Integrate Active Directory For SSO Authentication

Integrate Active Directory For SSO Authentication

Overview

In given example we are integrating an Active Directory for SSO authentication.
Your Active directory (AD) FQDN: ad.safesquid.test (You should get your AD FQDN from this location : AD ( Start > Control Panel > System > Full Computer name))
Your Active directory (AD) IP Address: 192.168.221.1
Domain of Active Directory (AD): safesquid.test
Base Dn of AD: dc=safesquid,dc=test
User Name: administrator@safesquid.test (User name should be any user from AD having administrative permissions)
Monit service must be Up. Verify it using command:
  1. root@sabproxy: ~# pidof monit
  2. 19940
See more about Integrate LDAP section, here we explained the working of each field in the Integrate LDAP section. 

Prerequisites

Make sure that all the values (LDAP server FQDN, LDAP server IP, Username, password, base dn, domain) while configuration are correct. If any value is inappropriate then SafeSquid will fail to fetch the entries.
Step 1: Specify Name Server Addresses.  Follow Link
Step 2: Specify Time Synchronization Server.  Follow Link
(Note: Time Synchronization of AD server and Proxy server should be same. Verify it using “date" command)
Step 3: Add DNS entry of SafeSquid server in your Active Directory Server.  Follow Link
Step 4: Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server. For troubleshooting.   Follow Link
Once you complete all the above steps correctly then you are ready for SSO Configuration.

Access the SafeSquid User Interface

clicking on configure in safesquid interface

Go to Application Setup

clicking on application setup

Go to Integrate LDAP

going to integrate LDAP in application setup section

Ensure LDAP Section is enabled

ensuring the LDAP section is enabled. by default it is set as false
clicking on the global edit
selecting true from the drop down menu
clicking on save policy

Go to LDAP servers

going to LAP servers tab

Creating new entry

creating a new entry by clicking add new button
some default values are set to some options. leaving enabled as true and writing comment for future reference
leaving host name field blank
why?
In a network with multiple LDAP Servers, and multiple SafeSquid Proxy Servers deployed in Master-Slave mode, this field can be used to specify the Host Name of the Proxy Server, which will communicate with the LDAP Server configured.
Leave this field blank if this is the only SafeSquid proxy, or if you want all the proxies to communicate with the LDAP server configure.
leaving ldap port and use SSL to their default
clicking on ldap bind method and selecting negotiate from the drop down menu
You can use any user from Active Directory who is having Administrator permissions
clicking on encrypt password icon
entering admin password and confirming the password by entering in respective field
clicking on encrypt to encrypt the password
showing that the password is now encrypted
clicking on save policy

Test User Extraction

Troubleshooting:
As soon as you Save policy by selecting NEGOTIATE_LDAP_AUTH 
kerberos.sh* script will automatically run from path 
  1. /usr/local/safesquid/ui_root/cgi-bin
1.Verify below files at path:
  1. /usr/local/safesquid/security
  2. HTTP.keytab
  3. krb5.conf
  4. krb.tkt
2. SafeSquid will create the stub zone for DNS resolution of your Active Directory server.
The file with stub zone will create with the name: safesquid.dns.conf
At path:
  1. /usr/local/safesquid/security/dns
Run command:  
  1. cat safesquid.dns.conf
  2. zone safesquid.test {
  3. type stub;
  4. masters {192.168.221.1;};
  5. };
Also, it will automatically copy at given path:
  1. /etc/bind/
Run command:  
  1. cat safesquid.dns.conf
  2. zone safesquid.test {
  3. type stub;
  4. masters {192.168.221.1;};
  5. };
(Note: Monit service must be up.)
clicking on ldap entries tab to check for entries
Step: Make sure that your AD Domain must be resolvable from all clients and SafeSquid Server.
For troubleshooting Follow Link
showing all the users from directory in ldap entries tab
Save Configuration
If you did not find any entries on LDAP Entries subsection, then validate whether all fields in LDAP servers subsection are correct or not.
If all fields are correct then
Find the error cause
Troubleshooting Steps
clicking on save config to save it
When you click on Save config, it will give a prompt for asking the confirmation to store your configuration into the cloud. 
Select Yes only in below cases:
If you want to use this same configuration in other SafeSquid instances.
If your total configuration in all sections is completed and validated. 
Otherwise select No and click on submit button.
Enable SSO authentication for LDAP users
Read more about Testing your Kerberos SSO authentication setup




    • Related Articles

    • Integrate Active Directory For Simple Authentication

      Overview Here I am integrating my Active Directory with following information. Active Directory FQDN : ad.safesquid.test IP Address : 192.168.221.1 Domain of Active Directory : safesquid.test Base Dn : dc=safesquid,dc=test User Name : ...

    • A comprehensive guide on how to integrate Windows Active directory

      Active Directory (AD) services are crucial for network security and efficient user management within an organization. High Security: Active Directory services provide layered security, encompassing various policies and permissions to ensure security ...

    • Integrate a Linux Host with a Windows AD for Kerberos SSO authentication

      Overview Kerberos Authentication support is particularly useful for Enterprise networks that have a Microsoft AD based Domain controller. By properly configuring the necessary Kerberos related factors, your enterprise Internet users can optionally ...

    • Kerberos SSO Authentication Setup

      The main aim/objective of this particular authentication is that the user doesn’t have to enter its credentials the software will automatically detect from which user group does the user belong and will set the restrictions accordingly. Overview ...

    • Integrate openLDAP for simple authentication

      Overview Here i am integrating my Active Directory with following information. IP Address: 192.168.247.10 Domain of Active Directory: safesquid.net Base Dn: dc=safesquid,dc=net User Name: cn=admin,dc=safesquid,dc=net See more about Integrate LDAP ...