We've listened to your feedback about product enhancement requests and have been hard at work to provide you with a better system. The WatchGuard Idea Portal allows you to submit ideas directly to our Product Management team and receive feedback on your requests.

You can navigate to the Idea Portal by logging into WatchGuard Cloud. https://cloud.watchguard.com

-Click the question mark at the top right of the page and select Give Feedback.
-The idea portal will load and allow you to make submissions for new ideas or upvote existing requests.

Thank you,

We are looking to move from Duo and have found from testing that there is no option to pause mfa checks for a certain period. For example we have it set at 12 hours so it will only ask once at the start of your work day and will only ask again if you move networks.

I appreciate there are network locations you can set as approved but this wont work when home working etc.

thanks

Is AuthPoint able to be able to get the local IP from the VDI Blast Protocol, or is it planned? I also tried allowing the desktop pool to use RDP with the same result.

So I wasn't able to make ConnectWise SSO work directly with AuthPoint.

As a work around I was able to make ConnectWise SSO use Azure Active Directory for external authentication, it works but its a bit convoluted.

The flow is like this, user navigates to ConnectWise SSO (from another ConnectWise product) > enter username > then redirect to Azure Active Directory > enter user name a 2nd time > then redirect to WatchGuard AuthPoint > enter user name a 3rd time > then authenticate and redirect back to AAD then redirect back to ConnectWise SSO.

Would be great if support for OpenID Connect could be added.

Also a side not, would be great if AuthPoint was able to somehow pickup the username when being redirected during SP initiated sign on, so that we only had to enter the username once. (e.g already populated on the AuthPoint login page), not sure if thats possible though, just a thought.

It seems like it would be trivial to add such a feature and help customers lock down their environments without spending a lot of extra time manually performing this task.

Seems to me that it would be basic functionality to be able to export the list of users to CSV and that the list would include details such as last login date.

There are certain things like Teams Rooms that don't support MFA at all that need to be whitelisted in order to work... I understand we could use ADFS to filter by groups but that doesn't work very well when your internal Domain is different from the public one....

https://docs.microsoft.com/en-us/microsoftteams/rooms/rooms-authentication

"MFA isn't supported regardless of the topology you have."

This is becoming a drag and makes it really hard to sell AuthPoint when there are flexible MFA solutions like DUO or Microsoft MFA...

App A
App B
App C
App D
App E

User 1
User 2
User 3
User 4
User 5
User 6

App A - All Users
App B - User 1,2,3
App C - User 4,5,6
App D - User 1,3,5
App E - User 1,2,5,6

In an ideal world (one where a certain well-known competitive product is available).. I'd just sync the equivalent AD groups into AuthPoint - regardless that a number of users belong to more than one group, and assign those groups to the Access Portal as necessary.

From what I can make out, I'd need a separate AuthPoint group for every possible combination of access - not very scalable, and complicated.

If Access Policies were done at the Resource level instead of on Groups - the whole problem goes away, if I read it right?

Cheers, James

As my list of 3rd-party tokens has grown over the years, I find it difficult to find some of my tokens without a search feature. I have looked at 5 other authenticator apps and Authpoint is the only one with search capabilities. Is this something that is coming up?

Some users could not use the mobile app so we purchased some hardware tokens. It just so happens that one of these users has T-Mobile 5G Internet which uses carrier-grade NAT.

When the user connects with their user name and password, they are prompted for the code from the hardware key, and they enter it. But because of the carrier grade NAT, the second response comes from a different IP address from the first response and the authentication is rejected.

I had a Watchguard support case stretch out over a couple of weeks where we tried various alternatives, and the only thing that worked was moving the user off of Authpoint and authenticating directly with the Firebox using user name and password.

More and more Internet providers are going to start using carrier-grade NAT to save costs and so Watchguard is going to have to deal with this.

I have come across a situation recently that I think could drive a great addition to the Authpoint product - the ability to secure an SMB share (individually or all on an designated system) with Authpoint, thereby requiring a successful MFA approval to grant access.

I understand it's probably a bit of a niche feature, but we have several customers with very specific security controls and must comply with various industry standard and government certifications/controls/compliances. It would certainly be helpful to be able to lock down access to a share with MFA.

My organization is actively pursuing similar certifications in order to grow our client base who require these controls/certifications, so having a tool like this will go a long way in our support of our existing and future clients!

Thanks!

