Quick Start — Set Up Active Directory Single Sign-On (SSO)

When you use the WatchGuard Active Directory Single Sign-On (SSO) solution, users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox. This topic summarizes how to set up WatchGuard Single Sign-On with the three most commonly used components of the WatchGuard SSO solution:

  • SSO Agent — You must install the SSO Agent on your network to collect user login information and provide that information to the Firebox. The SSO Agent can collect user login information from the SSO Client, Event Log Monitor, and Exchange Monitor.
  • SSO Client — You can install the SSO Client on Windows and macOS computers on your network. The SSO Client runs in the background to collect user credentials, domain information, and group information to provide to the SSO Agent.
  • Event Log Monitor (ELM) — You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event logs of domain Windows computers that do not have the SSO Client installed.

It is not necessary for the SSO component versions to match each other or to match the version of Fireware OS on your Firebox unless otherwise specified. The exceptions are that the SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only, and you cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4.

We recommend that you install the latest available version of the SSO Agent, even if your Firebox runs an older version of Fireware.

For a complete description of all WatchGuard SSO components, configuration options, and functionality, go to How Active Directory SSO Works.

This Quick Start procedure focuses on how to deploy the SSO components for computers that use the SSO Client. It also describes how to set up the Event Log Monitor as a secondary method to enable SSO for Windows computers that do not have the SSO Client installed. Even if you install the Event Log Monitor, we recommend that you install the SSO Client on all Windows computers for the most reliable SSO deployment.

WatchGuard SSO Exchange Monitor is an optional component you can install to enable SSO for network clients that use Linux, or mobile devices that run iOS, Android, or Windows Mobile. Exchange Monitor is used primarily for mobile client authentication, but you can also use it as a backup SSO connection for computers that are not shared by multiple users.

For more information, go to Install the WatchGuard Active Directory SSO Exchange Monitor.

To troubleshoot SSO, review the list of requirements and verify that your network servers and SSO components are configured correctly.

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Getting Started with Single Sign-On video tutorial (9 minutes)

Example Network Configurations for Active Directory SSO

Troubleshoot Active Directory SSO