Choose Your Active Directory SSO Components
This topic explains operating system compatibility, the benefits and limitations of each component, and best practices so you can choose the SSO components that work best for your network.
For SSO to work, you must install the SSO Agent software.
We recommend that you also install one or more of these components:
- SSO Client — Windows and macOS
- Event Log Monitor (Clientless SSO) — Windows
- Exchange Monitor (Clientless SSO) — Windows, macOS, Linux, and mobile clients
If you only install the SSO Agent, your SSO deployment uses Active Directory (AD) Mode to get user information. AD mode is not intended to be used as the primary SSO method because it has access control limitations that can result in failed SSO attempts and security risks. For more information about AD Mode, go to How Active Directory SSO Works.
SSO Component Compatibility
For information about which operating system and Microsoft Exchange Server versions are compatible with your SSO components, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.
SSO Component Compatibility List
SSO Component | Windows | macOS | Linux | iOS | Android | Windows Mobile |
---|---|---|---|---|---|---|
SSO Agent ¹ ² | Compatible | Not Compatible | Not Compatible | Not Compatible | Not Compatible | Not Compatible |
SSO Client ³ | Compatible | Compatible | Not Compatible | Not Compatible | Not Compatible | Not Compatible |
Event Log Monitor ⁴ | Compatible | Not Compatible | Not Compatible | Not Compatible | Not Compatible | Not Compatible |
Exchange Monitor ⁵ | Compatible | Compatible | Compatible | Compatible | Compatible | Compatible |
1 The SSO Agent must only be installed on a Windows domain member server or your Active Directory domain controller.
2 To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.
3 The SSO Client is available in two versions: Windows and macOS.
4 The Event Log Monitor must only be installed on a Windows domain member server or your Active Directory domain controller.
5 The Exchange Monitor must be installed on a Windows server with Microsoft Exchange Server. If you configure Exchange Monitor, users can authenticate with SSO from any computer or device that can authenticate to a Microsoft Exchange server.
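The placement rules in notes 1, 2, 4, and 5 can be checked on a candidate server before you run an installer. The PowerShell script below is an added example, not WatchGuard code. Its parameter names, and the use of the MSExchangeADTopology service as the indicator that Exchange Server is present, are assumptions.

```powershell
# Added example (not WatchGuard code): preflight check for SSO component placement.
param(
    [ValidateSet('SSOAgent', 'EventLogMonitor', 'ExchangeMonitor')]
    [string]$Component = 'SSOAgent',
    [string]$AgentVersion,          # hypothetical: version you plan to install, e.g. '12.10.1'
    [switch]$AzureAdJoinedClients   # hypothetical: set if domain computers are joined with Azure AD
)

# Win32_ComputerSystem.DomainRole values as documented by Microsoft.
$roleNames = @{
    0 = 'Standalone workstation';   1 = 'Member workstation'
    2 = 'Standalone server';        3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

$cs       = Get-CimInstance -ClassName Win32_ComputerSystem
$role     = [int]$cs.DomainRole
$problems = New-Object 'System.Collections.Generic.List[string]'

# Notes 1 and 4: domain member server or domain controller only.
if ($Component -in 'SSOAgent', 'EventLogMonitor' -and $role -notin 3, 4, 5) {
    $problems.Add("$Component must run on a domain member server or a domain controller.")
}

# Note 5: Windows server with Microsoft Exchange Server.
if ($Component -eq 'ExchangeMonitor') {
    if ($role -lt 2) {
        $problems.Add('Exchange Monitor must run on a Windows server.')
    }
    # Assumption: the Exchange AD Topology service marks an Exchange Server install.
    if (-not (Get-Service -Name 'MSExchangeADTopology' -ErrorAction SilentlyContinue)) {
        $problems.Add('No Microsoft Exchange Server service found on this host.')
    }
}

# Note 2: Azure AD joined computers need SSO Agent v12.10.1 or higher.
if ($Component -eq 'SSOAgent' -and $AzureAdJoinedClients) {
    if (-not $AgentVersion -or [version]$AgentVersion -lt [version]'12.10.1') {
        $problems.Add('Azure AD joined computers require SSO Agent v12.10.1 or higher.')
    }
}

[pscustomobject]@{
    Computer   = $cs.Name
    Domain     = $cs.Domain
    DomainRole = $roleNames[$role]
    Component  = $Component
    Ready      = ($problems.Count -eq 0)
    Problems   = $problems -join ' '
}
```

Run it on the server where you plan to install the component; a `Ready` value of `False` lists the placement rule the host does not meet.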
SSO Component Comparison
SSO components have different deployment methods, operating system compatibility, and levels of accuracy and performance. You can use this list to compare the benefits and limitations of each SSO component.
SSO Component | Benefits | Limitations | OS Support |
---|---|---|---|
SSO Client | | | Windows, macOS |
Event Log Monitor | | | Windows |
Exchange Monitor | | | Any OS |
Best Practices
For the most reliable SSO deployment, we recommend:
For a network with only Windows computers
- Install the SSO Client on each Windows computer
- Specify the SSO Client as the primary contact for the SSO Agent
- Specify the Event Log Monitor as a secondary contact for the SSO Agent
For a network with Windows, macOS, and Linux computers, and devices with mobile operating systems
- Install the SSO Client on each Windows and macOS computer
- Specify the SSO Client as the primary contact for the SSO Agent
- Specify the Exchange Monitor as a secondary contact for the SSO Agent
In your network environment, if more than one person uses the same computer, we recommend you choose one of these component configurations:
- Install the SSO Client software on each client computer
- Install one or more instances of the Event Log Monitor in each domain
- Install the Exchange Monitor on your Exchange server
If you configure more than one Active Directory domain, you can use the SSO Client, Event Log Monitor, or Exchange Monitor. For more information about how to configure the SSO Client when you have more than one Active Directory domain, go to Configure Active Directory Authentication and Install the WatchGuard Active Directory SSO Client.
If you enable SSO, you can also use Firewall authentication to log in to the Firewall Authentication Portal page and authenticate with different user credentials. For more information, go to Firewall Authentication.
A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, go to Install and Configure the Terminal Services Agent.