Would like to see support for kerberos protocol.
Not much use making a admin account member of Protected Users group when AuthPoint do not support Kerberos.

If the user account do not allow ntlm authentication authpoint gives us this:

Reason: The LDAP password is not valid.
Error: 201.045.003 - Authentication transaction is not authorized.

/Robert

I'd love the option to stop the push notifications from being able to be approved from the lock screen as it can be a security risk.

I know you can manually set which apps can display content on the lock screen on each device but that isn't a possibility in large deployments.

If there is a technical limitation, maybe see if you can get it to at least report the status to the dashboard.

Thanks.

I just finished deploying the AuthPoint app to ~40 users, and it's time for some constructive feedback with regards to the user experience

The progress bars on each token have been universally misleading. Almost without exception, every single user I set up said/asked some variant of "it's trying to do something", "it's downloading/uploading something", "It's been doing this for the last 2 hours and nothing's happened", etc. I suggest they should be replaced with something more intuitive - for example the MS authenticator app uses a countdown circle where it shows the number of seconds remaining in the center, and the circumference of the circle is the progress bar that reduces, not increases as time goes on.

Also, the "Check for pending push notifications" link seems to confuse people as well - many people have read it as "Checking for pending push notifications", and also assumed that its "doing" something. Perhaps removing it from the main display and putting it in the menu would be more suitable. The language also strikes me as a little off - if you have to fetch, it's not push.

Cheers!
-Chris

we have setup Mobile VPN via "SSLVPN" in our infrastructure for homeoffice.
We can currently see the authenticated users in both the Watchguard Cloud (/reports/auth/authentication) and the Firebox (/dashboard/system?report=bovpn -> Mobile VPN).

We want to expose the currently authenticated mobile VPN users to an intranet page, where coworkers can see, if a colleague is currently in the office or at home.
I have tried to achieve this via Watchguard Cloud API, as well as via Firebox CLI. Both attempts were unsuccessful, as there is apparently currently no way to list SSLVPN user sessions via API or CLI.

My suggestion:

• Add an API endpoint to display the status of all Mobile VPN sessions
• Add "show mvpn-ssl session" to the CLI commands

Thanks

Would like to see support for both PUSH and OTP within the same AuthPoint policy when using ldap radius authentication up against a firebox with either sslvpn or GUI login.

/Robert

The impact of a deleted account is very significant for AuthPoint deployments especially if the Logon App has been deployed.

Cheers

Can accounts be set up with greater granularity so that we can control what they have access to, such as AuthPoint but not Firebox, and what they can do with it?

Diagnose this issue further by capturing HTTP headers during a login attempt. Extract the RelayState from the HTTP headers with both the SAML Request and Response, and make sure that the RelayState values in the Request and Response match.
Most commercially-available or open-source SSO Identity Providers transmit the RelayState seamlessly by default. For optimum security and reliability, we recommend that you use one of these existing solutions and cannot offer support for your own custom SSO software."

any suggestions ?

Thank you in advance

Vassilis

Concerning SAML-Ressources, SSO and Provisioning, I suggest the feature to allow multiple attributes to be send on SAML-based authentication flows.

So far, it is possible to add SAML ressources and can choose between [Email, User Name, Email prefix] as the User ID to be send on redirection to the service provider (SP).
Increasing the number of attributes, that can be claimed by the SP, would mean that more attributes could be send and synchronised in SPs User base. Therefore you don't need to manually do this or set up additional synchronisation of users to the SP user directory, which also could cause IT-security risks.

These additional attributes, I'm speaking from, are for example: phone number, department, location, and so on of an user.

Now, with a SAML-flow that supports multiple attributes to beclaimed by the SP, these attributes can be synchronised at the time the user logs in the SP application.

How would this feature benefit customers or Watchguard?

• Customers can provision Users through SAML-flow in SP application
• Customers do not need to setup additional user synchronisation - which could also cause IT-security risks
• Customers could reduce costs regarding user synchronisation management - the setup is only needed to be done for Authpoint user synchronisation
• Many other MFA-/SSO-providers offer this feature - therefore Watchguard / Authpoint could increase their competitiveness and attractiveness

Following Requirements would be necessary to implement the feature

1. Watchguard adds the possibility to synchronise more attributes in its own user directory.
2. Watchguard adds the possibility to send more attributes on SAML-based autentication flows.

What do you think of this?
Does any other Authpoint customer could make good use of it?

Kind regards,
Thomas