Integrate Active Directory For SSO Authentication

From Secure Web Gateway

Overview

In given example we are integrating an Active Directory for SSO authentication.

Your Active directory (AD) FQDN: ad.safesquid.test (You should get your AD FQDN from this location : AD ( Start > Control Panel > System > Full Computer name))

Your Active directory (AD) IP Address : 192.168.221.1

Domain of Active Directory (AD) : safesquid.test

Base Dn of AD : dc=safesquid,dc=test

User Name : administrator@safesquid.test (User name should be any user from AD having administrative permissions)

Monit service must be Up. Verify it using command :

root@sabproxy:~# pidof monit
19940

See more about Integrate LDAP section, here we explained the working of each field in the Integrate LDAP section. 

Prerequisites

Make sure that all the values (LDAP server FQDN, LDAP server IP, Username, password, base dn, domain ) while configuration are correct. If any value is inappropriate then SafeSquid will fail to fetch the entries.

Step 1 : Specify Name Server Addresses.  Follow Link

Step 2 : Specify Time Synchronization Server.  Follow Link
(Note: Time Synchronization of AD server and Proxy server should be same. Verify it using  "date" command)

Step 3 : Add DNS entry of  SafeSquid server in your Active Directory Server.  Follow Link

Step 4 : Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server. For troubleshooting.   Follow Link

Once you complete all the above steps correctly then you are ready for SSO Configuration.

Access the SafeSquid User Interface

AD integration common1.png

 

 

Go to Application Setup

 

AD integration common2.png

 

 

Go to Integrate LDAP

 

AD integration common3.png

 

 

Ensure LDAP Section is enabled

 

AD integration common4.png

 

 

AD integration common5.png

 

 

AD integration common6.png

 

 

AD integration common7.png

 

 

Go to LDAP servers

 

AD integration common8.png

Creating new entry

 

AD integration common9.png

 

 

SSO Auth10.png

 

 

SSO Auth11.png

 

why?

In a network with multiple LDAP Servers, and multiple SafeSquid Proxy Servers deployed in Master-Slave mode, this field can be used to specify the Host Name of the Proxy Server, which will communicate with the LDAP Server configured.
Leave this field blank if this is the only SafeSquid proxy, or if you want all the proxies to communicate with the LDAP server configure.

SSO Auth12.png

 

 

 

 

SSO Auth13.png

 

 

SSO Auth14.png

 

 

SSO Auth15.png

 

You can use any user from Active Directory who is having Administrator permissions

 

SSO Auth16.png

 

 

SSO Auth17.png

 

 

SSO Auth18.png

 

 

SSO Auth19.png

 

 

SSO Auth20.png

 

 

SSO Auth21.png

 

 

SSO Auth22.png

Test User Extraction

Troubleshooting :

As soon as you Save policy by selecting NEGOTIATE_LDAP_AUTH 

kerberos.sh* script will automatically run from path /usr/local/safesquid/ui_root/cgi-bin

1.Verify below files at path:/usr/local/safesquid/security
 

HTTP.keytab
krb5.conf
krb.tkt


2. SafeSquid will create the stub zone for DNS resolution of your Active Directory server.

The file with stub zone will create with the name : safesquid.dns.conf

At path :

/usr/local/safesquid/security/dns

Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {192.168.221.1;};
 };

Also it will automatically copy at given path:

/etc/bind/

Run command:  cat safesquid.dns.conf

zone safesquid.test {
 type stub;
 masters {192.168.221.1;};
 };

(Note: Monit service must be up.)

SSO Auth23.png

 

Step : Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server.

For troubleshooting Follow Link

Simple auth23.png

Save Configuration

If you did not find any entries on LDAP Entries subsection, then validate whether all fields in LDAP servers subsection are correct or not.

If all fields are correct then

Find the error cause

Troubleshooting Steps

 

Simple auth24.png When you click on Save config, it will give a prompt for asking the confirmation to store your configuration  into the cloud. 
Select Yes only in below cases:
  •  If you want to use this same configuration in other SafeSquid instances.
  •  If your total configuration in all sections is completed and validated. 

Otherwise select No and click on submit button.

 

Enable SSO authentication for LDAP users

Read more about Testing your Kerberos SSO authentication setup