Difference between revisions of "Integrate Active Directory For SSO Authentication"

From Secure Web Gateway

Latest revision as of 15:32, 3 December 2019

Overview

In this example we integrate an Active Directory server for SSO authentication.

Your Active Directory (AD) FQDN: ad.safesquid.test (get your AD FQDN on the AD server from Start > Control Panel > System > Full Computer name)

Your Active Directory (AD) IP address: 192.168.221.1

Domain of Active Directory (AD): safesquid.test

Base DN of AD: dc=safesquid,dc=test

User name: administrator@safesquid.test (the user name should be any AD user with administrative permissions)

The Monit service must be up. Verify it using the command:

root@sabproxy:~# pidof monit
19940

See the Integrate LDAP page (http://2017.swg.safesquid.com/index.php/Integrate_LDAP), where the working of each field in the Integrate LDAP section is explained.

Prerequisites

Make sure that all the values entered during configuration (LDAP server FQDN, LDAP server IP, user name, password, base DN, domain) are correct. If any value is wrong, SafeSquid will fail to fetch the entries.

Step 1: Specify Name Server Addresses. Follow Link

Step 2: Specify Time Synchronization Server. Follow Link
(Note: the clocks of the AD server and the proxy server must be synchronized. Verify it with the "date" command on both.)

Step 3: Add a DNS entry for the SafeSquid server in your Active Directory server. Follow Link

Step 4: Make sure that your AD domain is resolvable from all clients and from the SafeSquid server. For troubleshooting, Follow Link

Once you have completed all the above steps correctly, you are ready for the SSO configuration.

Access the SafeSquid User Interface

AD integration common1.png

Go to Application Setup

AD integration common2.png

Go to Integrate LDAP

AD integration common3.png

Ensure LDAP Section is enabled

AD integration common4.png

AD integration common5.png

AD integration common6.png

AD integration common7.png

Go to LDAP servers

AD integration common8.png

Creating new entry

AD integration common9.png

SSO Auth10.png

SSO Auth11.png

Why?

In a network with multiple LDAP servers and multiple SafeSquid proxy servers deployed in Master-Slave mode, this field specifies the host name of the proxy server that will communicate with the LDAP server configured here.
Leave this field blank if this is the only SafeSquid proxy, or if you want all the proxies to communicate with the configured LDAP server.

SSO Auth12.png

SSO Auth13.png

SSO Auth14.png

SSO Auth15.png

You can use any user from Active Directory who has Administrator permissions.

SSO Auth16.png

SSO Auth17.png

SSO Auth18.png

SSO Auth19.png

SSO Auth20.png

SSO Auth21.png

SSO Auth22.png

Test User Extraction

Troubleshooting:

As soon as you save the policy with NEGOTIATE_LDAP_AUTH selected, the kerberos.sh script runs automatically from /usr/local/safesquid/ui_root/cgi-bin.

1. Verify that the following files exist at /usr/local/safesquid/security:

HTTP.keytab
krb5.conf
krb.tkt

2. SafeSquid creates a stub zone for DNS resolution of your Active Directory server.

The stub zone file is created with the name safesquid.dns.conf

at path:

/usr/local/safesquid/security/dns

Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {192.168.221.1;};
 };

It is also copied automatically to:

/etc/bind/

Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {192.168.221.1;};
 };

(Note: the Monit service must be up.)
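The post-save checks above (Monit, the three Kerberos files, the stub zone in both locations) and the prerequisite that the AD FQDN resolves from the proxy can be run in one go with this added script; it is not SafeSquid's own kerberos.sh and assumes the page's example values for AD_FQDN, AD_IP and AD_DOMAIN together with the paths the page names.

```shell
#!/bin/sh
# Added example, not SafeSquid's own script: runs the checks this page lists
# after NEGOTIATE_LDAP_AUTH is saved (monit, Kerberos files, stub zone in both
# places) plus the prerequisite that the AD FQDN resolves from the proxy.
# AD_FQDN, AD_IP and AD_DOMAIN are the page's example values; use your own.
AD_FQDN="ad.safesquid.test"
AD_IP="192.168.221.1"
AD_DOMAIN="safesquid.test"
SEC_DIR="/usr/local/safesquid/security"

# 0 when every file kerberos.sh should have produced exists and is non-empty.
check_kerberos_files() {
    for f in HTTP.keytab krb5.conf krb.tkt; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
}

# 0 when FILE declares DOMAIN as a stub zone whose master is IP; whitespace is
# stripped first so the exact layout of the bind snippet does not matter.
check_stub_zone() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 1; }
    flat=$(tr -d ' \t\r\n' < "$1")
    case "$flat" in
        *"zone$2{"*"typestub;"*"masters{$3;};"*) return 0 ;;
        *"zone\"$2\"{"*"typestub;"*"masters{$3;};"*) return 0 ;;
    esac
    echo "no stub zone for $2 with master $3 in $1" >&2
    return 1
}

# 0 when the security/dns copy and the /etc/bind copy are byte-identical.
check_zone_copies() { cmp -s "$1" "$2"; }

main() {
    rc=0
    pidof monit >/dev/null || { echo "monit is not running" >&2; rc=1; }
    check_kerberos_files "$SEC_DIR" || rc=1
    src="$SEC_DIR/dns/safesquid.dns.conf"; dst="/etc/bind/safesquid.dns.conf"
    check_stub_zone "$src" "$AD_DOMAIN" "$AD_IP" || rc=1
    check_stub_zone "$dst" "$AD_DOMAIN" "$AD_IP" || rc=1
    check_zone_copies "$src" "$dst" || { echo "$src and $dst differ" >&2; rc=1; }
    getent hosts "$AD_FQDN" >/dev/null || { echo "$AD_FQDN does not resolve" >&2; rc=1; }
    return "$rc"
}

# Live checks run only with --run, so the functions can also be sourced/tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it on the proxy as root with `--run`; a non-zero exit with messages on stderr points at the item from the list above that still needs fixing.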

SSO Auth23.png

Step: Make sure that your AD domain is resolvable from all clients and from the SafeSquid server.

For troubleshooting, Follow Link

Simple auth23.png

Save Configuration

If you do not find any entries in the LDAP Entries subsection, validate whether all fields in the LDAP servers subsection are correct.

If all fields are correct, find the cause of the error:

Troubleshooting Steps

Simple auth24.png

When you click Save config, a prompt asks you to confirm storing your configuration in the cloud.
Select Yes only in the following cases:
  •  if you want to use this same configuration in other SafeSquid instances;
  •  if your total configuration in all sections is completed and validated.

Otherwise select No and click the Submit button.


Enable SSO authentication for LDAP users

Read more about Testing your Kerberos SSO authentication setup