Testing your Kerberos SSO authentication setup

From Secure Web Gateway

 

Configure Authentication in SafeSquid’s Access Restrictions

SafeSquid’s WebGUI is used to create/modify policy configuration. We can access the WebGUI from any authorized system, depending on Access Restrictions configuration section (by default ALL are allowed). To ensure that we do not get locked up, we will in the following steps configure the Access Restrictions section of SafeSquid to enable the SSO authentication, and then to enable authentication for only our Test Client windows7.safesquid.test (My client machine). You may choose AD browser for testing purpose.

My Test Client machine : windows7.safesquid.test (Connect in your domain and should able to resolve. Verify time synchronization)

We already done Preparatory Steps (Verify it once before setting proxy)

  1. Configure your Internet browser to use sabproxy.safesquid.test : <port_usually_8080> as your proxy server.

Note:  You should NOT be using the <IP address> : <port> format now. Always use FQDN of Proxy Server

SSOproxy.PNG
 

Access the SafeSquid User Interface

Go to Configure Page

Go to configure page.png  

Go to Application Setup

Creating user groups based on LDAP3.png

 

Go to Access Restrictions

Creating user groups based on LDAP4.png

 

Enable SSO Authentication

Creating user groups based on LDAP5.png

 

Go to Allow list

Creating user groups based on LDAP6.png

 

Change the order of Default entries

To avoid locking yourself to the SafeSquid User Interface.

See the working of each default Entry here

 
Creating user groups based on LDAP7.png  

Add LDAP users

Creating user groups based on LDAP8.png

 
Creating user groups based on LDAP9.png  
Creating user groups based on LDAP10.png  

Note: If your LDAP server is not integrated then you will not see any users list in the drop down menu.

Creating user groups based on LDAP11.png

Here I am selecting the manager group from my AD so this policy will only applicable for the users from this group (manager group).

If you want to apply rule for all the users, then keep this entry blank.

 
Creating user groups based on LDAP12.png  
Creating user groups based on LDAP13.png  
Creating user groups based on LDAP14.png  
Creating user groups based on LDAP17.png  
  1. Access the internet, confirm that you can access the web the way should be. '('It should not ask you for authentication prompt)
  2. Take a look at the output of the tail command that you had earlier left running on the Linux console.

You will see request from the user that had logged into the windows7.safesquid.test system and the user should be getting identified as <username>@<SAFESQUID.TEST>@ 192.168.221.212

On the console leave this tail command running.

tail -f /opt/safesquid/safesquid/logs/extended/extended.log

Here we will be validating the SSO authentication, and the log lines here will reveal the success of our undertaken steps.

If you can confirm that, Hurrah you are done!

To enable Windows Integrated authentication for the rest of your enterprise, modify the entry you created in the Access Restrictions for IP 192.168.221.212  and simply leave the IP address field blank.