
Configure Chromebook single sign-on

You can configure Sophos Firewall to sign in Chromebook users to Sophos Firewall at the time they sign in to their Chromebook.

Objectives

When you complete this unit, you'll know how to do the following:

  • Configure an Active Directory server in Sophos Firewall for use with Google Chrome Enterprise.
  • Configure a Chromebook for use with Sophos Firewall.
  • Configure Google Chrome Enterprise for use with Sophos Firewall.

Configure Chromebook SSO with Active Directory

First configure Sophos Firewall. Before you start, make sure that the following prerequisites are met:

  • Your Active Directory server is already configured for use with Google Workspace and synchronization has taken place.
  • You know how to configure an Active Directory server in Sophos Firewall.
  • You know how to create or import certificates.
  • You know how to create firewall rules.
  • Chromebooks can connect to the network controlled by Sophos Firewall, for example, LAN or Wi-Fi.

  • Create an Active Directory server. The Chromebook users in the AD must have email addresses that use the domain registered with Google Workspace. For example, if your registered domain is example.com, AD Chromebook users must have an email address like user@example.com.

  • Change device access to allow Chromebook SSO. Go to Administration > Device access and select Chromebook SSO for the zone where the Chromebook users are allowed to connect from, for example, LAN and Wi-Fi.
  • Create or import a valid certificate.

    Note

    The CN must match the zone/network where the Chromebook users are, for example, gateway.example.com.

    The certificate must not be protected by a passphrase.

    The certificate is used for SSL-encrypted communication with the Chromebooks.

  • Go to Authentication > Services > Chromebook SSO, enable the Chromebook SSO feature and specify the following settings:

    • Domain: The domain as registered with Google Workspace, that is, the domain suffix of the email addresses used in Google Workspace, for example, example.com. This can be different from your Active Directory domain.
    • Port: 65123
    • Certificate: The certificate created/imported above
    • Logging level: Select the amount of logging
  • Click Download Google Workspace app config. This will download a JSON file that you need to upload later to Google Workspace.

  • Open the file with a text editor, enter a value for serverAddress (the LAN IP address or DNS name of Sophos Firewall), and save. The server address must match the certificate’s CN, for example, 10.1.1.1.
  • Create firewall rules.

    1. Create a User/Network rule to allow Google API and Chrome Web Store communication for all devices. This is necessary to push the app to the Chromebooks:

      • Source zones, for example: LAN, Wi-Fi
      • Destination zones, for example: WAN
      • Destination networks: Select the predefined FQDN host groups Google API Hosts and Google Chrome Web Store.
    2. Create a User/Network rule to match known users and to show the captive portal to unknown users to allow internet access to Chromebooks:

      • Source zones, for example: LAN, Wi-Fi
      • Destination zones, for example: WAN
      • Identity: Select the following options: Match known users, Show captive portal to unknown users

      Sort both rules so that rule 1 is applied before rule 2.

      If you don’t select Show captive portal to unknown users in rule 2, we recommend that you create another network rule (rule 3) to avoid possible waiting time when contacting the Chrome Web Store.

    3. Create a User/Network rule with the following settings:

      • Rule type: Reject
      • Source zones, for example: LAN, Wi-Fi
      • Destination zones: WAN

      Place the rule at the bottom of the list so that the rule is applied last.
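
The downloaded app config only works if serverAddress is filled in and matches the name on the certificate that Sophos Firewall presents on port 65123. The following pre-flight check is an added example and not Sophos code; it assumes only that the file is JSON containing a top-level serverAddress key (as described above) and takes the certificate CN, and optionally its subject alternative names, as plain strings. It accepts SANs as well as the CN because current Chrome validates server certificates against the subjectAltName extension.

```python
import ipaddress
import json


def _hostname_matches(name: str, pattern: str) -> bool:
    """True if DNS name `name` is covered by certificate name `pattern`.
    A wildcard is honoured only in the leftmost label and matches one label."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if name == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # "*.example.com" -> ".example.com"
        prefix = name[: -len(suffix)] if name.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return False


def check_app_config(config_text: str, cert_cn: str, cert_sans=()) -> list:
    """Return a list of problems found; an empty list means the file is ready to upload."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"file is not valid JSON: {exc}"]
    addr = cfg.get("serverAddress")
    if not isinstance(addr, str) or not addr.strip():
        return ["serverAddress is missing or empty; set it before uploading"]
    addr = addr.strip()
    cert_names = [cert_cn, *cert_sans]
    try:
        ipaddress.ip_address(addr)
        # An IP literal must appear verbatim (CN or IP SAN); wildcards never cover IPs.
        matched = any(addr == n.strip() for n in cert_names)
    except ValueError:
        matched = any(_hostname_matches(addr, n) for n in cert_names)
    if not matched:
        return [f"serverAddress {addr!r} does not match the certificate names "
                f"{cert_names}; Chromebooks will reject the TLS connection"]
    return []


# Constructed sample of the edited file (the real download may carry more keys).
SAMPLE_CONFIG = '{"serverAddress": "10.1.1.1"}'

if __name__ == "__main__":
    for problem in check_app_config(SAMPLE_CONFIG, "10.1.1.1") or ["config OK"]:
        print(problem)
```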

Configure a Chromebook

Configure a Chromebook by installing the Sophos Chromebook user ID app from the web store.

Configure Google Chrome Enterprise

Configure Google Workspace for communication with Sophos Firewall.

  1. Sign in to Google Workspace and go to Device > Chrome > Apps and extensions > Users and browsers.
  2. Search for the Sophos Chromebook user ID app and select it.
  3. Go to User settings and make the following settings for your domain:

    • Allow installation: Leave enabled. Allows users to install apps on their own.
    • Force installation: Enable to automatically install the app on all Chromebooks configured for your domain.
    • Pin to taskbar: Enable to display the app on the taskbar of the Chromebook after installation.
    • Add to Chrome Web Store collection: Enable to display the app in the Chrome Web Store collection for your organization.
  4. Upload the JSON configuration file to Google Workspace. This is the file you downloaded from Authentication > Services > Chromebook SSO and edited to set serverAddress.

  5. Save.
  6. Go to Public session settings, specify the same settings as for User settings and also upload the JSON configuration file there. The configuration changes will be automatically deployed to all managed devices. Google documentation says “Settings typically take effect in minutes. But they take up to an hour to apply for everyone.”

The configuration process is finished here unless you use a locally-signed certificate for Sophos Firewall. In this case, you need to provide the respective CA to the Chromebooks. Continue with the next section.

As soon as users authenticate with the domain configured in Google Workspace, they will be displayed under Current activities > Live users.

Install CA certificate for proxy and app communication

If you use a locally-signed certificate for Sophos Firewall, you must deposit the corresponding CA certificate in Google Workspace for proxy and app communication to work.

You’ll need the CA certificate (usually Default) which you can download from Sophos Firewall under Certificates > Certificate authorities.

  1. Sign in to Google Workspace and go to Device management > Networks > Certificates.
  2. Click Add certificate and upload the CA certificate you downloaded from Sophos Firewall.
  3. Select the option Use this as an HTTPS certificate authority.
