SSO Agent

With Single Sign-On (SSO), users need to authenticate only once to access several services.

The SSO agent method requires the installation of the Stormshield Network SSO Agent application, a Windows service that allows Stormshield Network firewalls to benefit from transparent authentication on Windows Active Directory. Refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.

When users log in to the Windows domain by opening their sessions, they will automatically be authenticated on the firewall. The SSO agent gathers information on the user’s identity on the domain by connecting remotely to the event viewer on the domain controller. The SSO agent then relays this information to the firewall through an SSL connection, which updates its table of authenticated users.

From version 3 of the firmware onwards, up to 5 SSO agents can be declared, thereby making it possible to manage authentication on 5 Windows Active Directory domains without approval relationships. These domains must be declared beforehand as external Microsoft Active Directory types of LDAP directories (Users > Directory configuration module). Additional SSO agents will be named SSO Agent 1, SSO Agent 2, etc.

After having added this method, you can enter the information relating to its configuration.

SSO Agent

Domain name Select the Microsoft Active Directory corresponding to the domain on which users will be authenticated. This directory must be configured beforehand through the Directory configuration module.
 

SSO Agent

IP addressIP address of the server for the machine hosting Stormshield Network SSO Agent.
PortBy default, the port "agent_ad" is selected, corresponding to port 1301. The protocol used is TCP.
Pre-shared key.This key is used for SSL encryption in exchanges between the SSO agent (machine hosting Stormshield Network SSO Agent) and the firewall.
Enter the pre-shared key (password) defined during the installation of the SSO agent.
Confirm pre-shared keyConfirm the pre-shared key/password that was typed in the previous field.
Pre-shared key strengthThis field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. The use of uppercase and special characters is strongly advised.

SSO backup agent

The fields for configuring the backup SSO agent are the same as those for the main agent.

Domain controller

You will need to add all the domain controllers that control the selected Active Directory domain. They must be saved in the firewall’s object database.

Add a domain controllerClick to select or create the corresponding object. You will need to add all the domain controllers that control the Active Directory domain. They must be saved beforehand in the firewall’s object database.

Advanced properties

Select this option if the SSO agent to be contacted is installed in Windows Active Directory mode (agent installed on a workstation or on a Windows server) or in Syslog server mode (agent installed on a Linux Ubuntu machine).

There are five additional fields to configure in Syslog server mode:

Listening IP address

Enter the IP address of the syslog server.

Listening port

Enter the listening port of the syslog server. The syslog network object is suggested by default.

IP address search (reg. expr.)

Enter the regular expression that will be used to search for IP addresses in logs hosted on the syslog server.

Example: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|

User search (reg. expr.)

Enter the regular expression that will be used to search for user names in logs hosted on the syslog server.

Example: JOHN\\([a-zA-Z0-9\.]*)\s will detect entries such as JOHN\john.doe

Message search (reg. expr.)

Enter the regular expression that will be used to search for connection messages in logs hosted on the syslog server.

Example: connect|ok will detect entries such as JOHN|connect|ok|sysvol

Backup syslog server configuration

You can specify a backup syslog server

Listening IP address

Enter the IP address of the backup syslog server.

The following fields appear in both Windows Active Directory mode and Syslog server mode:

Maximum authentication durationDefine the maximum duration for the session of an authenticated user. After this period, the firewall will delete the user from its table of authenticated users, thereby logging out the user.
This duration is to be defined in seconds or minutes. It is set by default to 36000 seconds, or 10 hours.
Refresh user group updatesIf the Active Directory has been configured on the firewall (Directory configuration module), the firewall will check for possible changes made to LDAP directory groups. The firewall will then update its directory configuration then send this information to the SSO agent.
This duration defined in seconds, minutes or hours, is set by default to 3600 seconds, or 1 hour.
Disconnection detectionWith this option, authenticated users can be deleted when an associated host logs off or when a session is shut down. This test to detect which hosts are connected to the firewall is carried out either by pinging or by the registry database method.
If this method is not enabled, the user will only be disconnected after the defined authentication period, even if his session is shut down.
Detection method

Select a log off method from PING  or Registry database:

  • PING : the SSO agent tests the accessibility of all hosts authenticated on the firewall every 60 seconds by default.
    If it gets a host unreachable response or no response is received from an IP address after the defined period, the SSO agent will send a logout request to the firewall. The firewall will then will delete the user associated with this IP address from its table of authenticated users, logging the user out of the firewall.
  • Registry : the Registry database (BDR) is a database used by the Windows operating system to store information about the system’s configuration and installed software. This method makes it possible to detect a closed session on a host that is still running.
    If there is a positive response to the ping, the SSO agent will log in remotely to the host and check in the Registry database the list of users with a session open on the host. This makes it possible to update the firewall’s table of authenticated users.
Consider offline afterIf a host does not respond to the ping after this period, it will be considered disconnected. The firewall will then delete the user associated with this host from its table of authenticated users. This duration defined in seconds, minutes or hours, is set by default to 5 minutes.
Disconnection detectionWith this option, authenticated users can be deleted when an associated host logs off or when a session is shut down. This test to detect which hosts are connected to the firewall is carried out either by pinging or by the registry database method.
If this method is not enabled, the user will only be disconnected after the defined authentication period, even if his session is shut down.
Enable DNS host lookupWith this option, you can manage changes to the IP addresses of user workstations and authenticate users who have logged in to hosts that have several IP addresses.