Single Sign-On

On the Definitions & Users > Authentication Services > Single Sign-On tab you can configure single sign-on functionality for Active Directory and/or eDirectory.

Active Directory Single Sign-On (SSO)

Note that the Active Directory SSO facility is currently only used with the Web Filter to provide single sign-on with browsers that support NTLMv2 or Kerberos authentication.

To activate the single sign-on functionality, Sophos UTM must join the Active Directory domain. In order for the domain joining to work, the following prerequisites must be met:

  • There MUST NOT be a time difference of more than five minutes between the gateway clock and the DC clock.
  • The Sophos UTM hostname must exist in the ADClosed Active DirectoryDNSClosed Domain Name Service system.
  • Sophos UTM must use the AD DNS as forwarder, or must have a DNS request route for the AD domain which points to the AD DNS server.

Note – Active Directory Group Membership Synchronization uses the Single Sign-On (SSO) password to communicate with the AD server. If this password is changed, the new password needs to be entered and Sophos UTM re-joined, for Sophos UTM to sync with the server again.

To configure Active Directory SSO, do the following:

  1. Create an Active Directory server on the Servers tab.
  2. Specify the following settings:

    Domain: Name of the domain (for example intranet.mycompany.com). Sophos UTM searches all DCs retrievable via DNSClosed Domain Name Service.

    Admin username: User with administrative privileges who is allowed to add computers to that domain (usually "Administrator").

    Password: The password of the admin user.

  3. Click Apply.

    Your settings will be saved.

Note on Kerberos authentication support: In order for opportunistic SSO Kerberos support to work, the clients MUST use the FQDN hostname of Sophos UTM in their proxy settings—using the IP address will not work. NTLMv2 mode is not affected by this requirement, and will automatically be used if it is not met, or if the browser does not support Kerberos authentication.

eDirectory Single Sign-On (SSO)

Here, you can configure SSO for eDirectory. If you have configured eDirectory SSO as authentication method in Web Protection > Web Filtering, the eDirectory server selected here will be used.

To configure eDirectory SSO, do the following:

  1. Create an eDirectory server on the Servers tab.
  2. Specify the following settings:

    Server: eDirectory server for which you want to enable SSO.

    Sync interval: Time (in seconds) between two synchronization events between Sophos UTM and eDirectory server.

  3. Click Apply.

    Your settings will be saved.