Integration with WatchGuard AuthPoint

Configuration for PAM and WatchGuard AuthPoint MFA Integration

 

PAM supports integration with SAML providers like WatchGuard AuthPoint to allow their unique multi-factor authentication (MFA) solution to handle the second authentication method, enabling even greater security for your PAM deployment.

The following guide describes how to configure your PAM and WatchGuard AuthPoint integration.

Requirements

Before you begin your integration, be sure you meet the following pre-requisities:

  • A working PAM deployment with the Federated Sign-In experience.
  • Access to your existing PAM host server. You will need to update a configuration file, certificates and restart services.
  • Access to your WatchGuard portal to configure your AuthPoint authentication services.
  • If Users are created and managed in WatchGuard, then a matching user must also be created as an PAM Local User.
  • If Users are synced from Active Directory to WatchGuard, then you must also integrate PAM with the same Active Directory.

Step 1: Begin the AuthPoint Configuration

  1. Login to your WatchGuard portal. This guide is built using the WatchGuard Cloud portal as available in October 2019.
  2. Navigate to Configure > AuthPoint.

    3. PAM-AuthPoint-Configure-AuthPoint

  3. From the AuthPoint page, select the Resources option from the left navigation. From the Resources page, click the CERTIFICATE button to generate a certificate.

    PAM-AuthPoint-Resources-Certificate-Button

  4. When the certificate appears, click the menu on the right (three dots) and use both the Download Certificate and Download Metadata files. Save both files to a safe location as they will be needed in a future step.

    PAM-AuthPoint-Resources-Certificate-Download-Options

  5. From the same menu (three dots), open the Copy Metadata URL option and save this URL. We will need this full URL in a future step.

Step 2: Perform the Configuration

  1. Login to your PAM host server.
  2. Move or copy both the downloaded Certificate and Metadata files from step 1.4 to the $PAM_HOME\content\keys directory.
  3. Import the AuthPoint certificate to the PAM keystore using the following procedure:

    1. Open a prompt and navigate to the $PAM_HOME directory. You may need sudo or elevated permissions.

    2. Execute the following command:

      For Windows, confirm the name of the .cer file and its location to be imported and used by PAM:

      Copy
      bin\PamKeytool.cmd -import -alias xtauthpoint -file content\keys\wg-authpoint-saml-certificate-202910-base64.cer -keystore jre\lib\security\cacerts

      For Unix or Linux, confirm the name of the .cer file and its location to be imported and used by PAM:

      Copy
      bin/PamKeytool.sh -import -alias xtauthpoint -file content/keys/wg-authpoint-saml-certificate-202910-base64.cer -keystore jre/libsecurity/cacerts

    3. After the command is issued, you will be prompted for the keystore password. Enter the value changeit and press the Enter key to continue.

    4. When prompted Trust this certificate? enter y and press the Enter key. You will receive the message Certificate was added to keystore when it has imported successfully.

  4. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor and add the following new section. Confirm that the values for each parameter is accurate to your PAM deployment, particularly those in red.

    # AutoPoint SSO SAML

    cas.authn.pac4j.saml[0].clientName=AuthPoint

    cas.authn.pac4j.saml[0].keystorePassword={enterSomePassword}

    cas.authn.pac4j.saml[0].privateKeyPassword={enterSomePassword}

    cas.authn.pac4j.saml[0].serviceProviderEntityId={managed_path}

    cas.authn.pac4j.saml[0].serviceProviderMetadataPath=$PAM_HOME/content/keys/{metadata.xml from step 1.4}

    cas.authn.pac4j.saml[0].keystorePath=$PAM_HOME/content/keys/samlKeystoreAuthpoint.jks

    cas.authn.pac4j.saml[0].identityProviderMetadataPath={metadata URL from step 1.5}

    cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

     

  5. When complete, save and close your catalina.properties file.

  6. Restart the PamManagement (Windows) or pammanager (Linux) service. After the service fully restarts, it could take 3-5 minutes to fully restart, the keystore file should appear in $PAM_HOME/content/keys/samlKeystoreAuthpoint.jks or the location you defined in the catalina file.

  7. Next, we will export the SAML certificate from PAM using the following procedure.

    1. Open or reuse your existing prompt and navigate to the $PAM_HOME directory. You may need sudo or elevated permissions.

    2. Execute the following command:

      For Windows:

      Copy 
      bin\PamKeytool.cmd -keystore content\keys\samlKeystoreAdfs.jks -export -alias saml2clientconfiguration -file content\keys\adfsxtam.cer

      For Unix or Linux:

      Copy 
      bin/PamKeytool.sh -keystore content/keys/samlKeystoreAdfs.jks -export -alias saml2clientconfiguration -file content/keys/adfsxtam.cer

  8. Now we need to convert your exported certificate file to base-64 encoding. Use whatever method you are most comfortable with. In Windows, we believe the easiest method is the following:

    1. Double click on your certificate file and click Open if you receive a security prompt.

    2. From the Certificate dialog, switch to the Details tab and click the Copy to File... button.

      PAM-AuthPoint-Certificate-Details

    3. On the Certificate Export Wizard screen, select the format Base-64 encoded X.509 (.CER) option.

      PAM-AuthPoint-Certificate-Export-Base-64-Encoding

    4. Save this converted certificate file to $PAM_HOME/content/keys.

Step 3: Complete the AuthPoint Configuration

  1. Return to your WatchGuard portal.
  2. From AuthPoint’s Resources page, expand the Choose a resource type dropdown menu, select the option SAML and finally click Add Resource.PAM-AuthPoint-SAML-Add-Resource-Button
  3. Enter values for all necessary fields that match those that were entered into the catalina.properties file from the previous step.

    4. PAM-AuthPoint-SAML-Resource-Configuration

  4. Name: Enter a meaningful name

    Application Type: Others

    Service Provider Entity ID: {managed_path value from step 2.4}

    Assertion Consumer Service: {managed_path value from step 2.4}/cas/login?client_name=AuthPoint

    User ID sent on redirection to service provider: Email

    Logout URL: empty

    Signature Method: SHA-256

    For the Certificate, click the CHOOSE FILE button and select your converted base-64 encoded certificate file from the previous step.
  5. Click the slider so that Encryption enabled is turned on.
  6. Click the SAVE button to complete the resource creation.
  7. Next, navigate to the AuthPoint’s Groups page and click the Add Group button.

  8. PAM-AuthPoint-Groups-Add-Group-Button

    Enter a meaningful Name (required) for this new Group and a description (optional).

  9. Now for this Group, click the Add Policy button, select the Resource we created in the previous step from the dropdown and finally configure your security policies as desired. Click ADD to complete the creation of your policy.

    PAM-AuthPoint-Groups-Access-Policy

  10. Next, navigate to the AuthPoint’s Users page and click the Add User button.

    PAM-AuthPoint-Users-Add-New-User-Button

  11. Fill out all required fields as needed for this new User. For the Group parameter, select the Group that was created in the previous step. Click the SAVE button to create this new user.

    PAM-AuthPoint-Users-New-User-Configuration

  12. Finally, you can open your PAM login page, click the red button named AuthPoint and test the login process with the User that was created in the previous step. Remember that an identical User account must also be created on PAM’s Local Users page.