Enable Single Sign-On (SSO)

Before you can configure SSO, you must:

If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for Terminal Services are not available.

Enable and Configure SSO

To enable and configure SSO from Fireware XTM Web UI:

  1. Select Authentication > Single Sign-On.
    The Single Sign-On page appears.
  2. Select the Enable Single Sign-On (SSO) with Active Directory check box.


  3. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
  4. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
  5. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO queries.
    For more information about SSO exceptions, see the Define SSO Exceptions section.
  6. Click Save to save your changes.

Define SSO Exceptions

We recommend that you add an IP address to the SSO Exceptions list if it belongs to a device that does not require authentication, such as a network server, print server, or computer that is not part of the domain. Also add the IP addresses of users on your internal network who must manually authenticate to the Authentication Portal, and of terminal servers for the Terminal Services Agent.

Each time a connection attempt occurs from an IP address that is not in the SSO Exceptions list, the Firebox or XTM device contacts the SSO Agent to try to associate the IP address with a user name. This takes about 10 seconds. You can use the SSO Exceptions list to prevent this delay for each connection, reduce unnecessary network traffic, and enable users to authenticate and connect to your network without delay.

When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network IP address, subnet, or a host range.

To add an entry to the SSO Exceptions list:

  1. Click Add.
    The Add IP Addresses dialog box appears.
  2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions list:
  3. Type the IP address for the type you selected.
    If you selected the type Host Range, in the From and To text boxes, type the start and end IP addresses for the range.
  4. (Optional) In the Description text box, type a description to include with this exception in the SSO Exceptions list.
  5. Click OK.
    The IP address or range appears in the SSO Exceptions list.
  6. Click Save.

To remove an entry from the SSO Exceptions list:

  1. From the SSO Exceptions list, select an entry.
  2. Click Remove.
    The selected entry is removed from the SSO Exceptions list.
  3. Click Save.
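
Before you save a new set of exceptions, it helps to confirm that no host, network, or host range entry covers addresses that should still be identified through SSO. The following check is an added example, not WatchGuard code; the entry layout, sample addresses, and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a planned SSO Exceptions list. The (type, value,
# description) tuple layout is an assumption of this example, not a format
# used by Fireware XTM. "network" covers both network and subnet entries.
EXCEPTIONS = [
    ("host", "10.0.1.10", "print server"),
    ("network", "10.0.2.0/24", "server VLAN"),
    ("range", "10.0.3.50-10.0.3.60", "terminal servers"),
]

def entry_bounds(kind, value):
    """Return the (first, last) IPv4 addresses covered by one entry."""
    if kind == "host":
        ip = ipaddress.IPv4Address(value)
        return ip, ip
    if kind == "network":
        # strict=True rejects values with host bits set, e.g. 10.0.2.5/24
        net = ipaddress.IPv4Network(value, strict=True)
        return net.network_address, net.broadcast_address
    if kind == "range":
        first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        if first > last:
            raise ValueError(f"range start is after range end: {value}")
        return first, last
    raise ValueError(f"unknown entry type: {kind}")

def matching_exception(ip, exceptions):
    """Return the description of the first entry that covers ip, or None.

    None means the address is not excepted, so a connection from it would
    trigger an SSO Agent lookup.
    """
    addr = ipaddress.IPv4Address(ip)
    for kind, value, description in exceptions:
        first, last = entry_bounds(kind, value)
        if first <= addr <= last:
            return description
    return None

def excluded_sso_clients(exceptions, sso_clients):
    """List addresses expected to use SSO that an exception entry excludes."""
    return [ip for ip in sso_clients
            if matching_exception(ip, exceptions) is not None]
```

Pass `excluded_sso_clients` the addresses of domain workstations that should be identified through SSO; any address it returns is covered by an exception entry that is broader than intended.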

See Also

About Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Agent

Install the WatchGuard Single Sign-On (SSO) Client

Install the WatchGuard SSO Exchange Monitor

About User Authentication

Set Global Firewall Authentication Values

Configure Terminal Services Settings
