Azure AD Joined SSO Client
We're testing the SSO Client on a device that's only Azure AD Joined. The user is signed in to windows with their Azure AD credentials. We use AD Connect to sync Azure AD Users to on premises AD. This scenario seems to work but doesn't seem to be documented. Will we run into any issues doing this?
We would rather have the user authenticate with Azure AD via SSO SAML but that doesn't seem to be an option with WG auth client.
1
Sign In to comment.
Comments
Shouldn't be a problem so long as the SSO gateway has something to talk to. There isn't any requirement that the SSO gateway be installed on a server (it'll work just as well on a workstation) -- most admins choose to do this since the servers are always on.
-James Carson
WatchGuard Customer Support
We have the gateway installed on a server so that isn't an issue. This requirement was a bit worrying since Azure AD Joined computers are not members of the local AD Domain.
"All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships."
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_quick_start.html
If it's working, the SSO Gateway is able to look users up. It wouldn't be working if there wasn't permission for it to do so.
I'm not sure it'd work in a situation where there is not an on-prem server at all, but other mechanisms like RADIUS SSO via switches/APs is possible in that situation.
-James Carson
WatchGuard Customer Support
phanaaekIT, We have a setup where we have moved some machines to Azure only. We have an old SSO agent setup that looks at AD for our domain machines. I dont use Event log monitor. We also have AD Connect. However my users can not SSO in. Did you fully understand why your setup works? What version of the agent are you using? Thanks in advance
We use AD Connect to sync local AD accounts to Azure. We use the SSO Client on all devices. Other than that, we didn't do anything else. We're not using the Event log monitor either. I've only tested this on one PC so far but should be testing more soon.
Side note I have a ticket with a feature request open (FBX-14093) for this scenario (more so for an Azure AD only setup where no on-premise AADconnect setup exists) as we did have a client that wanted to use the SSO client but for a pure Azure AD [now Entra ID] setup.
I am in that same boat, and it never worked for me. Did you ever expand to more machines to see if it still worked?
Yes, we have more than 10 users with Entra ID joined device, not hybrid, and the SSO client works for all of them.
Looks like 12.10.1 has a new feature:
With v12.10.1 of the WatchGuard Single Sign-On (SSO) Agent, WatchGuard Active Directory SSO now supports computers joined to your domain with Azure Active Directory. This support is for hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD. [FBX-14093]
That makes it sound like the device has to be Entra ID Hybrid Joined but really isn't clear there. My devices are Azure AD joined only but my users are locally synced to Azure with AD Connect. It's already working for me at the moment so I will probably hold off on that update. Let us know if it works for you.
I just ran into a major issue with this setup that only affects the Azure AD joined devices.
When I look at traffic monitor the user does show up correctly, for example src_user=user@domain.local. However, when I try to target the user with a policy by username or group, it doesn't work. It only works for computers that are AD joined.
I thought this was working before so I'm not sure if an update or some other change broke it.
So I have a little update on this regard:
I know it's been over a year now, but I hope this can still help people.
if you go into the Watchguard Authentication gateway, and add a file there in the "c:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway"
add a file called wagsrvc.ini
now add the following lines to this file:
[config]
forcedAdGroups=Gemiddeld verplicht niveau|Medium Mandatory Level|Niveau obligatoire moyen|Střední povinná úroveň|Mellem obligatorisk niveau|Mittlere Verbindlichkeitsstufe
This wil effectively add the SSO working for:
Dutch
German
English
Italien
Danish
however: Tjechie "Střední povinná úroveň" <-- does not work
source: https://portal.watchguard.com/wgknowledgebase?SFDCID=kA1Vr0000004Tt3KAE&lang=en_US
This is the ONLY documentation I was able to find ANYWHERE regarding this online. ( apart from a senior tech I spoke with