SSO Agent

With Single Sign-On (SSO), users need to authenticate only once to access several services.

The SSO agent method requires the installation of the Stormshield Network SSO Agent application, a Windows service that allows Stormshield Network firewalls to benefit from transparent authentication on Windows Active Directory. Refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.

When users log in to the Windows domain by opening their sessions, they will automatically be authenticated on the firewall. The SSO agent gathers information on the user’s identity on the domain by connecting remotely to the event viewer on the domain controller. The SSO agent then relays this information to the firewall through an SSL connection, which updates its table of authenticated users.

From version 3 of the firmware onwards, up to 5 SSO agents can be declared, making it possible to manage authentication on 5 Windows Active Directory domains that have no trust relationship between them. These domains must be declared beforehand as external Microsoft Active Directory LDAP directories (Users > Directory configuration module). Additional SSO agents are named SSO Agent 1, SSO Agent 2, etc.

After having added this method, you can enter the information relating to its configuration.

SSO Agent

Domain name: Select the Microsoft Active Directory corresponding to the domain on which users will be authenticated. This directory must be configured beforehand through the Directory configuration module.

SSO Agent

IP address: IP address of the machine hosting Stormshield Network SSO Agent.
Port: By default, the object "agent_ad" is selected, corresponding to TCP port 1301.
Pre-shared key: This key is used for the SSL encryption of exchanges between the SSO agent (the machine hosting Stormshield Network SSO Agent) and the firewall.
Enter the pre-shared key (password) defined during the installation of the SSO agent.
Confirm pre-shared key: Confirm the pre-shared key/password typed in the previous field.
Pre-shared key strength: This field indicates the security level of your password: "Very Weak", "Weak", "Medium", "Good" or "Excellent". The use of uppercase and special characters is strongly advised.

SSO backup agent

The fields for configuring the backup SSO agent are the same as those for the main agent.

Domain controller

You will need to add all the domain controllers that control the selected Active Directory domain. They must be saved in the firewall’s object database.

Add a domain controller: Click to select or create the corresponding object.

Advanced properties

Select the mode in which the SSO agent to be contacted is installed: Windows Active Directory mode (agent installed on a workstation or on a Windows server) or Syslog server mode (agent installed on a Linux Ubuntu machine).

There are five additional fields to configure in Syslog server mode:

Listening IP address

Enter the IP address on which the syslog server listens.

Listening port

Enter the port on which the syslog server listens. The syslog network object is suggested by default.

IP address search (reg. expr.)

Enter the regular expression that will be used to search for IP addresses in logs hosted on the syslog server.

Example: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|

User search (reg. expr.)

Enter the regular expression that will be used to search for user names in logs hosted on the syslog server.

Example: JOHN\\([a-zA-Z0-9\.]*)\s will detect entries such as JOHN\john.doe (the backslash separating domain and user name is itself escaped in the pattern).

Message search (reg. expr.)

Enter the regular expression that will be used to search for connection messages in logs hosted on the syslog server.

Example: connect|ok will detect entries such as JOHN|connect|ok|sysvol. Note that an unescaped | in a regular expression is an alternation: this pattern matches any line containing either "connect" or "ok", including lines that contain "disconnect". To require the literal sequence, escape the separators: connect\|ok.

Backup syslog server configuration

You can specify a backup syslog server.

Listening IP address

Enter the IP address of the backup syslog server.
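The three Syslog server mode patterns above, applied to a few constructed log lines, as an added example in Python (not Stormshield's code; the SSO agent's own parser is not published on this page). The line format, host names and addresses are assumptions; the IP, user and message patterns are the ones printed on this page, and a stricter message pattern is shown beside the page's one to make the alternation caveat visible: `connect|ok` also accepts a line whose message is "disconnect".

```python
import re
from typing import List, Pattern, Tuple

# Patterns taken from the examples on this page.
IP_RE = re.compile(r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\|")
USER_RE = re.compile(r"JOHN\\([a-zA-Z0-9\.]*)\s")
MSG_RE_PAGE = re.compile(r"connect|ok")         # as printed: "connect" OR "ok", anywhere
MSG_RE_STRICT = re.compile(r"\|connect\|ok\|")  # literal "|connect|ok|" (assumed safer form)

# Constructed sample lines; the layout is a hypothetical syslog forwarding format.
SAMPLE_LOG = [
    r"Jan 10 09:12:01 dc01 sso: 10.1.2.15 | JOHN\john.doe |connect|ok|sysvol",
    r"Jan 10 09:12:05 dc01 sso: 10.1.2.16 | JOHN\alice.smith |connect|ok|netlogon",
    r"Jan 10 09:13:00 dc01 sso: 10.1.2.17 | JOHN\bob.jones |disconnect|ok|sysvol",
    r"Jan 10 09:13:30 dc01 sso: 10.1.2.18 | CORP\carol.white |connect|ok|sysvol",
    r"Jan 10 09:14:00 dc01 sso: noise line without any address",
]


def extract_logins(lines: List[str], ip_re: Pattern, user_re: Pattern,
                   msg_re: Pattern) -> List[Tuple[str, str]]:
    """Return (user, ip) pairs for lines that look like a connection message.

    A line is kept only when all three searches succeed: the message pattern
    identifies it as a logon, the IP pattern yields the host address and the
    user pattern yields the account in the configured domain (JOHN here).
    """
    logins = []
    for line in lines:
        if not msg_re.search(line):
            continue                      # not a connection message
        ip = ip_re.search(line)
        user = user_re.search(line)
        if ip is None or user is None:
            continue                      # other domain, or no address: ignored
        logins.append((user.group(1), ip.group(1)))
    return logins


def with_page_pattern() -> List[Tuple[str, str]]:
    # The alternation also accepts "disconnect", so bob.jones is wrongly logged on.
    return extract_logins(SAMPLE_LOG, IP_RE, USER_RE, MSG_RE_PAGE)


def with_strict_pattern() -> List[Tuple[str, str]]:
    # Requiring the literal "|connect|ok|" keeps only the two real logons.
    return extract_logins(SAMPLE_LOG, IP_RE, USER_RE, MSG_RE_STRICT)


if __name__ == "__main__":
    print("page pattern:  ", with_page_pattern())
    print("strict pattern:", with_strict_pattern())
```

The CORP\carol.white line is dropped because the user pattern is bound to the JOHN domain, which matches the page's requirement that each SSO agent handles one declared directory; the disconnect line shows why the message pattern should be anchored to the separators actually present in the forwarded logs.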

The following fields appear in both Windows Active Directory mode and Syslog server mode:

Maximum authentication duration: Define the maximum duration of an authenticated user's session. After this period, the firewall deletes the user from its table of authenticated users, thereby logging the user out.
This duration is defined in seconds or minutes; by default it is set to 36000 seconds (10 hours).
Refresh user group updates: If the Active Directory has been configured on the firewall (Directory configuration module), the firewall checks at this interval for changes made to LDAP directory groups, updates its directory configuration and sends this information to the SSO agent.
This duration, defined in seconds, minutes or hours, is set by default to 3600 seconds (1 hour).
Disconnection detection: With this option, authenticated users are deleted when the associated host logs off or when a session is shut down. The test that detects which hosts are still connected is carried out either by pinging or by the Registry database method.
If this option is not enabled, the user is only disconnected after the defined maximum authentication duration, even if the session has been shut down.
Detection method: Select a logoff detection method, PING or Registry database:

  • PING: the SSO agent tests the reachability of all hosts authenticated on the firewall, every 60 seconds by default.
    If it receives a "host unreachable" response, or no response at all from an IP address within the defined period, the SSO agent sends a logout request to the firewall. The firewall then deletes the user associated with this IP address from its table of authenticated users, logging the user out of the firewall.
  • Registry: the Registry database (BDR) is the database the Windows operating system uses to store information about the system's configuration and installed software. This method makes it possible to detect a closed session on a host that is still running.
    If the host answers the ping, the SSO agent logs in remotely to the host and reads from the Registry database the list of users with a session open on that host, then updates the firewall's table of authenticated users accordingly.
Consider offline after: If a host does not respond to the ping after this period, it is considered disconnected. The firewall then deletes the user associated with this host from its table of authenticated users. This duration, defined in seconds, minutes or hours, is set by default to 5 minutes.
Enable DNS host lookup: With this option, you can manage changes to the IP addresses of user workstations and authenticate users who have logged in to hosts that have several IP addresses.
Ignored administration accounts

In the firewall's factory configuration, there is a list of users whose authentication is ignored. It contains the usual logins dedicated to the administrator (Administrator and Administrateur by default).

This mechanism exists because the domain controller treats the execution of a service or an application under another account (the Run as administrator feature, for example) as an authentication. Since SN SSO Agent associates a single authenticated user with each IP address, such an authentication may replace the authentication of the user whose Windows session is open on that host.

The pre-set list of “Ignored Administrator accounts” allows SN SSO Agent to ignore their authentication. Edit it if necessary.
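A model of the firewall's table of authenticated users that exercises the rules described above (Maximum authentication duration, Disconnection detection with the PING method and Consider offline after) and the Ignored administration accounts mechanism, as an added example in Python. It is not Stormshield's code: the one-user-per-IP table, the timestamps, the account and address names are assumptions made for illustration; the default values (36000 s, 5 minutes, Administrator and Administrateur) are the ones quoted on this page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Defaults quoted on this page.
MAX_AUTH_DURATION = 36000        # "Maximum authentication duration": 10 hours
CONSIDER_OFFLINE_AFTER = 300     # "Consider offline after": 5 minutes
IGNORED_ADMIN_ACCOUNTS = {"Administrator", "Administrateur"}


@dataclass
class Session:
    user: str
    ip: str
    login_at: int     # seconds, time of the logon event relayed by the agent
    last_seen: int    # seconds, last time the host answered a ping


class AuthTable:
    """Simplified table of authenticated users, keyed by IP (assumption: one user per host)."""

    def __init__(self, detect_disconnection: bool = True,
                 ignored: Iterable[str] = IGNORED_ADMIN_ACCOUNTS,
                 max_duration: int = MAX_AUTH_DURATION,
                 offline_after: int = CONSIDER_OFFLINE_AFTER) -> None:
        self.sessions: Dict[str, Session] = {}
        self.detect_disconnection = detect_disconnection
        self.ignored = {u.lower() for u in ignored}
        self.max_duration = max_duration
        self.offline_after = offline_after

    def user_at(self, ip: str) -> Optional[str]:
        s = self.sessions.get(ip)
        return s.user if s else None

    def logon(self, user: str, ip: str, now: int) -> bool:
        """Logon event from the agent. A new logon on an IP replaces the user already
        authenticated there, which is why administration accounts must be ignored."""
        if user.lower() in self.ignored:
            return False
        self.sessions[ip] = Session(user, ip, now, now)
        return True

    def ping_result(self, ip: str, reachable: bool, now: int) -> None:
        """PING method: drop the user once the host has been unreachable for offline_after."""
        s = self.sessions.get(ip)
        if s is None or not self.detect_disconnection:
            return
        if reachable:
            s.last_seen = now
        elif now - s.last_seen >= self.offline_after:
            del self.sessions[ip]

    def expire(self, now: int) -> None:
        """Maximum authentication duration applies whether or not detection is enabled."""
        for ip, s in list(self.sessions.items()):
            if now - s.login_at >= self.max_duration:
                del self.sessions[ip]


def run_scenario() -> dict:
    """Constructed timeline for one hypothetical workstation, 10.1.2.15."""
    out = {}
    ip = "10.1.2.15"

    # 1. "Run as administrator" on john.doe's host is relayed as a logon of Administrator.
    t = AuthTable()
    t.logon("john.doe", ip, now=0)
    t.logon("Administrator", ip, now=60)
    out["user_with_ignore_list"] = t.user_at(ip)          # john.doe is kept
    naive = AuthTable(ignored=())
    naive.logon("john.doe", ip, now=0)
    naive.logon("Administrator", ip, now=60)
    out["user_without_ignore_list"] = naive.user_at(ip)   # john.doe is replaced

    # 2. PING detection: unreachable for less than 5 minutes keeps the user, 5 minutes drops it.
    t.ping_result(ip, True, now=100)
    t.ping_result(ip, False, now=300)
    out["present_after_200s_unreachable"] = t.user_at(ip) is not None
    t.ping_result(ip, False, now=400)
    out["present_after_300s_unreachable"] = t.user_at(ip) is not None

    # 3. Detection disabled: only the maximum authentication duration logs the user out.
    nd = AuthTable(detect_disconnection=False)
    nd.logon("john.doe", ip, now=0)
    nd.ping_result(ip, False, now=3600)
    out["present_without_detection_after_1h"] = nd.user_at(ip) is not None
    nd.expire(now=MAX_AUTH_DURATION)
    out["present_without_detection_after_10h"] = nd.user_at(ip) is not None
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Step 1 is the reason the ignore list exists: without it, a privileged action on the workstation would silently re-attribute the host's traffic to the Administrator account in the firewall's policies. Step 3 shows the cost of leaving Disconnection detection off: a host that disappears stays authenticated for the full 10 hours, so any host that later takes over that IP inherits the entry.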