the AuthPoint mobile app.
Users synced from Active Directory or an LDAP database do not receive the Set Password email. They use the password defined for their user account as their AuthPoint password.
Open the Set Password email sent to the test account and click the link in the email to set your password. When prompted, type your password, then click Save.
Now your AuthPoint password is set. You use this password when you authenticate to log in to protected services and applications.
Next you must activate your token.
Open the Activation email and click the link in the email. This takes you to the Welcome to AuthPoint web page. If you have not done so, download and install the AuthPoint mobile app on your phone.
- If you opened the web page on your phone, tap the Activate button. This opens the AuthPoint app and activates your token.
- If you opened the web page on your computer, open the AuthPoint app on your phone and tap Activate in the app, then point the camera on your phone at the QR code on your computer screen.
When a user has successfully activate a token, you can see the token on the Users page.
At this point, you have configured MFA for one or more of your resources. Now we can test that MFA works.
In a web browser, navigate to the login URL for your IdP portal. This URL should be https://authpoint.watchguard.com/<your account alias>. In our example, we navigate to https://authpoint.watchguard.com/washington.
The AuthPoint single sign-on page appears.
On the Resources page, click the Name of your IdP portal resource to find the URL for that resource.
- Type your email address or AuthPoint user name. Click Next.
- In the Password text box, type your AuthPoint password. You must do this before you can select an authentication method. This is because we selected the Require Password Authentication slider when we configured the access policy for this resource.
- Click Send Push to test Push authentication.
- Approve the authentication request that is sent to your mobile device.
You are logged in to the IdP portal.
When you log in to the IdP portal, you see a blank page with no applications listed. This is because you have not configured any SAML resources. After you add SAML resources, the IdP portal shows a list of all the SAML resources available to your AuthPoint group.