SSO problem with multiple domains

Hi,

Ok I'm trying to wrap my head around SSO with multiple domains. I've read the FAQ/doc on the subject but still not quite sure.
I'm using an M370.

Basically I have two completely separate networks. Each is on its own VLAN with its own separate addressing and own domain controllers. The only place the two networks meet is at the Watchguard, each connected to a separate interface, so they can share Internet connections.

The first network is the one that's been there for ages. SSO is set up and works, with the agent and event log monitor on a DC and the SSO client installed on all client machines. I now need to get SSO working for users on the other network and domain.

The FAQ says I should keep a single SSO Agent on the existing DC. On the second network's DC I should install just the event log monitor.

I presume I should add the second network's domain details to the existing SSO Agent, which would then contact the second network?

This is where I get confused.

For the SSO Agent to contact the event log monitor on the second domain DC, I'd need to add rules to the Watchguard to allow certain traffic to flow between the two domain controllers on the two networks? If so what ports are required exactly? This is really confusing.

Secondly, if I understand the SSO client correctly, the agent would contact the SSO client installed on the machine making the original attempt/request to retrieve credentials? This is a total non-starter in my configuration as it would require allowing, via firewall rules, the first network DC to communicate with ANY machine on the second network. I'm not doing that.

So, if the above assumptions are correct, I'd have to ditch the SSO client and rely solely on the event log monitor, allowing the necessary traffic only between the two networks' DCs? How robust would this be without the SSO client?

If anyone can offer any advice or tips or anything I may have missed, I'd appreciate it.

I can't help feeling that the Watchguard should really allow me to set up multiple SSO Agents on different networks/interfaces, so requests from each of my networks routes to an SSO agent on a DC for that network. This seems totally obvious and by far the simplest and most secure system. Why is this not supported?!

Comments

  • The following shows that the SSO agent contacts the ELM on TCP port 4135, the SSO agent contacts the SSO clients on TCP port 4116, and for a non-SSO client the ELM contacts the Windows PC on TCP port 445 (SMB).

    How Active Directory SSO Works
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_about_c.html

    The "Two Domains" section in this document explains how this would work for you.

    Example Network Configurations for Active Directory SSO
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_example_configurations.html

    Re. clientless SSO -
    Use of the SSO Client is recommended for shared PCs/Macs
    ELM only works for Windows PCs.
    From the docs:
    "For the most reliable SSO deployment, we recommend that you also install the SSO Client on Windows and macOS clients on your network."

    I can't answer why SSO for multiple domains is designed this way.

    Hope this helps

  • Thanks yes these articles do seem to support what I was suggesting and that the clientless SSO using only the ELM is the best way to go but I just wanted to know if I was missing anything or if there was a better way.

    I'm actually annoyed you can't just configure multiple SSO Agents on the Watchguard. Actually you can but only for failover it seems. They wouldn't even have to change the interface for heaven's sake - just get Fireware to use whichever SSO Agent is on the same network as the original request - problem solved far more simply and more securely (no inter-network traffic required)!
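The port mapping in the first comment (Agent to ELM on 4135, Agent to SSO Client on 4116, ELM to PC on 445) and the "no inter-network traffic required" point in the reply, worked through as an added example that is not from the thread or from WatchGuard: a small Python model of the two-VLAN layout that derives which SSO flows actually cross the Firebox and flags firewall rules broader than that minimum. The addresses are constructed placeholders; only the three TCP port numbers come from the page.

```python
from ipaddress import ip_network

# Constructed addressing for the two VLANs in the thread; only the port numbers
# (4135, 4116, 445) come from the page.
NET1 = ip_network("10.1.0.0/24")     # existing network: SSO Agent + ELM on DC1
NET2 = ip_network("10.2.0.0/24")     # second network: ELM only on DC2
DC1 = ip_network("10.1.0.10/32")
DC2 = ip_network("10.2.0.10/32")
AGENT_TO_ELM, AGENT_TO_CLIENT, ELM_TO_PC = 4135, 4116, 445

def all_flows(sso_client_on_net2):
    """Every (src, dst, tcp_port) flow the SSO components generate, intra-network or not."""
    flows = [
        (DC1, NET1, AGENT_TO_CLIENT),  # Agent -> SSO Clients on the first network
        (DC1, NET1, ELM_TO_PC),        # ELM on DC1 -> Windows PCs without the client
        (DC1, DC2, AGENT_TO_ELM),      # the single Agent polls the ELM on the second DC
        (DC2, NET2, ELM_TO_PC),        # ELM on DC2 -> second-network PCs (clientless)
    ]
    if sso_client_on_net2:
        flows.append((DC1, NET2, AGENT_TO_CLIENT))  # Agent would have to reach every net2 PC
    return flows

def crosses_firewall(src, dst):
    """True unless both ends sit in the same VLAN (then the Firebox never sees the flow)."""
    same = (src.subnet_of(NET1) and dst.subnet_of(NET1)) or \
           (src.subnet_of(NET2) and dst.subnet_of(NET2))
    return not same

def required_cross_network_flows(sso_client_on_net2):
    """Minimum set of flows the firewall policies must permit between the two networks."""
    return [f for f in all_flows(sso_client_on_net2) if crosses_firewall(f[0], f[1])]

def excess_rules(rules, sso_client_on_net2):
    """rules: iterable of (src_cidr, dst_cidr, tcp_port) as strings/int.
    Returns every rule that is broader than any required flow, e.g. DC1 -> all of
    net2 on 4135 when only DC2 is needed, or any 4116 rule in clientless mode."""
    needed = required_cross_network_flows(sso_client_on_net2)
    excess = []
    for src, dst, port in rules:
        s, d = ip_network(src), ip_network(dst)
        if not any(s.subnet_of(ns) and d.subnet_of(nd) and port == np
                   for ns, nd, np in needed):
            excess.append((src, dst, port))
    return excess
```

With `sso_client_on_net2=False` the only cross-network flow is DC1 to DC2 on TCP 4135, which is the clientless layout the thread settles on.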