Testing your Kerberos SSO authentication setup
Configure Authentication in SafeSquid’s Access Restrictions
SafeSquid’s WebGUI is used to create/modify policy configuration. We can access the WebGUI from any authorized system, depending on Access Restrictions configuration section (by default ALL are allowed). To ensure that we do not get locked up, we will in the following steps configure the Access Restrictions section of SafeSquid to enable the SSO authentication, and then to enable authentication for only our Test Client windows7.safesquid.test (My client machine). You may choose AD browser for testing purpose.
My Test Client machine: windows7.safesquid.test (Connect in your domain and should able to resolve. Verify time synchronization)
Configure your Internet browser to use sabproxy.safesquid.test : <port_usually_8080> as your proxy server.
Note: You should NOT be using the <IP address>: <port> format now. Always use FQDN of Proxy Server
Access the SafeSquid User Interface
Go to Configure Page
Go to Application Setup
Go to Access Restrictions
Enable SSO Authentication
Go to Allow list
Change the order of Default entries
To avoid locking yourself to the SafeSquid User Interface.
See the working of each default Entry here
Add LDAP users
Note: If your LDAP server is not integrated then you will not see any users list in the drop-down menu.
Here I am selecting the manager group from my AD so this policy will only applicable for the users from this group (manager group).
If you want to apply rule for all the users, then keep this entry blank.
Access the internet, confirm that you can access the web the way should be. '('It should not ask you for authentication prompt)
Take a look at the output of the tail command that you had earlier left running on the Linux console.
You will see request from the user that had logged into the windows7.safesquid.test system and the user should be getting identified as <username>@<SAFESQUID.TEST>@ 192.168.221.212
On the console leave this tail command running.
- tail -f /opt/safesquid/safesquid/logs/extended/extended.log
Here we will be validating the SSO authentication, and the log lines here will reveal the success of our undertaken steps.
If you can confirm that, hurrah you are done!
To enable Windows Integrated authentication for the rest of your enterprise, modify the entry you created in the Access Restrictions for IP 192.168.221.212 and simply leave the IP address field blank.
Related Articles
Kerberos SSO Authentication Setup
The main aim/objective of this particular authentication is that the user doesn’t have to enter its credentials the software will automatically detect from which user group does the user belong and will set the restrictions accordingly. Overview ...Setup Authentication
Authentication in SafeSquid Proxy Authentication: Proxies can serve as access-control devices. HTTP defines a mechanism called proxy authentication that blocks requests for content until the user provides valid access-permission credentials to the ...Integrate a Linux Host with a Windows AD for Kerberos SSO authentication
Overview Kerberos Authentication support is particularly useful for Enterprise networks that have a Microsoft AD based Domain controller. By properly configuring the necessary Kerberos related factors, your enterprise Internet users can optionally ...Integrate Active Directory For SSO Authentication
Overview In given example we are integrating an Active Directory for SSO authentication. Your Active directory (AD) FQDN: ad.safesquid.test (You should get your AD FQDN from this location : AD ( Start > Control Panel > System > Full Computer name)) ...Setup HTTPS Inspection
Overview Over the couple of years, the internet is changing its dimensions in terms of security. The web is shifting towards HTTPS, to deliver secure services to users. “The main motivation for HTTPS is authentication of the visited website and ...