How does single sign-on work?
03/26/2020
SonicWall SSO requires minimal administrator configuration and is transparent to the user. There are six steps involved in SonicWall SSO authentication, as illustrated in the figure below.
The SonicWall SSO authentication process is initiated when user traffic passes through a SonicWall security appliance, for example, when a user accesses the Internet. The sent packets are temporarily blocked and saved while the SonicWall security appliance sends a “User Name” request and workstation IP address to the authorization agent running the SSO Agent.
The authorization agent running the SSO Agent provides the SonicWall security appliance with the username currently logged into the workstation. A User IP Table entry is created for the logged in user, similar to RADIUS and LDAP.
Once a user has been identified, the SonicWall security appliance queries LDAP or a local database (based on administrator configuration) to find user group memberships, match the memberships against policy, and grant or restrict access to the user accordingly. Upon successful completion of the login sequence, the saved packets are sent on. If packets are received from the same source address before the sequence is completed, only the most recent packet will be saved.
User names are returned from the authorization agent running the SSO Agent in the format <domain>/<user-name>. For locally configured user groups, the user name can be configured to be the full name returned from the authorization agent running the SSO Agent (configuring the names in the SonicWall security appliance local user database to match) or a simple user name with the domain component stripped off (default).
For the LDAP protocol, the <domain>/<user-name> format is converted to an LDAP distinguished name by creating an LDAP search for an object of class “domain” with a “dc” (domain component) attribute that matches the domain name. If one is found, then its distinguished name will be used as the directory sub-tree to search for the user’s object. For example, if the user name is returned as “SV/bob” then a search for an object with “objectClass=domain” and “dc=SV” will be performed. If that returns an object with distinguished name “dc=sv,dc=us,dc=SonicWall,dc=com”, then a search under that directory sub-tree will be created for (in the Active Directory case) an object with “objectClass=user” and “sAMAccountName=bob”. If no domain object is found, then the search for the user object will be made from the top of the directory tree.
Once a domain object has been found, the information is saved to avoid searching for the same object. If an attempt to locate a user in a saved domain fails, the saved domain information will be deleted and another search for the domain object will be made.
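The name handling and the two-step LDAP lookup described above, as an added example rather than SonicWall's own code. The directory is a constructed in-memory stand-in for an LDAP server (the DNs under dc=example,dc=com are hypothetical), and `ldap_search` imitates a sub-tree search with case-insensitive attribute matching. It splits the agent's <domain>/<user-name> string, searches for the domain object by its dc attribute, searches that sub-tree for the user's sAMAccountName, falls back to the top of the tree when no domain object exists, caches the domain DN, and drops the cached entry and searches again when a lookup under it fails.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (hypothetical DNs and values): DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dc=sv,dc=us,dc=example,dc=com": {"objectClass": ["domain"], "dc": ["sv"]},
    "cn=bob,ou=Users,dc=sv,dc=us,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "cn=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
}


def split_agent_name(agent_name: str) -> Tuple[Optional[str], str]:
    """Split the '<domain>/<user-name>' string returned by the SSO Agent."""
    if "/" in agent_name:
        domain, user = agent_name.split("/", 1)
        return domain, user
    return None, agent_name


def local_user_name(agent_name: str, strip_domain: bool = True) -> str:
    """Name matched against the local user database: the full agent name,
    or (the default) the user name with the domain component stripped."""
    domain, user = split_agent_name(agent_name)
    return user if strip_domain or domain is None else agent_name


def ldap_search(base: str, **must_match: str) -> List[str]:
    """Stand-in for an LDAP sub-tree search: entries at or under `base`
    ('' means the top of the tree) whose attributes equal the given values.
    Matching is case-insensitive, as it is for dc and sAMAccountName."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = base == "" or dn == base or dn.endswith("," + base)
        if not in_scope:
            continue
        if all(any(v.lower() == want.lower() for v in attrs.get(attr, []))
               for attr, want in must_match.items()):
            hits.append(dn)
    return hits


class SsoLdapResolver:
    """Resolve SSO Agent names to user DNs, saving each domain's DN once
    found and re-searching for it when a lookup under the saved DN fails."""

    def __init__(self) -> None:
        self.domain_cache: Dict[str, str] = {}  # lower-cased domain -> DN

    def _domain_base(self, domain: Optional[str]) -> str:
        if domain is None:
            return ""
        key = domain.lower()
        if key not in self.domain_cache:
            found = ldap_search("", objectClass="domain", dc=domain)
            if not found:  # no domain object: search from the top of the tree
                return ""
            self.domain_cache[key] = found[0]
        return self.domain_cache[key]

    def resolve(self, agent_name: str) -> Optional[str]:
        domain, user = split_agent_name(agent_name)
        base = self._domain_base(domain)
        users = ldap_search(base, objectClass="user", sAMAccountName=user)
        if not users and domain is not None and domain.lower() in self.domain_cache:
            # Lookup under a saved domain failed: forget it and search again.
            del self.domain_cache[domain.lower()]
            base = self._domain_base(domain)
            users = ldap_search(base, objectClass="user", sAMAccountName=user)
        return users[0] if users else None


if __name__ == "__main__":
    resolver = SsoLdapResolver()
    print(local_user_name("SV/bob"), resolver.resolve("SV/bob"))
    print(resolver.resolve("NOSUCH/alice"))  # falls back to the tree root
```

The stale-cache path is worth exercising: pre-seeding `domain_cache` with a wrong DN for "sv" makes the user search fail, after which the resolver discards the entry, searches for the domain object again and finds the user on the second pass.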
The SonicWall security appliance polls the authorization agent running the SSO Agent at a configurable rate to determine when a user has logged out. Configurable user session limits, inactivity timers, and user name request polls are other methods of determining user logout status. Upon user logout, the authorization agent running the SSO Agent sends a User Logged Out response to the SonicWall security appliance, confirming that the user has been logged out and terminating the SSO session.
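A simplified model of the hold-and-release flow from the six steps above together with the logout poll from this paragraph, added here as an example and not SonicWall's own code. The SSO Agent is replaced by a constructed lookup table from workstation IP to logged-in user (hypothetical addresses and names), group membership and policy are constructed dictionaries, and the appliance is reduced to the parts the article describes: packets from an unidentified source are held with only the most recent one kept, identification creates a User IP Table entry and applies group policy before forwarding the held packet, and a poll that no longer returns a user for an IP terminates that session.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-ins (hypothetical values): SSO Agent answers per IP,
# group memberships, and the groups a policy permits.
AGENT_LOGINS: Dict[str, Optional[str]] = {"10.0.0.5": "SV/bob", "10.0.0.9": "SV/alice"}
GROUPS: Dict[str, Set[str]] = {"bob": {"Engineering"}, "alice": {"Contractors"}}
POLICY_ALLOWED_GROUPS: Set[str] = {"Engineering"}


class SsoAppliance:
    """Minimal model of the appliance side of SonicWall SSO."""

    def __init__(self, agent_lookup: Callable[[str], Optional[str]]) -> None:
        self.agent_lookup = agent_lookup          # asks the SSO Agent for an IP's user
        self.held: Dict[str, str] = {}            # src IP -> most recent held packet
        self.user_ip_table: Dict[str, str] = {}   # src IP -> identified user

    @staticmethod
    def allowed(user: str) -> bool:
        """Grant or restrict access by matching group memberships to policy."""
        return bool(GROUPS.get(user, set()) & POLICY_ALLOWED_GROUPS)

    def on_packet(self, src_ip: str, packet: str) -> List[str]:
        """Traffic from an identified IP is policy-checked and forwarded;
        traffic from an unknown IP is held, a newer packet replacing the
        older one, until the login sequence for that IP completes."""
        user = self.user_ip_table.get(src_ip)
        if user is not None:
            return [packet] if self.allowed(user) else []
        self.held[src_ip] = packet
        return []

    def complete_login(self, src_ip: str) -> List[str]:
        """Ask the agent for the user name, create the User IP Table entry,
        apply policy, and send on the saved packet (or drop it)."""
        name = self.agent_lookup(src_ip)
        saved = self.held.pop(src_ip, None)
        if name is None:          # nobody identified: nothing is released
            return []
        user = name.split("/", 1)[-1]   # strip the domain component (default)
        self.user_ip_table[src_ip] = user
        if saved is None or not self.allowed(user):
            return []
        return [saved]

    def poll_logout(self) -> List[str]:
        """Poll the agent; IPs that no longer report a user have their
        session terminated and their User IP Table entry removed."""
        ended = []
        for ip in list(self.user_ip_table):
            if self.agent_lookup(ip) is None:
                del self.user_ip_table[ip]
                ended.append(ip)
        return ended


if __name__ == "__main__":
    appliance = SsoAppliance(AGENT_LOGINS.get)
    appliance.on_packet("10.0.0.5", "syn-1")
    appliance.on_packet("10.0.0.5", "syn-2")      # replaces syn-1
    print(appliance.complete_login("10.0.0.5"))   # ['syn-2']
    AGENT_LOGINS["10.0.0.5"] = None               # user logs off the workstation
    print(appliance.poll_logout())                # ['10.0.0.5']
```

Each packet-handling method returns the list of packets it forwards, so the effect of holding, releasing, denying and terminating can be checked directly rather than by inspecting printed output.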