Is there a seamless SSO solution with Entra ID?

By seamless, I mean can SSO with Entra ID be set up to work similarly to the way SSO worked with Active Directory?

With on-prem AD, you could install the SSO Client on devices and the SSO Agent on an AD server. Once configured, end users were not required to do anything different, like connecting to a portal, to access network resources. And, users were automatically linked to IP addresses, making traffic/reports much easier to understand.

What about an environment that has no on-prem AD server and all devices are Entra ID Joined? Can the same seamless workflow be accomplished?

From what I can gather, Entra ID SSO could be set up, but users would have to browse to the Firebox and log in in order to authenticate and map their account to an IP address.

Or, maybe there's a way to do it using AuthPoint. I'm not too familiar with AuthPoint but apparently there's an AuthPoint app that could be installed on devices. But that requires a separate subscription which I'm not interested in. Or is there a way to use this without a subscription maybe?

The old AD SSO solution worked well, was no extra cost and was completely transparent to end users. Can that be replicated with the modern architecture?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @cmc

    Not at this time. There is a feature request (FBX-28750) for a feature like this, but it does not have an ETA at this time.

    If you'd like to follow the request for FBX-28750, please create a support case and mention FBX-28750 somewhere in the case. The tech assigned to the case can set that up for you.

    -James Carson
    WatchGuard Customer Support

  • Thanks for the info. After reading through the documentation, and consulting Gemini, I dug into AuthPoint and Directories and Domain Services (DDS). It seems there may be a way to accomplish something like this. Curious what your take is on Gemini's explanation, if you have a minute to read through it.

    https://gemini.google.com/share/f740e1e88f74

    The main takeaway is to use the AuthPoint Logon App and configure users as Non-MFA (no license needed). The hang-up is that in order to download the Logon App installer and config file, you need a license for AuthPoint.

    To test, I enabled a trial for AuthPoint and set up all of the Entra ID syncing, DDS, etc. It seems like it almost works, but when logging into Windows, the Logon App displays an error - "You cannot authenticate because your AuthPoint user group does not have an authentication policy for the Logon app."

    I opened a support case to troubleshoot the error and see if there is a way around it.

  • james.carson Moderator, WatchGuard Representative

    Hi @cmc

    AuthPoint's DDS works, but does not provide the logged SSO experience (where the firewall shows who is logged in via SSO). That is what the feature request is for.

    If you're simply looking for the ability to log in, minus the firewall itself being aware of that, it may provide what you're looking for.

    -James Carson
    WatchGuard Customer Support
