User Inheritance for Service Providers

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

This page describes how Service Providers can send user inheritance requests. If your account is managed by a Service Provider, go to User Inheritance for Managed Accounts.

User inheritance enables Service Providers to request that managed accounts inherit an AuthPoint user from the Service Provider account. If the managed account approves the request, the specified Service Provider users are added to the managed account and can authenticate to resources for that account. This makes it easier for Service Providers to help manage accounts for their customers. You might do this if you manage AuthPoint services for a customer, or if you need access to troubleshoot protected resources for an account you manage.

You cannot send user inheritance requests to a delegated account.

You can request that managed accounts inherit these types of user accounts:

  • Local AuthPoint users
  • LDAP and Active Directory users
  • Azure Active Directory users

Managed accounts do not have to configure an external identity or a Gateway to inherit users synced from an external user database. Inherited users that sync from an external user database can only authenticate to Firebox resources if the Firebox can connect to the LDAP database of the Service Provider. This is because the authentication flow for Firebox resources is different than the authentication flow for RADIUS resources. For Firebox resources, the Firebox sends LDAP user credentials to the Active Directory server to validate the password. For RADIUS resources, AuthPoint contacts the Active Directory server through the Gateway to validate the password. RADIUS resources (and Fireboxes configured as RADIUS resources) do not need to be able to connect to the LDAP database of the Service Provider.

For more information, refer to the Authentication Workflow sections in the Configure MFA for a RADIUS Client and Configure MFA for a Firebox help topics.

Inherited users must have an Internet connection to authenticate to computers with the Logon app installed.

Inherited users do not use an AuthPoint user license in the managed account.

User Inheritance Process Overview

Here is an overview of the user inheritance process:

  1. A Service Provider sends a user inheritance request to one or more managed accounts.
  2. An operator from the managed account approves the user inheritance request. The operator must select which AuthPoint groups to add the inherited user to.
  3. AuthPoint adds the inherited user to the managed account. The inherited user can authenticate to the resources of the managed account based on the authentication policies for their user group(s).
  4. An operator from either the Service Provider account or the managed account can end the user inheritance at any time.

Requirements

When you configure user inheritance, be aware of these rules:

  • Service Providers cannot send user inheritance requests to a delegated account.
  • Service Providers cannot add an inherited user to an account that already has a user account with the same user name or email address.
  • Service Providers can only send a user inheritance request to managed accounts with an active AuthPoint license.
  • Service Providers must allocate at least one AuthPoint user to their own subscriber account. If your subscriber account does not have an AuthPoint user, you might not see your managed accounts in the list of accounts that you can send the user inheritance request to.
  • If a managed account adds a new user with the same user name or email address as an inherited user, AuthPoint deletes the inherited user.
  • For inherited LDAP users, AuthPoint sends the LDAP user credentials to the external user database of the Service Provider for validation. If the managed account uses the agent for Windows, RD Web, or ADFS, AuthPoint only validates the second factor.
  • Inherited LDAP users can only authenticate to RADIUS and Firebox resources if the Gateway or Firebox can connect to the LDAP database of the Service Provider.
  • If you delete an inherited user in your Service Provider account, AuthPoint removes the inherited user from all managed accounts that inherit that user.
  • If you block an inherited user or their tokens in the Service Provider account, AuthPoint also blocks the user or token in all managed accounts that inherit the user.
  • Operators from the managed account cannot block an inherited user or the tokens of an inherited user.

Send a User Inheritance Request

If you have a Service Provider account and you want one or more of your managed accounts to inherit one of your AuthPoint users, you can send a user inheritance request to the managed accounts. Each account that accepts the user inheritance request will inherit the AuthPoint user account.

You must send a separate user inheritance request for each user that you want a managed account to inherit.

You see and manage user inheritance requests from the AuthPoint management UI.

To send a user inheritance request:

  1. Log in to WatchGuard Cloud.
  2. Select your Subscriber account from Account Manager.
  3. From the navigation menu, select Configure > AuthPoint.
    The AuthPoint Summary page opens.
  4. Select User Inheritance.
    The User Inheritance Requests page opens.

Screen shot that shows the User Inheritance Requests page.

  5. Click Send User Inheritance Request.
  6. From the Users to Inherit drop-down list, select the AuthPoint user account you want your managed account(s) to inherit. To search for a specific user, type a name or user name.
    Additional fields appear.

Screen shot of the User Inheritance Requests page.

  7. From the list of accounts, select the managed accounts that you want to inherit this user. If you select more than one account, after you send the request, you must manage the user inheritance for each account separately.

Screen shot of the User Inheritance Requests page.

  8. Click Send Request.

Screen shot of a pending user inheritance request.

AuthPoint sends a user inheritance request to each of the selected accounts. An operator from the managed account chooses whether to accept or reject the request. If the operator accepts the user inheritance request, they must choose which AuthPoint groups to add the inherited user to. The groups that the inherited user belongs to determine which authentication policies apply to the user and which resources of the managed account the inherited user can authenticate to.

Inherited users use their existing tokens for authentication.

AuthPoint sends you a notification when a managed account accepts or rejects the user inheritance request. You can also see the status of your user inheritance requests in the User Inheritance Requests list.

  • Pending — The managed account has not responded to the user inheritance request.
  • Rejected — The user inheritance request has been rejected and the user has not been inherited by the managed account.
  • Accepted — The user inheritance request has been approved and the inherited user has been added to the managed account.

Managed accounts can also choose to delete a pending user inheritance request. User inheritance requests and inherited users that are deleted do not appear in the User Inheritance Requests list.

End User Inheritance

To end user inheritance and remove the inherited user from a managed account:

  1. From the AuthPoint management UI, select User Inheritance.
    The User Inheritance Requests page opens.

Screen shot of the delete icon for a user inheritance request.

  2. From the User Inheritance Requests list, next to the user that you want to end user inheritance for, click Menu Icon and select Delete. If multiple managed accounts inherit the user, the list includes a separate item for each account. Make sure that you delete the user inheritance for the correct managed account.
    The Remove Inherited User window opens.
  3. To confirm that you want to delete the user inheritance, click Yes.

AuthPoint removes the inherited user from the managed account. AuthPoint sends a notification to the managed account to let them know that the inherited user has been removed from their account.

Related Topics

User Inheritance for Managed Accounts