SAML login for VPN


With the recent enhancements to Azure AD MFA implementing number matching, this would be a huge boost for security with the mobile workforce.

Currently, we can use RADIUS via approve/deny or purchase AuthPoint at an additional license fee and use tokens. For those of us already paying for Azure AD, it would be nice to tie it all in together without another purchase.

Unfortunately RADIUS does not support anything except for approve/deny and that is now being exploited through "MFA fatigue" attacks, where an attacker repeatedly sends MFA requests to your device until you approve. Number matching removes this problem.

more info:


  • james.carson Moderator, WatchGuard Representative

    @JohnathanT Which VPN are you using?
    We've added a native AuthPoint option to the SSLVPN on the Firebox -- if you're using that solution, I would suggest checking that out.

    (If you'd like to keep that information private, please consider opening a case, and we can get a feature request together, or add your information to an existing one.)

    -James Carson
    WatchGuard Customer Support

  • From a feature request stance, having native Azure AD authentication as an option (typically via SAML) would be the best option.

    We have quite a few setups where this would be ideal, since having Azure AD Directory Services (AADDS) is quite cost prohibitive just to run a RADIUS server "in cloud", and not all our clients have an on-premise AD setup linked to Azure AD either.

    AuthPoint, while WatchGuard "native", doesn't fit the bill for our clients as it's not only another authentication/MFA solution (they already use MFA through Azure AD for their Office 365 access), but as JohnathanT said, if you're already paying for it [Azure AD], it would be nice to not have to buy yet another package.

    Sidenote - I believe the Cisco Firepower appliance I had to deploy for a client (they wouldn't accept WatchGuard sadly, this being one of the reasons) does support SAML to Azure AD, although for that setup the project is on hold, so if WatchGuard had this capability, it would be an easier sell to customers/management.

  • In addition to the cost, the seamless MFA user experience when integrated with Azure AD (and Windows Hello for Business) is not something to be disregarded lightly. You can do MFA login without having to type a password or TOTP pin. I have done a couple of integrations with virtual Cisco ASA and Cisco Firepower. The user experience, security, and simplicity are well worth it.
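The "MFA fatigue" pattern raised in the original post (an attacker re-sending approve/deny pushes until one is approved) can at least be alerted on from sign-in logs while the VPN still relies on RADIUS push. The following is an added example, not code from this thread or from WatchGuard: a small Python detector run over constructed sample sign-in events (the tuple fields and result strings are assumed, not any vendor's schema) that flags users who receive a burst of unapproved pushes inside a short sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data): (timestamp, user, push result).
# Field layout and result strings are assumptions, not a specific vendor's schema.
SAMPLE_EVENTS = [
    ("2023-03-01T08:00:05Z", "alice@example.com", "MFA denied"),
    ("2023-03-01T08:00:40Z", "alice@example.com", "MFA denied"),
    ("2023-03-01T08:01:10Z", "alice@example.com", "MFA timed out"),
    ("2023-03-01T08:01:55Z", "alice@example.com", "MFA denied"),
    ("2023-03-01T08:02:30Z", "alice@example.com", "MFA denied"),
    ("2023-03-01T08:03:00Z", "alice@example.com", "MFA denied"),
    ("2023-03-01T09:15:00Z", "bob@example.com", "MFA denied"),
    ("2023-03-01T09:15:30Z", "bob@example.com", "MFA succeeded"),
    ("2023-03-01T10:00:00Z", "carol@example.com", "MFA denied"),
    ("2023-03-01T10:30:00Z", "carol@example.com", "MFA denied"),
    ("2023-03-01T11:00:00Z", "carol@example.com", "MFA denied"),
    ("2023-03-01T11:30:00Z", "carol@example.com", "MFA denied"),
]

# Push outcomes that mean the user did NOT approve the prompt.
UNAPPROVED = {"MFA denied", "MFA timed out"}


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received `threshold` or more unapproved push prompts
    inside any sliding `window`. Returns {user: time of the prompt that
    crossed the threshold}. A few denials spread over hours (carol) is
    ordinary user behaviour and is not flagged."""
    prompts = defaultdict(list)
    for ts, user, result in events:
        if result in UNAPPROVED:
            prompts[user].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

    alerts = {}
    for user, times in prompts.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = t
                break
    return alerts


if __name__ == "__main__":
    for user, when in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"possible MFA push spam against {user} at {when:%H:%M:%S}")
```

Tune `threshold` and `window` to the real prompt rate in your environment; number matching removes the attack itself, this only makes the RADIUS approve/deny variant visible.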
