Azure AD Joined SSO Client

We're testing the SSO Client on a device that's only Azure AD Joined. The user is signed in to Windows with their Azure AD credentials. We use AD Connect to sync Azure AD users to on-premises AD. This scenario seems to work but doesn't seem to be documented. Will we run into any issues doing this?

We would rather have the user authenticate with Azure AD via SSO SAML but that doesn't seem to be an option with WG auth client.

Comments

  •
    james.carson Moderator, WatchGuard Representative

    Shouldn't be a problem so long as the SSO gateway has something to talk to. There isn't any requirement that the SSO gateway be installed on a server (it'll work just as well on a workstation) -- most admins choose to do this since the servers are always on.

    -James Carson
    WatchGuard Customer Support

  •
    edited July 2023

    We have the gateway installed on a server so that isn't an issue. This requirement was a bit worrying since Azure AD Joined computers are not members of the local AD Domain.

    "All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships."
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_quick_start.html

  •
    james.carson Moderator, WatchGuard Representative

    If it's working, the SSO Gateway is able to look users up. It wouldn't be working if there wasn't permission for it to do so.

    I'm not sure it'd work in a situation where there is not an on-prem server at all, but other mechanisms like RADIUS SSO via switches/APs is possible in that situation.

    -James Carson
    WatchGuard Customer Support

  •

    phanaaekIT, we have a setup where we have moved some machines to Azure only. We have an old SSO agent setup that looks at AD for our domain machines. I don't use Event log monitor. We also have AD Connect. However, my users can not SSO in. Did you fully understand why your setup works? What version of the agent are you using? Thanks in advance.

  •

    We use AD Connect to sync local AD accounts to Azure. We use the SSO Client on all devices. Other than that, we didn't do anything else. We're not using the Event log monitor either. I've only tested this on one PC so far but should be testing more soon.

  •

    Side note: I have a ticket with a feature request open (FBX-14093) for this scenario (more so for an Azure AD only setup where no on-premises AADconnect setup exists), as we did have a client that wanted to use the SSO client but for a pure Azure AD [now Entra ID] setup.

  •

    @phanaaekIT said:
    We use AD Connect to sync local AD accounts to Azure. We use the SSO Client on all devices. Other than that, we didn't do anything else. We're not using the Event log monitor either. I've only tested this on one PC so far but should be testing more soon.

    I am in that same boat, and it never worked for me. Did you ever expand to more machines to see if it still worked?

  •

    Yes, we have more than 10 users with Entra ID joined devices, not hybrid, and the SSO client works for all of them.

  •
    edited December 2023

    Looks like 12.10.1 has a new feature:

    With v12.10.1 of the WatchGuard Single Sign-On (SSO) Agent, WatchGuard Active Directory SSO now supports computers joined to your domain with Azure Active Directory. This support is for hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD. [FBX-14093]

    That makes it sound like the device has to be Entra ID Hybrid Joined but really isn't clear there. My devices are Azure AD joined only but my users are locally synced to Azure with AD Connect. It's already working for me at the moment so I will probably hold off on that update. Let us know if it works for you.