Choose Your Active Directory SSO Components

This topic explains operating system compatibility, the benefits and limitations of each component, and best practices so you can choose the SSO components that work best for your network.

For SSO to work, you must install the SSO Agent software.

We recommend that you also install one or more of these components:

SSO Client — Windows and macOS
Event Log Monitor (Clientless SSO) — Windows
Exchange Monitor (Clientless SSO) — Windows, macOS, Linux, and mobile clients

If you only install the SSO Agent, your SSO deployment uses Active Directory (AD) Mode to get user information. AD mode is not intended to be used as the primary SSO method because it has access control limitations that can result in failed SSO attempts and security risks. For more information about AD Mode, go to How Active Directory SSO Works.

SSO Component Compatibility

For information about which operating system and Microsoft Exchange Server versions are compatible with your SSO components, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

SSO Component Compatibility List

SSO Component	Windows	macOS	Linux	iOS	Android	Windows Mobile
SSO Agent ¹²	Compatible	Not Compatible	Not Compatible	Not Compatible	Not Compatible	Not Compatible
SSO Client ³	Compatible	Compatible	Not Compatible	Not Compatible	Not Compatible	Not Compatible
Event Log Monitor ⁴	Compatible	Not Compatible	Not Compatible	Not Compatible	Not Compatible	Not Compatible
Exchange Monitor ⁵	Compatible	Compatible	Compatible	Compatible	Compatible	Compatible

¹ The SSO Agent must only be installed on a Windows domain member server or your Active Directory domain controller.

² To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, here a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.

³ The SSO Client is available in two versions: Windows and macOS.

⁴ The Event Log Monitor must only be installed on a Windows domain member server or your Active Directory domain controller.

⁵ The Exchange Monitor must be installed on a Windows server with Microsoft Exchange Server. If you configure Exchange Monitor, users can authenticate with SSO from any computer or device that can authenticate to a Microsoft Exchange server.

SSO Component Comparison

SSO components have different deployment methods, operating system compatibility, and levels of accuracy and performance. You can use this list to compare the benefits and limitations of each SSO component.

SSO Component	Benefits	Limitations	OS Support
SSO Client	More accurate than other SSO methods Requires only one Active Directory GPO for deployment Uses minimal network bandwidth Compatible with RDP Reliable over BOVPN connections Reliable on networks where users frequently log in and out of workstations	Must be successfully deployed on each domain computer	Windows, macOS
Event Log Monitor	Requires no workstation software Works with RDP	Uses more network bandwidth than other SSO methods Requires more than one Active Directory GPO Unreliable over BOVPN connections Inaccurate when Windows Event Log is stopped or unable to generate logs for new events	Windows
Exchange Monitor	Compatible with mobile devices Requires no workstation software Uses minimal network bandwidth	Requires users to open email software that connects to Microsoft Exchange Server before they browse the Internet Does not detect RDP logons Unreliable on networks where users frequently log in and log out of workstations	Any OS

Best Practices

For the most reliable SSO deployment, we recommend:

For a network with only Windows computers

Install the SSO Client on each Windows computer
Specify the SSO Client as the primary contact for the SSO Agent
Specify the Event Log Monitor as a secondary contact for the SSO Agent

For a network with Windows, macOS, and Linux computers, and devices with mobile operating systems

Install the SSO Client on each Windows and macOS computer
Specify the SSO Client as the primary contact for the SSO Agent
Specify the Exchange Monitor as a secondary contact for the SSO Agent

In your network environment, if more than one person uses the same computer, we recommend you choose one of these component configurations:

Install the SSO Client software on each client computer
Install one or more instances of the Event Log Monitor in each domain
Install the Exchange Monitor on your Exchange server

If you configure more than one Active Directory domain, you can use the SSO Client, Event Log Monitor, or Exchange Monitor. For more information about how to configure the SSO Client when you have more than one Active Directory domain, go to Configure Active Directory Authentication and Install the WatchGuard Active Directory SSO Client.

If you enable SSO, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, go to Firewall Authentication.

A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, go to Install and Configure the Terminal Services Agent.

Choose Your Active Directory SSO Components

SSO Component Compatibility

SSO Component Compatibility List

SSO Component Comparison

Best Practices

Related Topics