SSO Agent

Single Sign-On (SSO) allows a user to authenticate only once to access several services.

The SSO agent method requires the installation of the Stormshield Network SSO Agent application, a Windows service that allows Stormshield Network firewalls to benefit from transparent authentication on Windows Active Directory. Please refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.

When a user logs on to the Windows domain by opening his session, he will automatically be authenticated on the firewall. The principle is as follows: the SSO agent gathers information on the identification of a user on the domain by connecting remotely to the event viewer on the domain controller. The SSO agent then relays this information to the firewall through an SSL connection, which updates its table of authenticated users.

From version 3 of the firmware onwards, up to 5 SSO agents can be declared, making it possible to manage authentication on 5 Windows Active Directory domains that have no trust relationship between them. These domains must be declared beforehand as external Microsoft Active Directory LDAP directories (Users > Directory configuration module). Additional SSO agents will be named SSO Agent 1, SSO Agent 2, etc.

After having added this method, you can enter the information relating to its configuration.

SSO Agent

Domain name: Select the Microsoft Active Directory corresponding to the domain on which users will be authenticated. This directory must be configured beforehand through the Directory configuration module.

SSO Agent

IP address: IP address of the machine hosting Stormshield Network SSO Agent.
Port: By default, the "agent_ad" object is selected, corresponding to port 1301. The protocol used is TCP.
Pre-shared key: This key is used for SSL encryption of exchanges between the SSO agent (the machine hosting Stormshield Network SSO Agent) and the firewall. Enter the pre-shared key (password) defined during the installation of the SSO agent.
Confirm pre-shared key: Confirm the pre-shared key/password typed in the previous field.
Pre-shared key strength: This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. The use of uppercase and special characters is strongly advised.

Domain controller

You will need to add all the domain controllers that control the selected Active Directory domain. They have to be saved in the firewall’s object database.

Add a domain controller: Click to select or create the corresponding object.

Advanced properties

Select the mode in which the SSO agent to be contacted is installed: Windows Active Directory mode (agent installed on a workstation or on a Windows server) or Syslog server mode (agent installed on a Linux Ubuntu machine).

There are five additional fields to configure in Syslog server mode:

Listening IP address: Enter the IP address of the syslog server.
Listening port: Enter the listening port of the syslog server. The syslog network object is suggested by default.
Regular expression for IP address search: Enter the regular expression that will be used to search for IP addresses in logs hosted on the syslog server.
Example: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|
Regular expression for user search: Enter the regular expression that will be used to search for user names in logs hosted on the syslog server.
Example: JOHN\\([a-zA-Z0-9\.]*)\s will detect entries such as JOHN\john.doe
Regular expression for message search: Enter the regular expression that will be used to search for connection messages in logs hosted on the syslog server.
Example: connect|ok will detect entries such as JOHN|connect|ok|sysvol
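As an added illustration (not Stormshield code), the following Python applies the three example expressions above to constructed syslog lines in the way the search fields describe: a line yields an IP/user pair only when the message expression matches and both capture groups are found. The sample lines, the octet range check and the stricter variant of the message expression are assumptions of this example, not part of the documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The three example expressions from the Syslog server mode fields above.
IP_RE = re.compile(r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|")
USER_RE = re.compile(r"JOHN\\([a-zA-Z0-9\.]*)\s")
MSG_RE = re.compile(r"connect|ok")
# In regex syntax "connect|ok" is an alternation ("connect" OR "ok"), so it also
# matches a line containing "disconnect|ok". Escaping the pipes anchors on the
# literal field sequence instead (our variant, not from the documentation).
STRICT_MSG_RE = re.compile(r"\|connect\|ok\|")


@dataclass(frozen=True)
class Logon:
    ip: str
    user: str


def parse_logon(line: str,
                ip_re: re.Pattern = IP_RE,
                user_re: re.Pattern = USER_RE,
                msg_re: re.Pattern = MSG_RE) -> Optional[Logon]:
    """Return the (ip, user) pair a line yields, or None if any expression fails."""
    if not msg_re.search(line):
        return None                       # not a connection message
    ip_m, user_m = ip_re.search(line), user_re.search(line)
    if ip_m is None or user_m is None:
        return None                       # address or user name not found
    ip = ip_m.group(1)
    # [0-9]{1,3} accepts "999", so reject octets outside 0..255 before the
    # value is used as a host key (added check, not in the example expression).
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None
    return Logon(ip=ip, user=user_m.group(1))


def extract_logons(lines: List[str], msg_re: re.Pattern = MSG_RE) -> List[Logon]:
    """Apply parse_logon to every line and keep the hits, in order."""
    hits: List[Logon] = []
    for line in lines:
        logon = parse_logon(line, msg_re=msg_re)
        if logon is not None:
            hits.append(logon)
    return hits


# Constructed sample lines (not real logs) in the layout the examples imply:
# "<ip> | <DOMAIN>\<user>  <DOMAIN>|<action>|<result>|<share>".
SAMPLE_LOG = [
    "Jan 12 09:15:01 fs01 smbd: 10.0.1.20 | JOHN\\john.doe  JOHN|connect|ok|sysvol",
    "Jan 12 09:16:30 fs01 smbd: 10.0.1.21 | JOHN\\jane.roe  JOHN|auth|fail|sysvol",
    "Jan 12 09:17:02 fs01 smbd: 10.0.1.22 | CORP\\bob  CORP|connect|ok|sysvol",
    "Jan 12 09:18:45 fs01 smbd: 999.0.1.23 | JOHN\\eve  JOHN|connect|ok|sysvol",
    "Jan 12 09:19:10 fs01 smbd: 10.0.1.24 | JOHN\\sam  JOHN|disconnect|ok|sysvol",
]

if __name__ == "__main__":
    for logon in extract_logons(SAMPLE_LOG):
        print(f"{logon.ip:<12} {logon.user}")
    print("strict:", extract_logons(SAMPLE_LOG, msg_re=STRICT_MSG_RE))
```

With the documented `connect|ok` expression the last sample line (a disconnect) is still taken as a logon, because the alternation matches the `connect` inside `disconnect`; the escaped variant only accepts the `|connect|ok|` field sequence. Whatever expressions you configure, run them over a capture of the real log format before enabling the method, since every false match becomes an authenticated user on the firewall.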

The following fields appear in both Windows Active Directory mode and Syslog server mode:

Maximum authentication duration: Define the maximum duration of an authenticated user's session. After this period, the firewall deletes the user from its table of authenticated users, thereby logging the user out. This duration is defined in seconds or minutes and is set by default to 36000 seconds (10 hours).
Refresh user group updates: If the Active Directory has been configured on the firewall (Directory configuration module), the firewall checks for changes made to LDAP directory groups. The firewall then updates its directory configuration and sends this information to the SSO agent. This interval, defined in seconds, minutes or hours, is set by default to 3600 seconds (1 hour).
Disconnection detection: This option allows authenticated users to be deleted when the associated host logs off or when a session is shut down. The test to detect which hosts are connected to the firewall is carried out either by pinging or by the Registry database method. If this option is not enabled, the user will only be disconnected after the defined authentication duration, even if his session is shut down.
Detection method: Select a logoff detection method, PING or Registry database:
PING: The SSO agent tests the reachability of all hosts authenticated on the firewall, every 60 seconds by default. If it gets a host unreachable response, or no response is received from an IP address after the period defined below, the SSO agent sends a logout request to the firewall. The firewall then deletes the user associated with this IP address from its table of authenticated users, logging the user out of the firewall.
Registry: The Registry database (BDR) is the database used by the Windows operating system to store information about the system’s configuration and installed software. This method makes it possible, for example, to detect a closed session on a host that is still running. In the event of a positive response to the ping, the SSO agent logs on remotely to the host and checks in the Registry database the list of users with a session open on the host. This allows the firewall’s table of authenticated users to be updated.
Consider as disconnected after: If a host does not respond to the ping after this period, it is considered disconnected. The firewall then deletes the user associated with this host from its table of authenticated users. This duration, defined in seconds, minutes or hours, is set by default to 5 minutes.
Enable DNS host lookup: This option allows managing changes to the IP addresses of user workstations and authenticating users who have logged on to hosts that have several IP addresses.
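To make the interaction between the maximum authentication duration and the disconnection detection timers concrete, here is an added Python model of the firewall's table of authenticated users. It is not Stormshield code: the class and function names, the scenario, and the exact way the timers combine are assumptions of this illustration; only the default values (36000 s maximum duration, a ping every 60 s, 5 minutes before an unreachable host is considered disconnected) come from the fields above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Removal = Tuple[str, str, str]   # (ip, user, reason)


@dataclass
class Entry:
    user: str
    logon_at: float      # when the SSO agent reported the domain logon
    last_seen_at: float  # last time the host answered the agent's ping


class AuthTable:
    """Model (assumed logic) of the firewall's table of authenticated users.

    Defaults are the documented ones: 36000 s maximum authentication duration,
    5 minutes (300 s) before an unreachable host counts as disconnected.
    """

    def __init__(self, max_auth_s: int = 36000, disconnect_after_s: int = 300,
                 disconnection_detection: bool = True) -> None:
        self.max_auth_s = max_auth_s
        self.disconnect_after_s = disconnect_after_s
        self.disconnection_detection = disconnection_detection
        self.entries: Dict[str, Entry] = {}

    def logon(self, ip: str, user: str, now: float) -> None:
        """The agent relayed a domain logon: map the host's IP address to the user."""
        self.entries[ip] = Entry(user=user, logon_at=now, last_seen_at=now)

    def user_for(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.user if entry else None

    def ping_result(self, ip: str, reachable: bool, now: float) -> None:
        """PING method: a reply refreshes the host; silence leaves it unrefreshed."""
        if self.disconnection_detection and reachable and ip in self.entries:
            self.entries[ip].last_seen_at = now

    def registry_result(self, ip: str, open_sessions: List[str]) -> List[Removal]:
        """Registry method: after a positive ping the agent reads the host's list
        of open sessions; a user no longer in that list is logged out at once."""
        removed: List[Removal] = []
        entry = self.entries.get(ip)
        if self.disconnection_detection and entry and entry.user not in open_sessions:
            removed.append((ip, entry.user, "session_closed"))
            del self.entries[ip]
        return removed

    def expire(self, now: float) -> List[Removal]:
        """Apply both timers and return the entries removed."""
        removed: List[Removal] = []
        for ip, entry in list(self.entries.items()):
            reason = None
            if now - entry.logon_at >= self.max_auth_s:
                reason = "max_auth_duration"
            elif (self.disconnection_detection
                  and now - entry.last_seen_at >= self.disconnect_after_s):
                reason = "host_unreachable"
            if reason:
                removed.append((ip, entry.user, reason))
                del self.entries[ip]
        return removed


def simulate(detection_enabled: bool) -> dict:
    """Constructed scenario: a host logs on at t=0, answers pings until t=180 s,
    then goes silent (switched off, or its address handed to another host)."""
    table = AuthTable(disconnection_detection=detection_enabled)
    table.logon("10.0.1.20", "john.doe", now=0)
    removals: List[Removal] = []
    for now in range(60, 600, 60):               # the agent pings every 60 s
        table.ping_result("10.0.1.20", reachable=(now <= 180), now=now)
        removals += table.expire(now)
    user_at_540 = table.user_for("10.0.1.20")
    removals += table.expire(36000)              # maximum authentication duration
    return {"user_at_540": user_at_540,
            "user_at_36000": table.user_for("10.0.1.20"),
            "removals": removals}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"detection={enabled}: {simulate(enabled)}")
```

With detection enabled the entry is removed at t=480 s, five minutes after the last ping reply. With it disabled the entry for 10.0.1.20 survives until the 10-hour limit even though the host went silent at t=180 s, so any host that later receives that address is treated as john.doe for the rest of that period; that stale mapping is the risk the Disconnection detection option addresses.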