WatchGuard FireCloud Integration with Microsoft Entra ID

This document describes how to set up multi-factor authentication (MFA) for FireCloud with Microsoft Entra ID as an identity provider.

WatchGuard FireCloud Authentication Data Flow with Microsoft Entra ID

Microsoft Entra ID communicates with various cloud-based services and service providers with the SAML protocol. This diagram shows the data flow of an MFA transaction for WatchGuard FireCloud.

Screenshot of workflow topology

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Microsoft global administrator account within the Microsoft Entra ID tenant
  • You have created a user in Microsoft Entra ID or synchronized an on-premises Active Directory user to Microsoft Entra ID
  • A token is assigned to a user in Microsoft Entra ID
  • You have a WatchGuard Cloud account

Additional charges might apply to use Microsoft Entra ID.

Configure Microsoft Entra ID

To configure Microsoft Entra ID:

  1. Log in to the Microsoft Azure portal with your Microsoft global administrator account credentials.
  2. Search for and select Microsoft Entra ID.
  3. To add a Microsoft Entra ID user, select Manage > Users > All users > + New user.
  4. Select Create new user.
    The Create new user page opens and populates your user information.

Screenshot of Microsoft Entra ID, create new user

  1. Click Create.
  2. On the Microsoft Entra ID page, select Manage > Enterprise applications.
  3. Select Manage > All applications > + New application.
  4. Click Create your own application.
    The Create Your Own Application page opens.
  5. In the What's the name of your app? text box, type a name. In our example, we name the application WatchGuard-FireCloud.
  6. Select Integrate any other application you don't find in the gallery (Non-gallery).

Screenshot of Microsoft Entra ID, create your application

  1. Click Create.
  2. Select Manage > Single sign-on.
    The Single sign-on page opens.

Screenshot of Microsoft Entra ID, select SSO

  1. From the Select a single sign-on method section, select SAML.
    The SAML-based Sign-on page opens.
  2. In the Basic SAML Configuration section, click Edit.
  3. For Identifier (Entity ID), click Add identifier.
  4. In the Enter an identifier text box, type any value. In our example, we type WatchGuardFireCloud. Note this value. This value must match the SAML Service Provider Entity ID you specify when you configure FireCloud.
  5. For Reply URL (Assertion Consumer Service URL), click Add reply URL.
  6. In the Enter a reply URL text box, type https://authsvc.firecloud.<region>.cloud.watchguard.com/v1/acs/, where <region> is your WatchGuard Cloud region code.

    To find your account region, log in to WatchGuard Cloud and go to Administration > My Account. Your region is listed under the Data Zone heading. To get the region code, refer to WatchGuard Cloud URLs and Network Access Requirements.

  7. Click Save.
  8. To close the Basic SAML Configuration page, click the Close icon.
    The Test single sign-on dialog box opens.
  9. Click No, I'll test later.
    The Set up Single Sign-on with SAML page opens.

Screenshot of Microsoft Entra ID, edit basic SAML configuration

  1. In the Attributes & Claims section, click Edit.
  2. Click + Add a group claim.
  3. For Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
  4. From the Source attribute drop-down list, select one of these options:
    • If only Entra ID cloud security groups are assigned to the SAML application, select Cloud-Only Group Display Names.
    • If only on-premises AD security groups are assigned to the SAML application, select sAMAccountName and leave Emit Group Name for Cloud-Only Groups blank.
    • If both on-premises Active Directory security groups and Entra ID cloud security groups are assigned to the SAML application, select sAMAccountName and leave Emit Group Name for Cloud-Only Groups blank. Select this option if you use AD Connect or your on-premises AD is otherwise connected to your Microsoft Entra ID account.
  5. Expand the Advanced Options section, then select Customize the Name of the Group Claim.
  6. In the Name (required) text box, type groups.
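The group claim name, the SP Entity ID (Audience) and the Reply URL (Destination) configured above can be checked against what Entra ID actually sends when sign-in fails. This added example is not WatchGuard's or Microsoft's code: it parses a constructed, unsigned SAML response with placeholder region and group values and reports mismatches; check_response and the sample data are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed, unsigned sample with placeholder values. A real response is the
# Base64-decoded SAMLResponse form field that Entra ID posts to the Reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://authsvc.firecloud.REGION-PLACEHOLDER.cloud.watchguard.com/v1/acs/">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>WatchGuardFireCloud</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>FireCloud-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_acs, expected_audience):
    """Return a list of findings; an empty list means the response matches the FireCloud settings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} is not the Reply URL {expected_acs!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} lacks the SP Entity ID {expected_audience!r}")
    claims = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
              for a in root.findall(".//saml:Attribute", NS)}
    groups = claims.get("groups")
    if groups is None:
        # The claim name must be customized to exactly "groups"; the default Entra name is a long URI.
        findings.append(f"no claim named 'groups'; claims present: {sorted(claims)}")
    elif not groups:
        findings.append("'groups' claim is empty: check group assignment to the application")
    elif all(GUID.fullmatch(g.lower()) for g in groups):
        # Object IDs instead of names means the Source attribute does not fit the group type.
        findings.append("'groups' values are object IDs, not names: revisit the Source attribute choice")
    return findings
```

This compares configuration values only; signature and timestamp validation of the real response remains FireCloud's job.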

Screenshot of Microsoft Entra ID, add a group claim

  1. Click Save.
  2. Go back to the SAML-based Sign-on page, and in the SAML Certificates section, next to Certificate (Base64), click Download to get your IDP certificate. You need this file when you configure FireCloud.
  3. Next to Federation Metadata XML, click Download.
  4. Open the downloaded Microsoft Entra ID metadata file, and copy the entityID and SingleSignOnService Location values. You need this information when you configure FireCloud.

Screenshot of Microsoft Entra ID, SAML based sign on page.

  1. From the navigation menu, select Manage > Users and groups.
    The Users and groups page opens.
  2. Click + Add user/group.
  3. Click None Selected, then select the user you created.
  4. Click Select.
  5. Click Assign.

Screenshot of Microsoft Entra ID, users and groups page

  1. To enable Microsoft Entra ID multi-factor authentication, from the navigation menu, select Security > Conditional Access.
  2. Select + New policy.
    The New Conditional Access policy page opens.
  3. In the Name text box, type a policy name.
  4. In the Assignments section, for Users, click 0 users and groups selected.
  5. Select the Include tab, and select Select users and groups.
  6. Select the Users and groups check box.
  7. Search for and select the users or groups, then click Select.

Screenshot of Microsoft Entra ID, add conditional access policy

  1. Under the Access controls section, for Grant, click 0 controls selected.
    The options panel to block or grant access opens.
  2. Select Grant access.
  3. Select the Require multifactor authentication check box.
  4. In the For multiple controls section, select Require all the selected controls.
  5. Click Select.
  6. For Enable Policy, select On.
  7. Keep the default values for other settings.
  8. Click Create.

Configure FireCloud

To set up FireCloud with Entra ID as your identity provider:

  1. Log in to WatchGuard Cloud with your WatchGuard operator account credentials.
  2. From the navigation menu, select Configure > FireCloud. If you have a Service Provider account, you must select an account from the Account Manager.
  3. Click Set Up FireCloud.
  4. Select Connect to Your Identity Provider.
  5. Click Next.
  6. Select SAML Identity Provider.
  7. In the SAML Service Provider Entity ID text box, type the identifier that you configured in Entra ID. This must be the same value that you configured in the previous section. In our example, we type WatchGuardFireCloud.
  8. In the Identity Provider ID text box, type or paste the entityID value you copied from the Microsoft Entra ID metadata file in the previous section.
  9. In the Single Sign-On URL text box, type or paste the SingleSignOnService Location value you copied from the Microsoft Entra ID metadata file in the previous section.
  10. In the IDP Certificate text box, click the Upload icon and upload the Microsoft Entra ID certificate you downloaded in the previous section.

Screenshot of WGC, configure SAML Identity provider

  1. Click Save.
  2. Click Done.
  3. Select Client Download > Download Installer.

Screenshot of WGC, client download

  1. Run the WatchGuard Agent installer on your Windows computer.
  2. Click Install. The installation of the WatchGuard Agent can take several minutes.
  3. When the installation is complete, click Finish.
  4. After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this is finished, the Connection Manager opens and you are prompted to enter your credentials to connect to FireCloud.

    Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.

Test the Integration

To test Microsoft Entra MFA with your WatchGuard FireCloud, you can choose any method (Microsoft Authenticator number matching, Microsoft Authenticator code, SMS code, or Phone call).

Microsoft Authenticator number matching is enabled for all authenticator push notifications. In this example, we show the Microsoft Authenticator number matching method.

  1. Open the WatchGuard Connection Manager.
  2. In the Sign in text box, type your user principal name.
  3. Click Next.
  4. In the Enter password text box, type your password.
  5. Click Sign in.
    The Approve sign in request page opens.
  6. To complete the approval, enter the number shown on the page in your authenticator app.
  7. Click Yes in your authenticator app.
  8. Click Yes.
    You are connected to FireCloud.