How can I configure Single Sign-On on SonicWall firewall?
10/14/2021
Description
Configuring SSO is a process that includes the following steps:
- Installing the SonicWall SSO Agent software on a workstation and/or the SonicWall Terminal Services Agent (TSA).
- Configuring a SonicWall security appliance running SonicOS Enhanced (Users | Settings page) to use the SSO Agent or TSA.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Login to your SonicWall security appliance.
- Navigate to DEVICE | Users | Settings.
- In the Single-sign-on method select SonicWall SSO Agent.
- Click the Configure SSO button. Click ADD under SSO Agents.
- In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWall SSO Agent is installed.
- In Port, enter the port number of the workstation on which SonicWall SSO Agent is installed. The default port is 2258.
- In the Shared Key field, enter the shared key that you created or generated in the SonicWall SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
- In the Timeout (seconds) field, enter a number of seconds before the authentication attempt times out.
- In the Retries field, enter the number of authentication attempts.
- Click Save.
- Click Users tab. The User Settings page displays.
- Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.
- Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
- Check the box next to Allow limited access for non-domain users to allow limited access to users who are logged in to a computer but not into a domain. These users will not be given access to the Trusted Users user group. They are identified in logs as computer-name/user-name. When local authentication is used and the Simple user names in local database option is disabled, these user names must be configured in the local database using the full computer-name/user-name identification.
- To use LDAP to retrieve user information, select the Use LDAP to retrieve user group information radio button. Click Configure to configure the LDAP settings. The LDAP Configuration page displays.
- To use local configuration, select the Local configuration radio button.
- In the Polling rate (minutes) field, enter a polling interval, in minutes, that the security appliance will poll the workstation running SSO Agent to verify that users are still logged on.
- In the Hold time after (minutes) field, enter a time, in minutes, that the security appliance will wait before trying again to identify traffic after an initial failure to do so. This feature rate-limits requests to the agent.
- Click on the Content Filter tab if you are using the SonicWall Content Filtering Service (CFS) and there is a proxy server in your network.
- Click Save.
NOTE: The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWall security appliance.
To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pulldown menu.
NOTE: This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWall from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses.
- Click the Test tab. The Test Authentication Agent Settings page displays.
- Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.
- Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test whether the agent is properly configured to identify the user logged into that workstation.
NOTE: Performing tests on this page applies any changes that have been made.
TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Login to your SonicWall security appliance.
- Navigate to MANAGE | Users | Settings.
- In the Single-Sign-On Method field, select SSO Agent.
- Click the Configure SSO button. Click ADD under SSO Agents.
- In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWall SSO Agent is installed.
- In Port, enter the port number of the workstation on which SonicWall SSO Agent is installed. The default port is 2258.
- In the Shared Key field, enter the shared key that you created or generated in the SonicWall SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
- In the Timeout (seconds) field, enter a number of seconds before the authentication attempt times out.
- In the Retries field, enter the number of authentication attempts.
- Click Users tab. The User Settings page displays.
- Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.
- Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
- Check the box next to Allow limited access for non-domain users to allow limited access to users who are logged in to a computer but not into a domain. These users will not be given access to the Trusted Users user group. They are identified in logs as computer-name/user-name. When local authentication is used and the Simple user names in local database option is disabled, these user names must be configured in the local database using the full computer-name/user-name identification.
- To use LDAP to retrieve user information, select the Use LDAP to retrieve user group information radio button. Click Configure to configure the LDAP settings. The LDAP Configuration page displays.
- To use local configuration, select the Local configuration radio button.
- In the Polling rate (minutes) field, enter a polling interval, in minutes, that the security appliance will poll the workstation running SSO Agent to verify that users are still logged on.
- In the Hold time after (minutes) field, enter a time, in minutes, that the security appliance will wait before trying again to identify traffic after an initial failure to do so. This feature rate-limits requests to the agent.
- Click on the Content Filter tab if you are using the SonicWall Content Filtering Service (CFS) and there is a proxy server in your network.
NOTE: The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWall security appliance.
- To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pulldown menu.
NOTE: This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWall from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses.
- Click the Test tab. The Test Authentication Agent Settings page displays.
- Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.
- Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test whether the agent is properly configured to identify the user logged into that workstation.
NOTE: Performing tests on this page applies any changes that have been made.
TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.
- When you are finished, click OK.
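The two settings that most often trip up the SSO Agent configuration above (in both the SonicOS 7.X and 6.5 procedures) are the shared key, which must match exactly, and the Simple user names in local database option, which decides whether the domain or computer-name component of an agent-reported name is ignored. The following is an added example that models those two checks; it is not SonicWall code, and the field names, the assumed agent name formats (DOMAIN\user and computer-name/user-name) and the sample values are assumptions drawn from the article text.

```python
# Added example, not SonicWall code: a model of two checks the article describes.
# Agent name formats "DOMAIN\user" and "computer-name/user-name" are assumptions.
from dataclasses import dataclass


@dataclass
class SsoAgentSettings:
    address: str                # Name or IP Address of the workstation running the agent
    shared_key: str
    confirm_shared_key: str
    port: int = 2258            # default SSO Agent port stated in the article
    timeout_seconds: int = 10   # assumed sample values for Timeout and Retries
    retries: int = 3


def validate_agent_settings(s: SsoAgentSettings) -> list[str]:
    """Return the problems an admin should catch before clicking Save."""
    errors = []
    if not s.address.strip():
        errors.append("Name or IP Address is required")
    if not 1 <= s.port <= 65535:
        errors.append("Port must be 1-65535")
    if not s.shared_key:
        errors.append("Shared Key is empty")
    elif s.shared_key != s.confirm_shared_key:   # must match exactly, case included
        errors.append("Shared Key and Confirm Shared Key differ")
    if s.timeout_seconds <= 0:
        errors.append("Timeout (seconds) must be positive")
    if s.retries < 1:
        errors.append("Retries must be at least 1")
    return errors


def simple_name(full_name: str) -> str:
    """Drop the domain or computer-name component: 'CORP\\alice' -> 'alice',
    'PC01/alice' -> 'alice' (both separator forms are assumptions)."""
    return full_name.replace("\\", "/").rsplit("/", 1)[-1]


def local_user_matches(agent_name: str, local_name: str, simple_user_names: bool) -> bool:
    """Does a name reported by the agent match a local-database entry?

    With 'Simple user names in local database' enabled the domain component is
    ignored; otherwise the local entry must equal the agent's full name exactly,
    including the domain or computer-name part, as the article states."""
    if simple_user_names:
        return simple_name(agent_name) == simple_name(local_name)
    return agent_name == local_name
```

Running the checks against a constructed agent entry shows why a non-domain user identified as PC01/bob only matches a local entry "bob" when simple user names are enabled.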