Configuration for XTAM and WatchGuard AuthPoint MFA Integration

XTAM supports integration with SAML providers like WatchGuard AuthPoint to allow their unique multi-factor authentication (MFA) solution to handle the second authentication method, enabling even greater security for your XTAM deployment.

The following guide describes how to configure your XTAM and WatchGuard AuthPoint integration.
 

Requirements

Before you begin the integration, make sure you meet the following prerequisites:

  • A working XTAM deployment with the Federated Sign-In experience.
  • Access to your existing XTAM host server. You will need to update a configuration file, certificates and restart services.
  • Access to your WatchGuard portal to configure your AuthPoint authentication services.
  • If Users are created and managed in WatchGuard, then a matching user must also be created as an XTAM Local User.
  • If Users are synced from Active Directory to WatchGuard, then you must also integrate XTAM with the same Active Directory.

 

Step 1: Begin the AuthPoint Configuration

1

Login to your WatchGuard portal. This guide is built using the WatchGuard Cloud portal as available in October 2019.

2

Navigate to Configure > AuthPoint.

XTAM AuthPoint - Configure AuthPoint Option

3

From the AuthPoint page, select the Resources option from the left navigation. From the Resources page, click the CERTIFICATE button to generate a certificate.

XTAM AuthPoint - Generate AuthPoint Certificate

4

When the certificate appears, click the menu on the right (three dots) and use both the Download Certificate and Download Metadata options. Save both files to a safe location; they will be needed in a later step.

XTAM AuthPoint - Download AuthPoint Certificate

5

From the same menu (three dots), select Copy Metadata URL and save the URL. The full URL is needed in a later step.

 

Step 2: Perform the XTAM Configuration

1

Login to your XTAM host server.

2

Move or copy both the downloaded Certificate and Metadata files from step 1.4 to the $XTAM_HOME\content\keys directory.

3

Import the AuthPoint certificate to the XTAM keystore using the following procedure:

3a

Open a prompt and navigate to the $XTAM_HOME directory. You may need sudo or elevated permissions.

3b

Execute the following command:

For Windows, confirm the name and location of the .cer file downloaded in step 1.4 before importing it:

bin\PamKeytool.cmd -import -alias xtauthpoint -file content\keys\wg-authpoint-saml-certificate-202910-base64.cer -keystore jre\lib\security\cacerts

For Unix or Linux, confirm the name and location of the .cer file in the same way; the keystore is at jre/lib/security/cacerts:

bin/PamKeytool.sh -import -alias xtauthpoint -file content/keys/wg-authpoint-saml-certificate-202910-base64.cer -keystore jre/lib/security/cacerts

3c

After the command is issued, you are prompted for the keystore password. Enter changeit (the default password of the Java cacerts keystore bundled with XTAM; if your deployment has changed it, use that value instead) and press the Enter key to continue.

3d

When prompted Trust this certificate? enter y and press the Enter key. You will receive the message Certificate was added to keystore when it has imported successfully.

4

Open the file $XTAM_HOME/web/conf/catalina.properties in a text editor and add the following new section. Confirm that the value of each parameter is accurate for your XTAM deployment, in particular the placeholders shown in braces, every one of which must be replaced: {managed_path} is the base URL of your XTAM deployment and is reused in Step 3 as the Entity ID and the prefix of the Assertion Consumer Service URL; the clientName value (AuthPoint) is reused as the client_name parameter of that URL; keystorePassword and privateKeyPassword protect the SAML keystore that XTAM generates at keystorePath on restart, so choose a strong value rather than a default such as changeit; maximumAuthenticationLifetime is the maximum age, in seconds, of the authentication at the IdP that XTAM will accept in an assertion (2073600 seconds is 24 days; tighten it if your policy requires a shorter window).

# AuthPoint SSO SAML
cas.authn.pac4j.saml[0].clientName=AuthPoint
cas.authn.pac4j.saml[0].keystorePassword={enterSomePassword}
cas.authn.pac4j.saml[0].privateKeyPassword={enterSomePassword}
cas.authn.pac4j.saml[0].serviceProviderEntityId={managed_path}
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/{metadata.xml from step 1.4}
cas.authn.pac4j.saml[0].keystorePath=C:/xtam/content/keys/samlKeystoreAuthpoint.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath={metadata URL from step 1.5}
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

5

When complete, save and close your catalina.properties file.

6

Restart the PamManagement (Windows) or pammanager (Linux) service. A full restart can take 3-5 minutes; once it is complete, the keystore file should appear at $XTAM_HOME/content/keys/samlKeystoreAuthpoint.jks (or at the keystorePath you defined in catalina.properties). The keystore is generated from the new section, so if the file does not appear, re-check that section before continuing.

7

Next, we will export the SAML certificate from XTAM using the following procedure.

7a

Open or reuse your existing prompt and navigate to the $XTAM_HOME directory. You may need sudo or elevated permissions.

7b

Execute the following command. The keystore name must match the keystorePath you set in catalina.properties (samlKeystoreAuthpoint.jks in the example above), and saml2clientconfiguration is the alias of XTAM's SAML key in that keystore. The name of the output file is your choice; the commands below use xtam-authpoint.cer. When prompted for the keystore password, enter the keystorePassword value from step 2.4.

For Windows

bin\PamKeytool.cmd -keystore content\keys\samlKeystoreAuthpoint.jks -export -alias saml2clientconfiguration -file content\keys\xtam-authpoint.cer

For Unix or Linux

bin/PamKeytool.sh -keystore content/keys/samlKeystoreAuthpoint.jks -export -alias saml2clientconfiguration -file content/keys/xtam-authpoint.cer

8

The exported file is in binary (DER) form, while AuthPoint expects a Base-64 encoded certificate, so the file must be converted. Use whatever method you are most comfortable with (on Linux, openssl can do the conversion). In Windows, the easiest method is the following:

8a

Double click on your certificate file and click Open if you receive a security prompt.

8b

From the Certificate dialog, switch to the Details tab and click the Copy to File… button.

XTAM AuthPoint - Certificate Details

8c

On the Certificate Export Wizard screen, select the format Base-64 encoded X.509 (.CER) option.

XTAM AuthPoint - Certificate Export to Base-64 Encoding

8d

Save this converted certificate file to $XTAM_HOME/content/keys.
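The conversion in step 8 can also be done without the Windows certificate dialog, which matters on a Linux XTAM host. The script below is an added example, not XTAM or WatchGuard code: it detects whether a file is binary DER (a single complete ASN.1 SEQUENCE) or already Base-64 armoured, so the same file is never wrapped twice, and writes the Base-64 encoded X.509 form AuthPoint expects. The sample bytes are a constructed minimal SEQUENCE rather than a real certificate, and the file names are hypothetical.

```python
"""Convert a keytool-exported certificate (binary DER) to Base-64 encoded X.509.

Added example, not XTAM or WatchGuard code; standard library only.
"""
import base64
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: SEQUENCE { INTEGER 5 }. Only the outer DER framing matters here;
# it is not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def _der_length(data: bytes, pos: int) -> Tuple[int, Optional[int]]:
    """Decode the DER length at data[pos]; return (length, offset of the content)."""
    first = data[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(data):
        return 0, None
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def is_der_certificate(data: bytes) -> bool:
    """A DER certificate is one SEQUENCE (tag 0x30) whose length exactly fills the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    length, content = _der_length(data, 1)
    return content is not None and content + length == len(data)


def is_pem(data: bytes) -> bool:
    return PEM_RE.search(data) is not None


def der_to_pem(der: bytes) -> bytes:
    """Base-64 in 64-character lines between the CERTIFICATE armour lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def to_base64_cer(data: bytes) -> bytes:
    """Return PEM for DER input; normalise PEM input; refuse anything else."""
    if is_pem(data):
        # Already Base-64: re-wrap the decoded bytes instead of encoding the armour again.
        return der_to_pem(pem_to_der(data))
    if is_der_certificate(data):
        return der_to_pem(data)
    raise ValueError("input is neither a DER nor a Base-64 X.509 certificate")


def convert_file(src: str, dst: str) -> int:
    """Write the Base-64 form of src to dst; return the number of bytes written."""
    return Path(dst).write_bytes(to_base64_cer(Path(src).read_bytes()))


if __name__ == "__main__":
    # Hypothetical usage from $XTAM_HOME:
    #   python convert_cer.py content/keys/xtam-authpoint.cer content/keys/xtam-authpoint-base64.cer
    convert_file(sys.argv[1], sys.argv[2])
```

Feed the output file to the CHOOSE FILE button in Step 3; if a file has been base-64 wrapped twice by hand, the script recognises the armour lines and emits a single clean wrapping instead of encoding the text a second time.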

 

Step 3: Complete the AuthPoint Configuration

1

Return to your WatchGuard portal.

2

From AuthPoint’s Resources page, expand the Choose a resource type dropdown menu, select the option SAML and finally click Add Resource.

XTAM AuthPoint - Add New SAML Resource

3

Enter values for all necessary fields that match those that were entered into the catalina.properties file from the previous step.

XTAM AuthPoint - SAML Resource Configuration

  • Name: Enter a meaningful name
  • Application Type: Others
  • Service Provider Entity ID: {managed_path value from step 2.4}
  • Assertion Consumer Service: {managed_path value from step 2.4}/cas/login?client_name=AuthPoint
  • User ID sent on redirection to service provider: Email
  • Logout URL: empty
  • Signature Method: SHA-256
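
The resource fields above must agree exactly with the catalina.properties section from step 2.4: a mismatch in the Entity ID or the Assertion Consumer Service URL is the most common reason the AuthPoint login fails after the restart. The script below is an added example, not XTAM or WatchGuard code. It parses the cas.authn.pac4j.saml[N].* keys, reports unreplaced {placeholders}, default keystore passwords, a keystore name left over from another guide and a long assertion lifetime, and derives the two URLs to type into the AuthPoint resource from the properties themselves. The key names are the guide's; the sample properties text, host names and planted defects are constructed for the example.

```python
"""Pre-restart check of the AuthPoint SAML section of catalina.properties.

Added example, not XTAM or WatchGuard code.
"""
import re
from typing import Dict, List

# Constructed sample: the guide's section with hypothetical values filled in.
# Two defects are planted deliberately: an unreplaced {placeholder} and a
# keystore name copied from a different (ADFS) guide.
SAMPLE_PROPERTIES = """\
# AuthPoint SSO SAML
cas.authn.pac4j.saml[0].clientName=AuthPoint
cas.authn.pac4j.saml[0].keystorePassword=S3cret-keystore
cas.authn.pac4j.saml[0].privateKeyPassword=S3cret-key
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.example.com/xtam
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/{metadata.xml from step 1.4}
cas.authn.pac4j.saml[0].keystorePath=C:/xtam/content/keys/samlKeystoreAdfs.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://authpoint.example.com/saml/metadata
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600
"""

KEY_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.(\w+)\s*=\s*(.*)$")
PLACEHOLDER_RE = re.compile(r"\{[^}]*\}")

REQUIRED = (
    "clientName", "keystorePassword", "privateKeyPassword",
    "serviceProviderEntityId", "serviceProviderMetadataPath",
    "keystorePath", "identityProviderMetadataPath",
    "maximumAuthenticationLifetime",
)


def parse_saml_clients(text: str) -> Dict[int, Dict[str, str]]:
    """Group cas.authn.pac4j.saml[N].key=value lines by client index N."""
    clients: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            clients.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return clients


def expected_authpoint_resource(props: Dict[str, str]) -> Dict[str, str]:
    """The two URLs the AuthPoint SAML resource must carry, derived from the SP
    settings: the ACS is the CAS login endpoint with client_name=clientName."""
    entity_id = props["serviceProviderEntityId"].rstrip("/")
    return {
        "Service Provider Entity ID": entity_id,
        "Assertion Consumer Service": f"{entity_id}/cas/login?client_name={props['clientName']}",
    }


def lint(props: Dict[str, str]) -> List[str]:
    """Return 'ERROR:'/'WARN:' findings; an empty list means the section is usable."""
    findings: List[str] = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"ERROR: {key} is missing")
    for key, value in props.items():
        if PLACEHOLDER_RE.search(value):
            findings.append(f"ERROR: {key} still contains an unreplaced {{...}} placeholder")
    for key in ("keystorePassword", "privateKeyPassword"):
        if props.get(key, "").lower() in ("", "changeit", "password"):
            findings.append(f"ERROR: {key} is empty or a well-known default")
    for key in ("serviceProviderEntityId", "identityProviderMetadataPath"):
        if props.get(key, "").lower().startswith("http://"):
            findings.append(f"WARN: {key} uses plain http://; use https:// so metadata cannot be altered in transit")
    keystore = props.get("keystorePath", "")
    if not keystore.lower().endswith(".jks"):
        findings.append("ERROR: keystorePath must name the .jks file XTAM generates on restart")
    elif "adfs" in keystore.lower():
        findings.append("WARN: keystorePath names an ADFS keystore; this guide expects samlKeystoreAuthpoint.jks")
    lifetime = props.get("maximumAuthenticationLifetime", "")
    if not lifetime.isdigit():
        findings.append("ERROR: maximumAuthenticationLifetime must be a whole number of seconds")
    elif int(lifetime) > 86400:
        days = int(lifetime) / 86400
        findings.append(f"WARN: maximumAuthenticationLifetime={lifetime}s ({days:g} days); "
                        "assertions whose IdP authentication is that old are still accepted")
    return findings


if __name__ == "__main__":
    for index, props in parse_saml_clients(SAMPLE_PROPERTIES).items():
        print(f"saml[{index}] -> AuthPoint resource values:")
        for field, value in expected_authpoint_resource(props).items():
            print(f"  {field}: {value}")
        for finding in lint(props):
            print("  " + finding)
```

Run it against the real file (replace SAMPLE_PROPERTIES with the contents of $XTAM_HOME/web/conf/catalina.properties) before restarting the service, and copy the printed Entity ID and Assertion Consumer Service values into the AuthPoint resource rather than retyping them.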
4

For the Certificate, click the CHOOSE FILE button and select your converted base-64 encoded certificate file from the previous step.

5

Click the slider so that Encryption enabled is turned on.

6

Click the SAVE button to complete the resource creation.

7

Next, navigate to the AuthPoint’s Groups page and click the Add Group button.

XTAM AuthPoint - Add Group

8

Enter a meaningful Name (required) for this new Group and a description (optional).

9

Now for this Group, click the Add Policy button, select the Resource we created in the previous step from the dropdown and finally configure your security policies as desired. Click ADD to complete the creation of your policy.

XTAM AuthPoint - Add Group Access Policy

10

Next, navigate to the AuthPoint’s Users page and click the Add User button.

XTAM AuthPoint - Add New User

11

Fill out all required fields as needed for this new User. For the Group parameter, select the Group that was created in the previous step. Click the SAVE button to create this new user.

XTAM AuthPoint - New User Configuration

12

Finally, open your XTAM login page, click the red button named AuthPoint and test the login process with the User created in the previous step. Remember that a matching User account must also exist in XTAM: either a Local User whose email matches the one AuthPoint sends, or the same Active Directory user when both systems are integrated with Active Directory, as described in the Requirements.

 
 

Copyright © 2019 Xton Technologies, LLC. All rights reserved.