
Configuration for XTAM and WatchGuard AuthPoint MFA Integration

XTAM supports integration with SAML providers like WatchGuard AuthPoint to allow their unique multi-factor authentication (MFA) solution to handle the second authentication method, enabling even greater security for your XTAM deployment.

The following guide describes how to configure your XTAM and WatchGuard AuthPoint integration.


Before you begin your integration, be sure you have met the following prerequisites:

  • A working XTAM deployment with the Federated Sign-In experience.
  • Access to your existing XTAM host server. You will need to update a configuration file, certificates and restart services.
  • Access to your WatchGuard portal to configure your AuthPoint authentication services.
  • If Users are created and managed in WatchGuard, then a matching user must also be created as an XTAM Local User.
  • If Users are synced from Active Directory to WatchGuard, then you must also integrate XTAM with the same Active Directory.


Step 1: Begin the AuthPoint Configuration


Log in to your WatchGuard portal. This guide is built using the WatchGuard Cloud portal as available in October 2019.


Navigate to Configure > AuthPoint.

XTAM AuthPoint - Configure AuthPoint Option


From the AuthPoint page, select the Resources option from the left navigation. From the Resources page, click the CERTIFICATE button to generate a certificate.

XTAM AuthPoint - Generate AuthPoint Certificate


When the certificate appears, click the menu on the right (three dots) and use both the Download Certificate and Download Metadata options to download the files. Save both files to a safe location as they will be needed in a future step.

XTAM AuthPoint - Download AuthPoint Certificate


From the same menu (three dots), open the Copy Metadata URL option and save this URL. We will need this full URL in a future step.


Step 2: Perform the XTAM Configuration


Log in to your XTAM host server.


Move or copy both the downloaded Certificate and Metadata files from step 1.4 to the $XTAM_HOME\content\keys directory.


Import the AuthPoint certificate to the XTAM keystore using the following procedure:


Open a prompt and navigate to the $XTAM_HOME directory. You may need sudo or elevated permissions.


Execute the following command:

For Windows, confirm the name of the .cer file and its location to be imported and used by XTAM.

bin\PamKeytool.cmd -import -alias xtauthpoint -file content\keys\wg-authpoint-saml-certificate-202910-base64.cer -keystore jre\lib\security\cacerts

For Unix or Linux, confirm the name of the .cer file and its location to be imported and used by XTAM.

bin/ -import -alias xtauthpoint -file content/keys/wg-authpoint-saml-certificate-202910-base64.cer -keystore jre/lib/security/cacerts

After the command is issued, you will be prompted for the keystore password. Enter the value changeit and press the Enter key to continue.


When prompted Trust this certificate? enter y and press the Enter key. You will receive the message Certificate was added to keystore when it has imported successfully.
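Before answering y at the trust prompt, you can confirm that the certificate file being imported is the same signing certificate that the downloaded AuthPoint metadata advertises. The following Python check is an added example, not part of the original guide or of XTAM; it assumes the metadata uses the standard SAML md:KeyDescriptor / ds:X509Certificate elements and that the .cer file is base-64 encoded, and its sample data is constructed.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def metadata_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of the signing certificates inside IdP metadata."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key, not used to verify assertions
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop line wrapping
            found.add(fingerprint(base64.b64decode(b64)))
    return found

def cert_matches_metadata(cert_pem: str, metadata_xml: str) -> bool:
    """True when the .cer file is one of the metadata's signing certificates."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem.strip())
    return fingerprint(der) in metadata_fingerprints(metadata_xml)

# Constructed sample input: placeholder bytes, not a real AuthPoint certificate.
SAMPLE_DER = b"\x30\x82\x00\x20" + b"constructed-sample-certificate-body"
SAMPLE_CER = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER))
    print(cert_matches_metadata(SAMPLE_CER, SAMPLE_METADATA))
```

The fingerprint uses the colon-separated SHA-256 form that Java keytool prints for a certificate, so it can also be compared with the value shown at the trust prompt, assuming PamKeytool passes that output through.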


Open the file $XTAM_HOME/web/conf/ in a text editor and add the following new section. Confirm that the value of each parameter is accurate for your XTAM deployment, particularly those in red.

# AuthPoint SSO SAML
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/{metadata.xml from step 1.4}
cas.authn.pac4j.saml[0].identityProviderMetadataPath={metadata URL from step 1.5}

When complete, save and close your file.


Restart the PamManagement (Windows) or pammanager (Linux) service. After the service fully restarts, which could take 3-5 minutes, the keystore file should appear in $XTAM_HOME/content/keys/samlKeystoreAuthpoint.jks or the location you defined in the catalina file.


Next, we will export the SAML certificate from XTAM using the following procedure.


Open or reuse your existing prompt and navigate to the $XTAM_HOME directory. You may need sudo or elevated permissions.


Execute the following command:

For Windows

bin\PamKeytool.cmd -keystore content\keys\samlKeystoreAdfs.jks -export -alias saml2clientconfiguration -file content\keys\adfsxtam.cer

For Unix or Linux

bin/ -keystore content/keys/samlKeystoreAdfs.jks -export -alias saml2clientconfiguration -file content/keys/adfsxtam.cer

Now we need to convert your exported certificate file to base-64 encoding. Use whatever method you are most comfortable with. In Windows, we believe the easiest method is the following:


Double click on your certificate file and click Open if you receive a security prompt.


From the Certificate dialog, switch to the Details tab and click the Copy to File… button.

XTAM AuthPoint - Certificate Details


On the Certificate Export Wizard screen, select the Base-64 encoded X.509 (.CER) format option.

XTAM AuthPoint - Certificate Export to Base-64 Encoding


Save this converted certificate file to $XTAM_HOME/content/keys.
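On Unix or Linux, where the Windows Certificate Export Wizard is not available, the same conversion can be scripted. This Python example is added here and is not part of the original guide or of XTAM; it assumes the exported file is a binary (DER) X.509 certificate, and the output file name in the usage comment is hypothetical.

```python
import hashlib
import ssl
import sys
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def der_to_base64_cer(src: Path, dst: Path) -> str:
    """Write src (DER, or already base-64) to dst as base-64 text.

    Returns the SHA-256 hex digest of the DER bytes so the file that is
    uploaded can be tied back to the certificate that was exported.
    """
    raw = src.read_bytes()
    if raw.lstrip().startswith(PEM_HEADER):
        # Already base-64: normalise through DER so both paths are checked alike.
        der = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    elif raw[:1] == b"\x30":
        der = raw  # DER certificates begin with an ASN.1 SEQUENCE tag (0x30)
    else:
        raise ValueError(f"{src} is neither DER nor base-64 certificate data")
    pem = ssl.DER_cert_to_PEM_cert(der)
    # Round-trip before writing: the text form must decode to the same bytes.
    if ssl.PEM_cert_to_DER_cert(pem.strip()) != der:
        raise ValueError("base-64 round trip changed the certificate bytes")
    dst.write_text(pem, encoding="ascii")
    return hashlib.sha256(der).hexdigest()

# Usage (output name is hypothetical):
#   python3 convert_cer.py content/keys/adfsxtam.cer content/keys/adfsxtam-base64.cer
if __name__ == "__main__" and len(sys.argv) == 3:
    print(der_to_base64_cer(Path(sys.argv[1]), Path(sys.argv[2])))
```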


Step 3: Complete the AuthPoint Configuration


Return to your WatchGuard portal.


From AuthPoint’s Resources page, expand the Choose a resource type dropdown menu, select the option SAML and finally click Add Resource.

XTAM AuthPoint - Add New SAML Resource


Enter values for all necessary fields that match those that were entered into the file from the previous step.

XTAM AuthPoint - SAML Resource Configuration

  • Name: Enter a meaningful name
  • Application Type: Others
  • Service Provider Entity ID: {managed_path value from step 2.4}
  • Assertion Consumer Service: {managed_path value from step 2.4}/cas/login?client_name=AuthPoint
  • User ID sent on redirection to service provider: Email
  • Logout URL: empty
  • Signature Method: SHA-256

For the Certificate, click the CHOOSE FILE button and select your converted base-64 encoded certificate file from the previous step.


Click the slider so that Encryption enabled is turned on.


Click the SAVE button to complete the resource creation.


Next, navigate to AuthPoint’s Groups page and click the Add Group button.

XTAM AuthPoint - Add Group


Enter a meaningful Name (required) for this new Group and a description (optional).


Now for this Group, click the Add Policy button, select the Resource we created in the previous step from the dropdown and finally configure your security policies as desired. Click ADD to complete the creation of your policy.

XTAM AuthPoint - Add Group Access Policy


Next, navigate to AuthPoint’s Users page and click the Add User button.

XTAM AuthPoint - Add New User


Fill out all required fields as needed for this new User. For the Group parameter, select the Group that was created in the previous step. Click the SAVE button to create this new user.

XTAM AuthPoint - New User Configuration


Finally, you can open your XTAM login page, click the red button named AuthPoint and test the login process with the User that was created in the previous step. Remember that an identical User account must also be created on XTAM’s Local Users page.


Copyright © 2020 Xton Technologies, LLC. All rights reserved.