LoginTC protects access to your WatchGuard Access Portal using SAML SSO. The LoginTC AD FS Connector protects access to your Microsoft Active Directory Federation Services (AD FS) by adding a second factor LoginTC challenge to existing username and password authentication. The LoginTC AD FS Connector provides a LoginTC multi-factor authentication (MFA) method to your AD FS deployment, used by your WatchGuard Access Portal.
Subscription Requirement
Your organization requires the Business or Enterprise plan to use the LoginTC AD FS Connector. Explore Pricing Plans
After clicking on LoginTC
from the WatchGuard Access Portal and entering the username and password into the AD FS login page, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.
Prefer Reading a PDF?
Download a PDF file with configuration instructions:
Before proceeding, please ensure you have the following:
WatchGuard Resources:
Working WatchGuard Access Portal Federation Deployment
It is strongly recommended that you have a working WatchGuard Access Portal with federation against your on-premise AD FS prior to adding LoginTC multi-factor authentication.
Create a LoginTC domain in LoginTC Admin Panel. The domain represents a service (e.g. your corporate AD FS) that you want to protect with LoginTC. It will contain token policies and the users that access your service.
If you have already created a LoginTC domain for your AD FS deployment, then you may skip this section and proceed to Installation.
Use Default Domain Settings
Domain settings can be modified at any time by navigating to Domains > Your Domain > Settings.
The instructions below are for AD FS (version 4.0) running on Windows Server 2016. If you have AD FS (3.0) running on Windows Server 2012 R2, see AD FS Configuration in Two-factor authentication for AD FS on Windows Server 2012 R2.
To configure your AD FS to use the LoginTC MFA method:
Don’t have a Relying Party for WatchGuard Access Portal setup yet?
For instructions on configuring a Relying Party for Access Portal see sections WatchGuard Access Portal Configuration and AD FS Relying Party.
Your AD FS login will now present the user with a secondary LoginTC authentication page.
Configuration for WatchGuard Access Portal 2FAConfigure WatchGuard Access Portal for SAML Single Sign-On (SSO):
Service Provider (SP) Settings:
Property | Explanation | Example |
---|---|---|
IdP Name |
Name to appear as the authentication server name | LoginTC |
Host Name |
A fully qualified domain name that resolves to the Firebox external interface | watchguard.example.com |
Identity Provider (IdP) Settings
Property | Explanation | Example |
---|---|---|
IdP Metadata URL |
AD FS Federation Metadata URL | https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml |
Group Attribute Name |
The name of the attribute returning group claims | memberOf |
metadata.xml
.
WatchGuard SAML Configuration
WatchGuard Access Portal is now configured to use your AD FS server to perform authentication. In the next section the metadata.xml
file will be used to configure AD FS to properly authenticate WatchGuard Access Portal requests.
To configure a WatchGuard Access Portal Relying Party in AD FS:
metadata.xml
from the final section of WatchGuard Access Portal Configuration is saved.WatchGuard Access Portal
):Next you will need to configured the AD FS Claims for your WatchGuard Access Portal Relying Party.
AD FS ClaimsWatchGuard Access Portal requires the following claims to be configured:
Given Name LDAP Query
)Transform Given Name to Name ID
)Send Group Membership as Claim
)
Additional AD FS Groups
If your WatchGuard Access Portal is configured with multiple groups, subsequent groups can be added as claims following the same procedure listed above
With these claims configured you are now ready to test logging into the WatchGuard Access Portal using LoginTC and AD FS.
LoggingThe LoginTC AD FS Connector logs events to the Microsoft Event Viewer under Applications and Service Logs → LoginTC. In some cases, it may be helpful to also look at the general AD FS logs under Custom Views → ServerRoles → Active Directory Federation Services.
UninstallationTo uninstall the LoginTC AD FS Connector, simply navigate to the Add or remove programs in the Windows Control Panel, find LoginTC AD FS Connector in the list and follow the prompts.
Prior to Uninstalling
Prior to uninstalling the LoginTC AD FS Connector, ensure that the LoginTC MFA method is not being used in any of your AD FS authentication policies. The uninstallation will fail if the LoginTC MFA method is being used in any of your AD FS authentication policies.
Email Support
For any additional help please email support@cyphercor.com. Expect a speedy reply.