How to Force User Login when SSO fails with CFS, IPS, App Rules, etc.
03/26/2020
This article describes the method to make the SonicWall prompt for username and password when Single Sign On (SSO) fails with CFS, IPS, App Rules, etc.
If there are multiple CFS policies, or if IPS, App Rules, App Control, Anti-Spyware or DPI-SSL have policies that include or exclude particular users or user groups, the SonicWall initiates SSO to identify the user behind each flow. If SSO fails to identify a user, that user is still given access, but only the default CFS policy is applied and the user-specific IPS policy, App Rule and so on are not. What if you instead want every user authenticated before being allowed out, so that on SSO failure the user is forced to log in via the web login page before being given access?
Achieving that requires access rules used in conjunction with the above services.
Set an access rule that requires users to be authenticated. This rule initiates SSO. If SSO fails to identify the user, the traffic is blocked and, in the case of HTTP, the user is redirected to the login page.
That can be done in two ways:
Option 1: Change Users Allowed in the default LAN -> WAN rule from All to Everyone or Trusted Users. Then add rules, with Users Allowed set to All, for any traffic that unidentified users must still be able to send (DNS, email, ...); these more specific rules must sit above the default rule in the access rule table, otherwise that traffic is also blocked when SSO fails.
Option 2: Leave the default LAN -> WAN rule allowing All users. Add a rule allowing HTTP and HTTPS from addresses Any to Any, with Users Allowed set to Everyone or Trusted Users. Because the default rule allows All users, this more specific rule must have higher priority than the default rule in the access rule table; if the default rule is matched first, no login is ever forced, so check the rule's position after adding it. You can include other services along with HTTP/HTTPS in this rule if you don't want them to be used by unauthenticated users.
Note: Change the source zone(s) as applicable where LAN is shown above.
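The following is an added example, not code from SonicWall or from this article: a small first-match model of an access rule table that walks a flow through the two option rule sets above with an identified and an unidentified (SSO failed) user. It shows why Option 1 needs explicit All-user exemption rules for DNS and email, and why in Option 2 the HTTP/HTTPS rule only has an effect when it is ordered above the Allow-All default rule. Rule names, the field layout, the exemption services and the user name are this example's own assumptions; the real appliance is configured through its Access Rules table, not through this code.

```python
"""First-match model of a firewall access rule table (constructed example).

Not SonicOS code. SonicOS consults its Access Rules table top to bottom and
applies the first matching rule; this model does the same, so that the effect
of rule order and of the Users Allowed setting can be checked offline.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = "Any"                 # service wildcard
ALL_USERS = "All"           # Users Allowed: All (no authentication required)
TRUSTED = "Trusted Users"   # Users Allowed: an authenticated-user group


@dataclass(frozen=True)
class Rule:
    name: str                   # hypothetical label, for the output only
    src_zone: str
    dst_zone: str
    services: FrozenSet[str]    # set of service names, or frozenset({ANY})
    users_allowed: str          # ALL_USERS or a group such as TRUSTED
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    user: Optional[str]         # None means SSO could not identify the user


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and (ANY in rule.services or flow.service in rule.services))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Disposition of `flow` under `rules`, first matching rule wins.

    A rule whose Users Allowed is not All requires an identified user. When
    SSO has failed (flow.user is None) the flow is blocked; for HTTP the
    client is redirected to the web login page instead of simply dropped.
    """
    for rule in rules:
        if not matches(rule, flow):
            continue
        if rule.action != "allow":
            return f"deny by {rule.name}"
        if rule.users_allowed != ALL_USERS and flow.user is None:
            if flow.service == "HTTP":
                return f"redirect to login ({rule.name})"
            return f"block, login required ({rule.name})"
        return f"allow by {rule.name}"
    return "deny (no matching rule)"


WEB = frozenset({"HTTP", "HTTPS"})
EXEMPT = frozenset({"DNS", "SMTP", "IMAP"})   # assumed traffic left open to All

# Option 1: the default LAN->WAN rule demands authentication; the exemption
# rule for DNS/email sits above it so unidentified users keep those services.
OPTION1 = [
    Rule("LAN>WAN exemptions", "LAN", "WAN", EXEMPT, ALL_USERS),
    Rule("LAN>WAN default", "LAN", "WAN", frozenset({ANY}), TRUSTED),
]

# Option 2: the default rule stays open to All; a more specific web rule
# above it forces login for HTTP/HTTPS only.
OPTION2 = [
    Rule("LAN>WAN web auth", "LAN", "WAN", WEB, TRUSTED),
    Rule("LAN>WAN default", "LAN", "WAN", frozenset({ANY}), ALL_USERS),
]

# The misconfiguration to check for: the same two rules, but with the
# Allow-All default rule evaluated first, so the web rule is never reached.
OPTION2_MISORDERED = list(reversed(OPTION2))


def unidentified(service: str) -> Flow:
    return Flow("LAN", "WAN", service, user=None)


def identified(service: str) -> Flow:
    return Flow("LAN", "WAN", service, user="alice")  # assumed user name


def sso_failed_summary(rules: List[Rule]) -> dict:
    """Disposition per service for a user SSO could not identify."""
    return {svc: evaluate(rules, unidentified(svc))
            for svc in ("HTTP", "HTTPS", "DNS", "SMTP", "SSH")}


if __name__ == "__main__":
    for label, rules in (("Option 1", OPTION1), ("Option 2", OPTION2),
                         ("Option 2 misordered", OPTION2_MISORDERED)):
        print(label)
        for svc, result in sso_failed_summary(rules).items():
            print(f"  {svc:<6} {result}")
```

Running the model prints, per option, what an unidentified user gets for each service. The misordered Option 2 table is the case to look for after adding the HTTP/HTTPS rule on the appliance: every service is allowed by the default rule and the login page is never presented.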