Testing your Kerberos SSO authentication setup

Testing your Kerberos SSO authentication setup

Configure Authentication in SafeSquid’s Access Restrictions

SafeSquid’s WebGUI is used to create/modify policy configuration. We can access the WebGUI from any authorized system, depending on Access Restrictions configuration section (by default ALL are allowed). To ensure that we do not get locked up, we will in the following steps configure the Access Restrictions section of SafeSquid to enable the SSO authentication, and then to enable authentication for only our Test Client windows7.safesquid.test (My client machine). You may choose AD browser for testing purpose.
My Test Client machine: windows7.safesquid.test (Connect in your domain and should able to resolve. Verify time synchronization)
We already done Preparatory Steps (Verify it once before setting proxy)
Configure your Internet browser to use sabproxy.safesquid.test<port_usually_8080> as your proxy server.
Note:  You should NOT be using the <IP address>: <port> format now. Always use FQDN of Proxy Server
configuring your browser to use safesquid proxy by setting your FQDN and por

Access the SafeSquid User Interface

Go to Configure Page

clicking on configure in safesquid interface     

Go to Application Setup

clicking on application setup

Go to Access Restrictions

going to integrate LDAP in application setup section

Enable SSO Authentication

Enabling SSO authentication in global section

Go to Allow list

going to allow list

Change the order of Default entries

To avoid locking yourself to the SafeSquid User Interface.
See the working of each default Entry here
clicking on move down icon to move the entry down     

Add LDAP users

clicking on edit policies
selecting true in enabled field from the drop down menu     
commenting for future reference     
Note: If your LDAP server is not integrated then you will not see any users list in the drop-down menu.
clicking on LDAP profiles and selecting the LDAP user and LDAP group from your LDAP server from the drop down menu
Here I am selecting the manager group from my AD so this policy will only applicable for the users from this group (manager group).
If you want to apply rule for all the users, then keep this entry blank. 
leaving the PAM authentication field as true 
select or deselect CONFIG  option for the safesquid interface access  
clicking on close icon to remove CONFIG  from access 
clicking on save policy     
Access the internet, confirm that you can access the web the way should be. '('It should not ask you for authentication prompt)
Take a look at the output of the tail command that you had earlier left running on the Linux console.
You will see request from the user that had logged into the windows7.safesquid.test system and the user should be getting identified as <username>@<SAFESQUID.TEST>@ 192.168.221.212
On the console leave this tail command running.
  1. tail -f /opt/safesquid/safesquid/logs/extended/extended.log
Here we will be validating the SSO authentication, and the log lines here will reveal the success of our undertaken steps.
If you can confirm that, hurrah you are done!
To enable Windows Integrated authentication for the rest of your enterprise, modify the entry you created in the Access Restrictions for IP 192.168.221.212 and simply leave the IP address field blank.


    • Related Articles

    • Kerberos SSO Authentication Setup

      The main aim/objective of this particular authentication is that the user doesn’t have to enter its credentials the software will automatically detect from which user group does the user belong and will set the restrictions accordingly. Overview ...
    • Setup Authentication

      Authentication in SafeSquid Proxy Authentication: Proxies can serve as access-control devices. HTTP defines a mechanism called proxy authentication that blocks requests for content until the user provides valid access-permission credentials to the ...
    • Integrate a Linux Host with a Windows AD for Kerberos SSO authentication

      Overview Kerberos Authentication support is particularly useful for Enterprise networks that have a Microsoft AD based Domain controller. By properly configuring the necessary Kerberos related factors, your enterprise Internet users can optionally ...
    • Integrate Active Directory For SSO Authentication

      Overview In given example we are integrating an Active Directory for SSO authentication. Your Active directory (AD) FQDN: ad.safesquid.test (You should get your AD FQDN from this location : AD ( Start > Control Panel > System > Full Computer name)) ...
    • Setup HTTPS Inspection

      Overview Over the couple of years, the internet is changing its dimensions in terms of security. The web is shifting towards HTTPS, to deliver secure services to users. “The main motivation for HTTPS is authentication of the visited website and ...