Defining an authentication policy

To allow traffic dedicated to the SSO Agent authentication method that was configured, you must define rules in the authentication policy.

  1. Log in to the firewall's administration interface: https://firewall_IP_address/admin,
  2. Go to Configuration > Users > Authentication, Authentication policy tab.
  3. Click on New rule and select Standard rule to run the wizard.
  4. Under the User tab, in the User or group field: select the user or group concerned or leave the default value Any_user@domain.
  5. In the Source tab, click on Add an object and select the source of the traffic to which the rule applies. This object can be the one that corresponds to internal networks (network_internals).
    Interfaces cannot be specified as criteria for the SSO Agent authentication method: it relies on authentication events gathered from LDAP directories, and since these events do not indicate the source of the traffic, an interface cannot reliably be used as a criterion in the authentication policy.
  6. In the Authentication methods tab, click on Authorize a method and select from the drop-down list the authentication methods to apply to the traffic affected by the rule. They are evaluated in the order in which they appear on the list, from top to bottom. As the SSO Agent method is transparent, it always has priority.
    The default method can be changed below the table containing the rules of the authentication policy.
  7. Click on OK, then on Apply.

Repeat the steps above to add several rules.

The SSO Agent method does not support multi-user objects (several authenticated users on the same IP address). However, such objects can be found on a network, a range or a group defined as the source of a rule that uses the SSO Agent authentication method.

To prevent multiple logs from being generated when SN SSO Agent is denied for users on an address declared as a multi-user address, we recommend that you add two rules dedicated to such objects in front of the rules that use the SSO Agent method:

  • The first rule specifies the authentication method used by the multi-user object,
  • The next rule blocks any other authentication method for multi-user objects.
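The effect of this ordering can be checked with a toy model of the policy walk, added here as an example and not part of the Stormshield documentation or product. It assumes a simplified evaluation (rules walked top to bottom, each matching rule contributing its methods, an empty method list acting as a block rule that ends the walk, and an SSO Agent method reached by a multi-user address producing one denial log line); the addresses and the method name "other method" are constructed placeholders.

```python
# Toy model of the ordered authentication policy described above (added example,
# not Stormshield code). Assumptions: rules are walked top to bottom, each matching
# rule adds its methods, an empty method list is a block rule that ends the walk, and
# an SSO Agent method reached by a multi-user address yields one denial log line.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SSO_AGENT = "SSO Agent"

@dataclass
class Rule:
    name: str
    sources: list                  # CIDR strings, e.g. the network_internals object
    methods: list                  # ordered authentication methods; [] means block
    multi_user_only: bool = False  # rule dedicated to multi-user objects

    def matches(self, addr, multi_user):
        if self.multi_user_only and not multi_user:
            return False
        return any(ip_address(addr) in ip_network(net) for net in self.sources)

def evaluate(policy, addr, multi_user, logs):
    """Return methods permitted for addr, appending SSO Agent denials to logs."""
    allowed = []
    for rule in policy:
        if not rule.matches(addr, multi_user):
            continue
        if not rule.methods:          # block rule: nothing further is evaluated
            break
        for method in rule.methods:
            if method == SSO_AGENT and multi_user:
                logs.append(f"{addr}: {SSO_AGENT} denied for multi-user object ({rule.name})")
            elif method not in allowed:
                allowed.append(method)
    return allowed

# Constructed sample: 192.0.2.10 is a terminal server declared as a multi-user address;
# "other method" stands for whatever method the multi-user object actually uses.
MULTI_METHOD = Rule("multi-user method", ["192.0.2.10/32"], ["other method"], True)
MULTI_BLOCK = Rule("multi-user block", ["192.0.2.10/32"], [], True)
SSO_RULE = Rule("SSO Agent internals", ["192.0.2.0/24"], [SSO_AGENT, "other method"])
RECOMMENDED = [MULTI_METHOD, MULTI_BLOCK, SSO_RULE]   # dedicated rules in front
NAIVE = [SSO_RULE]                                    # SSO Agent rule alone
def compare():
    result = {}
    for label, policy in (("recommended", RECOMMENDED), ("naive", NAIVE)):
        logs = []
        multi = evaluate(policy, "192.0.2.10", True, logs)
        single = evaluate(policy, "192.0.2.25", False, logs)
        result[label] = {"multi_user": multi, "workstation": single, "denials": len(logs)}
    return result
```

Both orderings grant the same methods, but only the naive one produces a denial line for the multi-user address each time it is evaluated.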