Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single domain login to a workstation or through a Windows Terminal Services or Citrix server.
SonicWall security appliances provide SSO functionality using the SonicWall Single Sign-On Agent (SSO Agent) and the SonicWall Terminal Services Agent (TSA) to identify user activity. The SSO Agent identifies users based on workstation IP address. The TSA identifies users through a combination of server IP address, user name, and domain, because many users share the IP address of a single terminal server.
SonicWall SSO is also available for Mac and Linux users when used with Samba. Additionally, browser NTLM authentication allows SonicWall SSO to authenticate users who send HTTP traffic, without involving the SonicWall SSO Agent or Samba.
SonicWall SSO is configured in the Users > Settings page of the SonicOS management interface. SSO is separate from the Authentication method for login settings, which can be used at the same time for authentication of VPN/L2TP client users or administrative users.
SonicWall SSO Agent and TSA use a protocol compatible with SonicWall ADConnector and NDConnector, and automatically determine when a user has logged out to prevent unauthorized access. Based on data from SonicWall SSO Agent or TSA, the SonicWall security appliance queries LDAP or the local database to determine group membership. Memberships are optionally checked by firewall policies to control who is given access, and can be used in selecting policies for Content Filtering and Application Control to control what they are allowed to access. User names learned via SSO are reported in logs of traffic and events from the users, and in App Flow Monitoring.
The configured inactivity timer applies to SSO sessions, but the session limit does not; users who are logged out by the inactivity timer are automatically and transparently logged back in when they send further traffic.
Users logged into a workstation or Terminal Services/Citrix server directly, but not logged into the domain, are not authenticated unless they send HTTP traffic and browser NTLM authentication is enabled (although they can optionally be authenticated for limited access). For users who are not authenticated by SonicWall SSO, a screen is displayed indicating that a manual login to the appliance is required for further authentication.
Users that are identified but lack the group memberships required by the configured policy rules are redirected to the Access Barred page.
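As an added illustration (not SonicWall's code; the user names, IP addresses and the LDAP group table are constructed), this Python model shows the identify-then-authorize flow described above: identity keyed by workstation IP for the SSO Agent or by server IP, user and domain for the TSA, a group lookup, the inactivity timer with transparent re-identification, and the three outcomes (allowed, Access Barred, manual login).

```python
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    domain: str
    last_seen: float


class SsoModel:
    """Toy model of the SSO flow: identity from the agent (keyed by
    workstation IP) or the TSA (keyed by server IP, user and domain),
    group membership from a stand-in LDAP table, then a policy decision."""

    def __init__(self, ldap_groups, inactivity_timeout):
        self.ldap_groups = ldap_groups   # constructed: {(user, domain): {groups}}
        self.timeout = inactivity_timeout
        self.agent_view = {}             # ip -> (user, domain) the agent reports
        self.cache = {}                  # identity key -> Identity

    def workstation_login(self, ip, user, domain):
        self.agent_view[ip] = (user, domain)

    def workstation_logout(self, ip):
        # The agent detects the domain logout, so the appliance drops the user.
        self.agent_view.pop(ip, None)
        self.cache.pop(ip, None)

    def tsa_report(self, server_ip, user, domain, now):
        # TSA identity is per user, since many users share the server IP.
        self.cache[(server_ip, user, domain)] = Identity(user, domain, now)

    def _identity(self, key, now):
        ident = self.cache.get(key)
        if ident and now - ident.last_seen > self.timeout:
            del self.cache[key]          # inactivity timer logged the user out
            ident = None
        if ident is None and isinstance(key, str):
            reported = self.agent_view.get(key)   # re-ask the agent: transparent re-login
            if reported:
                ident = self.cache[key] = Identity(*reported, now)
        if ident:
            ident.last_seen = now
        return ident

    def decide(self, src_ip, required_group, now, ts_user=None, ts_domain=None):
        """Return 'allow', 'access_barred' or 'manual_login' for one flow."""
        key = (src_ip, ts_user, ts_domain) if ts_user else src_ip
        ident = self._identity(key, now)
        if ident is None:
            return "manual_login"        # not identified by SSO
        groups = self.ldap_groups.get((ident.user, ident.domain), set())
        return "allow" if required_group in groups else "access_barred"
```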
SonicWall SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWall SSO is transparent to end users and requires minimal administrator configuration.
By automatically determining when users have logged in or out based on workstation IP address traffic, or, for Terminal Services or Citrix, traffic from a particular user at the server IP address, SonicWall SSO is secure and hands-free. SSO authentication is designed to operate with any external agent that can return the identity of a user at a workstation or Terminal Services/Citrix server IP address using a SonicWall ADConnector-compatible protocol.
SonicWall SSO works for any service on the SonicWall security appliances that uses user-level authentication, including Content Filtering Service (CFS), Firewall Access Rules, group membership and inheritance, and security services (Application Control, IPS, GAV, and SPY) inclusion/exclusion lists.
Other benefits of SonicWall SSO include:
SonicWall SSO is available on SonicWall NSA Series appliances running SonicOS 5.0 or higher. The SonicWall SSO Agent is compatible with all versions of SonicOS that support SonicWall SSO. The SonicWall TSA is supported on SonicOS 5.6 and higher, running on SonicWall NSA Series and TZ 210 Series appliances.
The SonicWall SSO feature supports LDAP and local database protocols. SonicWall SSO supports SonicWall Directory Connector. SonicWall SSO can also interwork with ADConnector in an installation that includes a SonicWall CSM, but Directory Connector is recommended. For all features of SonicWall SSO to work properly, SonicOS 5.5 should be used with Directory Connector 3.1.7 or higher.
To use SonicWall SSO with Windows Terminal Services or Citrix, SonicOS 5.6 or higher is required, and SonicWall TSA must be installed on the server.
To use SonicWall SSO with browser NTLM authentication, SonicOS 5.8 or higher is required. The SonicWall SSO Agent is not required for browser NTLM authentication.
SonicWall SSO on SonicOS 5.5 and higher is compatible with SonicWall NDConnector for interoperability with Novell users. NDConnector is also available as part of Directory Connector.
Except when using only browser NTLM authentication, SonicWall SSO requires that the SSO Agent be installed on a server within your Windows domain that can reach the clients and can be reached from the appliance, either directly or through a VPN path, and/or that SonicWall TSA be installed on any terminal servers in the domain.
The SonicOS SSO feature is capable of working in Virtual Machine environments, but this is not officially supported, because the variety of potentially resource-consuming VM deployments makes it impracticable to test and verify all possible permutations.
The following requirements must be met in order to run the SSO Agent:
The following requirements must be met in order to run the SonicWall TSA: