Testing your Kerberos SSO authentication setup

From Secure Web Gateway
Latest revision as of 17:49, 2 December 2019

 

Configure Authentication in SafeSquid’s Access Restrictions

SafeSquid's WebGUI is used to create and modify the policy configuration. The WebGUI can be accessed from any authorized system, as defined in the Access Restrictions configuration section (by default ALL are allowed). To ensure that we do not get locked out, we will in the following steps configure the Access Restrictions section of SafeSquid to enable SSO authentication, and then enable authentication only for our Test Client windows7.safesquid.test (my client machine). You may choose AD browser for testing purposes.

My Test Client machine: windows7.safesquid.test (it must be joined to your domain and its name must be resolvable; verify time synchronization).

We have already done the Preparatory Steps (verify them once before setting the proxy): https://docs.safesquid.com/wiki/Validate_IP_addresses_and_the_systems_are_reachable_on_the_network#Getting_Started_-_The_Preparatory_StepsPreparatory%20Steps

  1. Configure your Internet browser to use sabproxy.safesquid.test : <port_usually_8080> as your proxy server.

Note: You should NOT be using the <IP address>:<port> format now. Always use the FQDN of the proxy server.
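The three preparatory conditions above (proxy configured by FQDN rather than IP, the FQDN resolvable from the client, clocks in sync) are exactly what a Kerberos ticket request for the proxy depends on: the browser asks the KDC for a ticket to the service principal HTTP/<proxy-fqdn>, so an IP literal gives it nothing to request, and a KDC rejects authenticators whose timestamp is outside its skew tolerance (5 minutes by default). The following is an added example, not SafeSquid's code or anything from the original page, that turns those checks into a small preflight script. The 5-minute skew figure is the standard Kerberos default; the resolver is injectable so the logic can be exercised offline; proxy name, realm and addresses are the ones used on this page.

```python
import ipaddress
import socket
import time

# Default clock-skew tolerance of Kerberos KDCs (MIT and Active Directory): 300 s.
KERBEROS_MAX_SKEW_SECONDS = 300


def proxy_spn(proxy_setting):
    """Derive the service principal name the browser will request for a proxy
    setting written as 'host:port' (or just 'host').

    Returns 'HTTP/<fqdn>' for a host name, or None when the setting is an IP
    literal: there is no HTTP/<ip> SPN to obtain a ticket for, so integrated
    authentication to the proxy cannot happen and the browser falls back.
    """
    setting = proxy_setting.strip()
    host, sep, port = setting.rpartition(":")
    if not sep or not port.isdigit():
        host = setting            # no ':' at all, or the ':' was not a port separator
    host = host.strip().strip("[]")   # tolerate a bracketed IPv6 literal
    try:
        ipaddress.ip_address(host)
        return None               # IP literal: no SPN can be derived
    except ValueError:
        return "HTTP/" + host.lower()


def clock_skew_ok(client_ts, kdc_ts, max_skew=KERBEROS_MAX_SKEW_SECONDS):
    """True when the client and KDC clocks (epoch seconds) are within the allowed skew."""
    return abs(client_ts - kdc_ts) <= max_skew


def preflight(proxy_setting, client_ts, kdc_ts, resolve=socket.gethostbyname):
    """Run the pre-proxy checks; returns a list of findings (empty means all good).
    `resolve` is injectable so the check can be tested without DNS."""
    findings = []
    spn = proxy_spn(proxy_setting)
    if spn is None:
        findings.append(
            f"proxy '{proxy_setting}' is an IP address: the browser cannot request a "
            "Kerberos ticket for it; configure the proxy by FQDN instead")
    else:
        fqdn = spn.split("/", 1)[1]
        try:
            resolve(fqdn)
        except OSError:
            findings.append(f"{fqdn} does not resolve from this client; fix DNS before testing")
    if not clock_skew_ok(client_ts, kdc_ts):
        findings.append(
            f"clock skew of {abs(client_ts - kdc_ts):.0f}s exceeds {KERBEROS_MAX_SKEW_SECONDS}s; "
            "the KDC will reject authenticators until the client time is synchronized")
    return findings


if __name__ == "__main__":
    # Live run with the real resolver. Replace kdc_ts with the time read from your
    # domain controller (e.g. via `net time` on Windows) for a meaningful skew check;
    # here it is assumed equal to the local clock.
    now = time.time()
    problems = preflight("sabproxy.safesquid.test:8080", now, now)
    for finding in problems:
        print("FAIL:", finding)
    if not problems:
        print("preflight OK")
```

Run it on the test client before configuring the browser; any FAIL line must be fixed first, because the symptoms later (an unexpected authentication prompt, or log lines without a principal) look the same whichever of the three conditions is broken.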

[Screenshot: SSOproxy.PNG]
 

Access the SafeSquid User Interface

Go to Configure Page

[Screenshot: Go to configure page.png]

Go to Application Setup

[Screenshot: Creating user groups based on LDAP3.png]

 

Go to Access Restrictions

[Screenshot: Creating user groups based on LDAP4.png]

 

Enable SSO Authentication

[Screenshot: Creating user groups based on LDAP5.png]

 

Go to Allow list

[Screenshot: Creating user groups based on LDAP6.png]

 

Change the order of Default entries

Do this to avoid locking yourself out of the SafeSquid User Interface.

See how each default entry works here: http://2017.swg.safesquid.com/index.php/Working_of_Default_Entries_in_Access_Restrictions

 
[Screenshot: Creating user groups based on LDAP7.png]

Add LDAP users

[Screenshot: Creating user groups based on LDAP8.png]

 
[Screenshot: Creating user groups based on LDAP9.png]
[Screenshot: Creating user groups based on LDAP10.png]

Note: If your LDAP server is not integrated, you will not see any users in the drop-down menu.

[Screenshot: Creating user groups based on LDAP11.png]

Here I am selecting the manager group from my AD, so this policy will only apply to users from this group (manager group).

If you want to apply the rule to all users, leave this entry blank.

 
[Screenshot: Creating user groups based on LDAP12.png]
[Screenshot: Creating user groups based on LDAP13.png]
[Screenshot: Creating user groups based on LDAP14.png]
[Screenshot: Creating user groups based on LDAP17.png]
  1. Access the internet and confirm that you can browse the web the way it should be. (It should not show you an authentication prompt.)
  2. Take a look at the output of the tail command that you had earlier left running on the Linux console.

You will see requests from the user that had logged into the windows7.safesquid.test system, and the user should be identified as <username>@<SAFESQUID.TEST>@ 192.168.221.212.

Leave this tail command running on the console.

tail -f /opt/safesquid/safesquid/logs/extended/extended.log

Here we will be validating the SSO authentication, and the log lines here will reveal the success of our undertaken steps.
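Reading the tail output by eye works for one client, but the check is easy to automate: a request from the test client is only evidence of working SSO when it carries the <username>@<REALM>@ <client-ip> identity described above, in the expected realm, and the same client never shows up without one. The script below is an added example, not part of the original page and not SafeSquid's own tooling. It only relies on the identity token and client IP the page states; the surrounding layout of the sample lines is constructed and is not the real extended.log format, which is why the matcher searches for the token anywhere in the line instead of parsing fixed columns.

```python
import re

# Identity token the page says a Kerberos-authenticated request carries:
#   <username>@<REALM>@ <client-ip>
IDENT_RE = re.compile(
    r"(?P<user>[A-Za-z0-9._$-]+)@(?P<realm>[A-Za-z0-9.-]+)@\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_identity(line):
    """Return (user, realm, client_ip) if the line carries an SSO identity, else None."""
    m = IDENT_RE.search(line)
    return (m["user"], m["realm"], m["ip"]) if m else None


def _mentions_ip(line, ip):
    # Exact-token match, so 192.168.221.21 does not match inside 192.168.221.212.
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line) is not None


def check_sso(lines, client_ip, realm):
    """Classify every request from client_ip:
    users           - principals from the expected realm (what we want to see)
    wrong_realm     - identities from another realm (trust or DNS-suffix mix-up)
    unauthenticated - requests from the client carrying no identity at all
    """
    report = {"users": set(), "wrong_realm": set(), "unauthenticated": 0}
    for line in lines:
        ident = parse_identity(line)
        if ident is not None:
            user, seen_realm, ip = ident
            if ip != client_ip:
                continue
            if seen_realm.upper() == realm.upper():
                report["users"].add(user)
            else:
                report["wrong_realm"].add(f"{user}@{seen_realm}")
        elif _mentions_ip(line, client_ip):
            report["unauthenticated"] += 1
    report["users"] = sorted(report["users"])
    report["wrong_realm"] = sorted(report["wrong_realm"])
    return report


def sso_ok(report):
    """SSO works when the client appears with a principal in the right realm and never without one."""
    return bool(report["users"]) and report["unauthenticated"] == 0 and not report["wrong_realm"]


# Constructed sample lines (NOT real extended.log output): only the identity token and
# the client IP come from the page; timestamps, URLs and status codes are made up.
SAMPLE_LOG = """\
2019-12-02 17:40:01 GET http://example.com/ alice@SAFESQUID.TEST@ 192.168.221.212 200
2019-12-02 17:40:02 GET http://example.com/favicon.ico alice@SAFESQUID.TEST@ 192.168.221.212 200
2019-12-02 17:40:05 GET http://example.org/ 192.168.221.212 407
2019-12-02 17:40:09 GET http://example.net/ bob@OTHER.LOCAL@ 192.168.221.212 200
""".splitlines()

if __name__ == "__main__":
    import sys
    # Live use: tail -n 200 /opt/safesquid/safesquid/logs/extended/extended.log | python3 sso_check.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    rep = check_sso(source, "192.168.221.212", "SAFESQUID.TEST")
    print(rep, "->", "SSO OK" if sso_ok(rep) else "SSO NOT working")
```

On the constructed sample the verdict is "NOT working" for two distinct reasons that are worth telling apart in a real log: one request from the client arrived with no identity (the case an authentication prompt in the browser would produce), and one arrived with a principal from a different realm, which points at a domain or DNS-suffix problem rather than at the proxy configuration.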

If you can confirm that, hurrah, you are done!

To enable Windows Integrated Authentication for the rest of your enterprise, modify the entry you created in Access Restrictions for IP 192.168.221.212 and simply leave the IP address field blank.