SSO Agent
With Single Sign-On (SSO), users need to authenticate only once to access several services.
The SSO agent method requires the installation of the Stormshield Network SSO Agent application, a Windows service that allows Stormshield Network firewalls to benefit from transparent authentication on Windows Active Directory. Refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.
When users log in to the Windows domain by opening their sessions, they are automatically authenticated on the firewall. The SSO agent gathers information on the user's identity on the domain by connecting remotely to the event viewer (security event log) on the domain controller. It then relays this information to the firewall over an SSL connection, and the firewall updates its table of authenticated users accordingly.
From version 3 of the firmware onwards, up to 5 SSO agents can be declared, thereby making it possible to manage authentication on 5 Windows Active Directory domains that have no trust relationship between them. These domains must be declared beforehand as external Microsoft Active Directory types of LDAP directories (Users > Directory configuration module). Additional SSO agents are named SSO Agent 1, SSO Agent 2, etc.
After having added this method, you can enter the information relating to its configuration.
Domain name | Select the Microsoft Active Directory corresponding to the domain on which users will be authenticated. This directory must be configured beforehand through the Directory configuration module. |
SSO Agent
IP address | IP address of the machine hosting Stormshield Network SSO Agent. |
Port | By default, the port "agent_ad" is selected, corresponding to port 1301. The protocol used is TCP. |
Pre-shared key | This key secures the SSL exchanges between the SSO agent (machine hosting Stormshield Network SSO Agent) and the firewall. Enter the pre-shared key (password) defined during the installation of the SSO agent. |
Confirm pre-shared key | Confirm the pre-shared key/password that was typed in the previous field. |
Pre-shared key strength | This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. The use of uppercase and special characters is strongly advised. |
SSO backup agent
The fields for configuring the backup SSO agent are the same as those for the main agent.
Domain controller
You will need to add all the domain controllers that control the selected Active Directory domain. They must be saved beforehand in the firewall's object database.
Add a domain controller | Click to select or create the network object corresponding to a domain controller. Repeat for every domain controller of the domain, as the agent reads logon events from each of them. |
Advanced properties
Select the mode matching how the SSO agent to be contacted was installed: Windows Active Directory mode (agent installed on a workstation or on a Windows server) or Syslog server mode (agent installed on a Linux Ubuntu machine).
There are five additional fields to configure in Syslog server mode:
Listening IP address | Enter the IP address of the syslog server. |
Listening port | Enter the listening port of the syslog server. The syslog network object is suggested by default. |
IP address search (reg. expr.) | Enter the regular expression that will be used to search for IP addresses in logs hosted on the syslog server. Example: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\| |
User search (reg. expr.) | Enter the regular expression that will be used to search for user names in logs hosted on the syslog server. Example: JOHN\\([a-zA-Z0-9\.]*)\s will detect entries such as JOHN\john.doe |
Message search (reg. expr.) | Enter the regular expression that will be used to search for connection messages in logs hosted on the syslog server. Example: connect|ok will detect entries such as JOHN|connect|ok|sysvol. Note that an unescaped | is the alternation operator in regular expressions (the example also matches any entry containing just "connect" or just "ok"); to require the literal sequence connect|ok, escape the bar as connect\|ok. |
Backup syslog server configuration
You can specify a backup syslog server that the firewall will read from if the main server is unreachable.
Listening IP address | Enter the IP address of the backup syslog server. |
The following fields appear in both Windows Active Directory mode and Syslog server mode:
Maximum authentication duration | Define the maximum duration for the session of an authenticated user. After this period, the firewall will delete the user from its table of authenticated users, thereby logging out the user. This duration is to be defined in seconds or minutes. It is set by default to 36000 seconds, or 10 hours. |
Refresh user group updates | If the Active Directory has been configured on the firewall (Directory configuration module), the firewall periodically checks for changes made to LDAP directory groups, updates its directory configuration and sends this information to the SSO agent. This interval, defined in seconds, minutes or hours, is set by default to 3600 seconds, or 1 hour. |
Disconnection detection | With this option, authenticated users can be deleted when the associated host logs off or when a session is shut down. The test to detect which hosts are still connected is carried out either by pinging or by the registry database method. If this option is not enabled, the user will only be disconnected after the maximum authentication duration has elapsed, even if the session has already been shut down. |
Detection method | Select the log-off detection method: PING or Registry database. |
Consider offline after | If a host does not respond to the ping after this period, it will be considered disconnected. The firewall will then delete the user associated with this host from its table of authenticated users. This duration, defined in seconds, minutes or hours, is set by default to 5 minutes. |
Enable DNS host lookup | With this option, you can manage changes to the IP addresses of user workstations and authenticate users who have logged in to hosts that have several IP addresses. |
Ignored administration accounts | In the firewall's factory configuration, there is a list of users whose authentication is ignored. The list contains the usual administrator logins (Administrator and Administrateur by default). This mechanism exists because the domain controller records the execution of a service or an application under another account (the Run as administrator feature, for example) as a logon event, i.e. an authentication. As SN SSO Agent maps authentications to IP addresses, such an event could overwrite the authentication of the user whose interactive Windows session is open on that host. The pre-set list of ignored administration accounts allows SN SSO Agent to disregard their authentication. Edit it if necessary. |
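As an added illustration of the syslog-mode searches above and of the ignored administration accounts, the following Python example is not part of the Stormshield documentation or product. It applies the three example regular expressions from this page to constructed syslog lines, feeds the resulting (IP, user) pairs into a minimal model of the firewall's table of authenticated users keyed by IP, drops logons by the ignored accounts so that a "Run as administrator" event does not overwrite the interactive user on the same host, and expires entries after the default maximum authentication duration. The log lines, timestamps and the AuthTable class are assumptions made for the example; the message search escapes the bar (connect\|ok) so that it matches the literal sequence rather than the alternation the unescaped form expresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regular expressions as given in the configuration examples on this page.
# The page's message example "connect|ok" is an alternation in regex syntax
# (it matches "connect" OR "ok"); the bar is escaped here so that only the
# literal "connect|ok" sequence counts as a successful connection message.
IP_RE = re.compile(r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|")
USER_RE = re.compile(r"JOHN\\([a-zA-Z0-9\.]*)\s")
MSG_RE = re.compile(r"connect\|ok")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Apply the three searches; return (ip, user) only if all of them hit."""
    ip = IP_RE.search(line)
    user = USER_RE.search(line)
    msg = MSG_RE.search(line)
    if not (ip and user and msg):
        return None
    return ip.group(1), user.group(1)


@dataclass
class Entry:
    user: str
    since: int  # epoch seconds at which the authentication was recorded


class AuthTable:
    """Hypothetical model of the firewall's table of authenticated users (keyed by IP)."""

    def __init__(self, max_duration: int = 36000,
                 ignored=("Administrator", "Administrateur")):
        self.max_duration = max_duration             # page default: 36000 s (10 h)
        self.ignored = {u.lower() for u in ignored}  # page default ignore list
        self.entries: Dict[str, Entry] = {}

    def ingest(self, line: str, now: int) -> Optional[Tuple[str, str]]:
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, user = parsed
        # A "Run as administrator" logon arrives as an authentication for the
        # same IP; ignoring it keeps the interactive user mapped to the host.
        if user.lower() in self.ignored:
            return None
        self.entries[ip] = Entry(user, now)
        return ip, user

    def expire(self, now: int) -> List[str]:
        """Drop sessions older than max_duration; return the IPs removed."""
        gone = [ip for ip, e in self.entries.items()
                if now - e.since >= self.max_duration]
        for ip in gone:
            del self.entries[ip]
        return gone

    def user_for(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e.user if e else None


# Constructed sample syslog lines (hypothetical, shaped to fit the page's regexes).
SAMPLE_LOGS = [
    (1000, r"192.0.2.10 | JOHN\john.doe logon JOHN|connect|ok|sysvol"),
    (1060, r"192.0.2.10 | JOHN\Administrator runas JOHN|connect|ok|sysvol"),
    (1120, r"192.0.2.11 | JOHN\jane.roe logon JOHN|connect|failed|sysvol"),
    (1180, r"192.0.2.11 | JOHN\jane.roe logon JOHN|connect|ok|sysvol"),
]


def run_demo() -> AuthTable:
    """Feed the sample lines into a fresh table and return it."""
    table = AuthTable()
    for ts, line in SAMPLE_LOGS:
        table.ingest(line, ts)
    return table


if __name__ == "__main__":
    t = run_demo()
    print({ip: e.user for ip, e in t.entries.items()})
    print("expired after 10 h:", t.expire(1000 + 36000))
```

Without the ignore list, the second line would replace john.doe with Administrator for 192.0.2.10, which is exactly the situation the ignored-accounts mechanism prevents; the failed connection on the third line never reaches the table because the message search does not match.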