
AD SSO operations

Hi, I’m struggling to find documentation about how Active Directory SSO operates (as opposed to how to set it up). The kind of questions I have are…

  • Is the initial browser authentication transparent, or does the captive portal appear for login?
  • Once the user is added to the firewall, will further browser authentications be transparent, or will the captive portal appear again?
  • Once a user is authenticated via the browser, does this apply to all firewall rules & logging or just browsing?
  • How long does the user remain authenticated against their IP address?
  • What happens when the user logs out?
  • Does it work over RDP?

That will do for starters

Thanks



[edited by: Erick Jan at 12:55 AM (GMT -7) on 22 Oct 2024]
  • You don't come across this very often, but I've some experience of it (albeit only once or twice and not recently).

    If you set it up correctly, the browser session is authenticated in the background and the user doesn't see anything. A live user just pops up on the XG.

    There's a timeout of (by default) six minutes after which the browser authenticates automatically - there's no user input. I see no reason why, when there's an authenticated user on that IP, all traffic (firewall, filtering etc.) would not apply - it does normally. If the user logs out then there will be a delay whilst the timeout occurs and they drop. When a new user logs in and opens a browser I'm pretty sure the old user gets overwritten straight away. Six minutes is the smallest timeout value.

    If you RDP into something and log in, then yes, I would expect it will work, but if there is more than one person on that device you need to set up per-connection SSO or things get very messy as users overwrite each other.

    I do recall it can be painful to set up, and any issues are difficult to troubleshoot (all that background stuff is hard to see).

    Regards

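To make the behaviour described in the answer concrete, here is an added Python model (not Sophos code and not from the poster) of the per-IP live-user table: a transparent browser authentication binds the client IP to a user and overwrites any earlier binding, a logout does not clear it, and a binding only drops once the six-minute timeout passes without a re-authentication. The host address and user names are constructed; the shared-RDP scenario shows why one user's traffic can be logged under another's name without per-connection SSO.

```python
from dataclasses import dataclass

DEFAULT_TIMEOUT_S = 6 * 60  # six minutes, the smallest timeout the answer mentions


@dataclass
class Binding:
    user: str
    last_auth: float  # time of the last (transparent) browser authentication


class LiveUserTable:
    """One user per client IP, as the firewall's live-user list behaves."""

    def __init__(self, timeout_s=DEFAULT_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.by_ip = {}

    def sso_auth(self, ip, user, now):
        """Background browser auth: binds the IP, overwriting any previous user.
        Returns the user that was displaced, if any."""
        prev = self.by_ip.get(ip)
        self.by_ip[ip] = Binding(user, now)
        return prev.user if prev else None

    def logout(self, ip, now):
        """A Windows logout is invisible to the firewall: nothing changes until
        the timeout elapses without a fresh authentication."""
        return self.attribute(ip, now)

    def attribute(self, ip, now):
        """Which user does traffic from `ip` count as (for rules and logging)?
        None once the binding has aged out without re-authentication."""
        b = self.by_ip.get(ip)
        if b is None:
            return None
        if now - b.last_auth > self.timeout_s:
            del self.by_ip[ip]
            return None
        return b.user


def shared_host_scenario():
    """Two people on one RDP host (one IP) without per-connection SSO."""
    t = LiveUserTable()
    host = "10.0.0.25"  # constructed address of the shared RDP host
    t.sso_auth(host, "alice", now=0)
    t.sso_auth(host, "bob", now=60)             # bob's browser auth displaces alice
    misattributed = t.attribute(host, now=90)   # alice's traffic is now logged as bob
    still_bound = t.logout(host, now=120)       # bob logs out; binding lingers
    after_timeout = t.attribute(host, now=60 + DEFAULT_TIMEOUT_S + 1)
    return misattributed, still_bound, after_timeout
```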