Integrate Active Directory For SSO Authentication

From Secure Web Gateway


In given example we are integrating an Active Directory for SSO authentication.

Your Active directory (AD) FQDN: ad.safesquid.test (You should get your AD FQDN from this location : AD ( Start > Control Panel > System > Full Computer name))

Your Active directory (AD) IP Address :

Domain of Active Directory (AD) : safesquid.test

Base Dn of AD : dc=safesquid,dc=test

User Name : administrator@safesquid.test (User name should be any user from AD having administrative permissions)

Monit service must be Up. Verify it using command :

root@sabproxy:~# pidof monit

See more about Integrate LDAP section, here we explained the working of each field in the Integrate LDAP section. 


Make sure that all the values (LDAP server FQDN, LDAP server IP, Username, password, base dn, domain ) while configuration are correct. If any value is inappropriate then SafeSquid will fail to fetch the entries.

Step 1 : Specify Name Server Addresses.  Follow Link

Step 2 : Specify Time Synchronization Server.  Follow Link
(Note: Time Synchronization of AD server and Proxy server should be same. Verify it using  "date" command)

Step 3 : Add DNS entry of  SafeSquid server in your Active Directory Server.  Follow Link

Step 4 : Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server. For troubleshooting.   Follow Link

Once you complete all the above steps correctly then you are ready for SSO Configuration.

Access the SafeSquid User Interface

AD integration common1.png



Go to Application Setup


AD integration common2.png



Go to Integrate LDAP


AD integration common3.png



Ensure LDAP Section is enabled


AD integration common4.png



AD integration common5.png



AD integration common6.png



AD integration common7.png



Go to LDAP servers


AD integration common8.png

Creating new entry


AD integration common9.png



SSO Auth10.png



SSO Auth11.png



In a network with multiple LDAP Servers, and multiple SafeSquid Proxy Servers deployed in Master-Slave mode, this field can be used to specify the Host Name of the Proxy Server, which will communicate with the LDAP Server configured.
Leave this field blank if this is the only SafeSquid proxy, or if you want all the proxies to communicate with the LDAP server configure.

SSO Auth12.png





SSO Auth13.png



SSO Auth14.png



SSO Auth15.png


You can use any user from Active Directory who is having Administrator permissions


SSO Auth16.png



SSO Auth17.png



SSO Auth18.png



SSO Auth19.png



SSO Auth20.png



SSO Auth21.png



SSO Auth22.png

Test User Extraction

Troubleshooting :

As soon as you Save policy by selecting NEGOTIATE_LDAP_AUTH* script will automatically run from path /usr/local/safesquid/ui_root/cgi-bin

1.Verify below files at path:/usr/local/safesquid/security


2. SafeSquid will create the stub zone for DNS resolution of your Active Directory server.

The file with stub zone will create with the name : safesquid.dns.conf

At path :


Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {;};

Also it will automatically copy at given path:


Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {;};

(Note: Monit service must be up.)

SSO Auth23.png


Step : Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server.

For troubleshooting Follow Link

Simple auth23.png

Save Configuration

If you did not find any entries on LDAP Entries subsection, then validate whether all fields in LDAP servers subsection are correct or not.

If all fields are correct then

Find the error cause

Troubleshooting Steps


Simple auth24.png When you click on Save config, it will give a prompt for asking the confirmation to store your configuration  into the cloud. 
Select Yes only in below cases:
  •  If you want to use this same configuration in other SafeSquid instances.
  •  If your total configuration in all sections is completed and validated. 

Otherwise select No and click on submit button.


Enable SSO authentication for LDAP users

Read more about Testing your Kerberos SSO authentication setup