Clientless SSO authentication

Clientless SSO is implemented using the Sophos Transparent Authentication Suite.

The associated workflow is the following:
  1. The user logs on to the Active Directory domain controller from any workstation in the LAN. The domain controller authenticates the user’s credentials.
  2. AD gets the session information and creates a security audit log. Upon successful user authentication, AD creates an event with an ID of 672 (Windows 2003) or 4768 (Windows 2008 and above).
  3. The agent, while monitoring the AD server, gets the session information from the above event IDs.
  4. The agent passes on the username and IP address to the collector over the default TCP port (5566) at the same time.
  5. The collector responds by sending successful authentication updates to the firewall on UDP port 6060.
  6. If the firewall sees traffic from an IP it has no information on, it can query the collector on port 6677.
  7. A user initiates an internet request.
  8. The firewall matches the user information with its local user map and applies security policies accordingly.

The firewall queries the AD server to determine group membership based on data from the STAS agent. Depending on the data, access is granted or denied. Users logged on to a workstation directly (or locally) but not logged on to the domain will not be authenticated and are considered unauthenticated users. Users that are not logged on to the domain will be required to authenticate using the captive portal.