User Management
1002
SonicOS 5.8.1 Administrator Guide
Single Sign-On Overview
This section provides an introduction to the SonicWALL SonicOS Enhanced Single Sign-On
feature. This section contains the following subsections:
• “What Is Single Sign-On?” on page 1002
• “Benefits of SonicWALL SSO” on page 1003
• “Platforms and Supported Standards” on page 1003
• “How Does Single Sign-On Work?” on page 1005
• “How Does SonicWALL SSO Agent Work?” on page 1008
• “How Does SonicWALL Terminal Services Agent Work?” on page 1011
• “How Does Browser NTLM Authentication Work?” on page 1013
What Is Single Sign-On?
Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged
access to multiple network resources with a single domain login to a workstation or through a
Windows Terminal Services or Citrix server.
SonicWALL security appliances provide SSO functionality using the SonicWALL Single Sign-On
Agent (SSO Agent) and SonicWALL Terminal Services Agent (TSA) to identify user activity.
The SonicWALL Single Sign-On Agent (SSO Agent) identifies users based on workstation IP
address. The SonicWALL TSA identifies users through a combination of server IP address,
user name, and domain.
SonicWALL SSO is also available for Mac and Linux users when used with Samba. Additionally,
browser NTLM authentication allows SonicWALL SSO to authenticate users who send HTTP
traffic, without involving the SonicWALL SSO Agent or Samba.
SonicWALL SSO is configured in the Users > Settings page of the SonicOS management
interface. SSO is separate from the Authentication method for login settings, which can be
used at the same time for authentication of VPN/L2TP client users or administrative users.
SonicWALL SSO Agent and TSA use a protocol compatible with SonicWALL ADConnector and
NDConnector, and automatically determine when a user has logged out to prevent
unauthorized access. Based on data from SonicWALL SSO Agent or TSA, the SonicWALL
security appliance queries LDAP or the local database to determine group membership.
Memberships are optionally checked by firewall policies to control who is given access, and can
be used in selecting policies for Content Filtering and Application Control to control what they
are allowed to access. User names learned via SSO are reported in logs of traffic and events
from the users, and in App Flow Monitoring.
The configured inactivity timer applies with SSO, but the session limit does not; users who are
logged out are automatically and transparently logged back in when they send further traffic.
Users logged into a workstation or Terminal Services/Citrix server directly but not logged into
the domain will not be authenticated unless they send HTTP traffic and browser NTLM
authentication is enabled (although they can optionally be authenticated for limited access). For
users that are not authenticated by SonicWALL SSO, a screen will display indicating that a
manual login to the appliance is required for further authentication.
Users that are identified but lack the group memberships required by the configured policy rules
are redirected to the Access Barred page.
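To make the identification-and-policy flow described above concrete, here is an added Python model of it (illustrative code, not SonicOS or SSO Agent code): a per-IP user table with an inactivity timer and no session limit, transparent re-identification via the agent when traffic arrives from a logged-out IP, an LDAP-style group lookup, and the three outcomes the text names (allow, Access Barred, manual login required). The agent and LDAP answers, IPs, user names and group names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the SSO Agent and LDAP answers.
AGENT_LOOKUP = {              # workstation IP -> domain user reported by the SSO Agent
    "10.1.1.10": "CORP\\alice",
    "10.1.1.11": "CORP\\bob",
    # 10.1.1.12 is logged in to the workstation only, not the domain: agent reports no user
}
LDAP_GROUPS = {               # domain user -> group memberships (constructed)
    "CORP\\alice": {"Domain Users", "Engineering"},
    "CORP\\bob": {"Domain Users"},
}
INACTIVITY_TIMEOUT = 15 * 60  # seconds; assumed value for the configurable inactivity timer


@dataclass
class SsoTable:
    """Per-IP record of SSO-identified users: inactivity timer applies, no session limit."""
    sessions: dict = field(default_factory=dict)  # ip -> (user, last_seen)

    def identify(self, ip, now):
        """Return the domain user for this IP, or None if SSO cannot identify one."""
        user, last_seen = self.sessions.get(ip, (None, None))
        if user is not None and now - last_seen > INACTIVITY_TIMEOUT:
            del self.sessions[ip]           # logged out by the inactivity timer
            user = None
        if user is None:
            user = AGENT_LOOKUP.get(ip)     # ask the agent again: transparent re-login
            if user is None:
                return None
        self.sessions[ip] = (user, now)     # refresh the inactivity timer on traffic
        return user

    def decide(self, ip, required_group, now):
        """Policy outcome for traffic from ip when the rule requires required_group."""
        user = self.identify(ip, now)
        if user is None:
            return "manual login required"  # not identified by SSO: show the login screen
        if required_group not in LDAP_GROUPS.get(user, set()):
            return "access barred"          # identified, but lacks the required membership
        return f"allow {user}"
```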