
Enforcing SSO Authentication in Organizations


Zenconsole enables you to prevent unauthenticated clients from accessing the Internet. If you enable the SSO (Single Sign-On) Authentication feature for the gateways in your organization, users must authenticate via your IDP, such as Google Workspace or Azure AD, before they can browse the web. When users behind a Zenarmor firewall or gateway open their browsers and try to visit a website, they are redirected to the IDP sign-in page. After successfully signing in to their IDP accounts, they are able to browse the web.

warning

Before activating the SSO (Single Sign-On) Authentication feature for your organization, you must first install the Zenarmor internal CA certificate on your client devices as a trusted certificate.

Enabling SSO Authentication

You may easily enable SSO Authentication for gateways in your organization by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

    Figure 1. Identity & Access Management page

  3. Go to the Enforce SSO Authentication on Gateways (Agentless Authentication) pane.

  4. Click the Enforce SSO Authentication toggle to restrict all clients behind Zenarmor gateways from accessing the Internet without signing in to their IDP accounts. This displays a confirmation dialog box.

    Figure 2. Enabling SSO Authentication

  5. Click the Enable button to confirm the SSO authentication enforcement.

    Figure 3. Confirmation for Enabling SSO Authentication

Now, all client devices located behind gateways in your organization must log in via your IDP, such as Google Workspace or Azure AD, to access the Internet.

tip

SSO enforcement configuration is unnecessary if the Zenarmor Windows or macOS agent has been installed on your endpoints, as SSO authentication has already been enabled on the agent.

For the authentication and sign-on process to work, the gateway's CA certificate must be deployed to every endpoint that accesses Internet services while this configuration is enabled, because Zenarmor operates as a proxy for those connections.

warning

Even if you have enabled Azure Active Directory (AD) as an authentication method in your organization, you still need to enforce Single Sign-On (SSO) authentication. Otherwise, the usernames of users who connect to the network through a gateway, such as OPNsense or pfSense software, will not appear in your reports.

Setting SSO Duration

By default, SSO sessions persist for 24 hours before the user is prompted to log in again. Zenconsole allows the administrator to set a custom period for how long SSO sessions persist before re-authentication is required. You can adjust the SSO duration by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the Enforce SSO Authentication on Gateways (Agentless Authentication) pane.

  4. Move the SSO Duration slider left to decrease or right to increase the duration. The default is 1 day (24 hours). The maximum duration is 7 days. This displays a dialog box at the bottom right of the page.

    Figure 4. Setting SSO Duration

  5. Click the Trigger Update button to push the configuration update immediately to all instances in the organization.

Setting SSO Inactivity Duration

The organization administrator can also specify an SSO inactivity duration in Zenconsole. If no user activity is detected during this period, the user must authenticate via SSO again before accessing the Internet. The SSO inactivity duration is 8 hours by default. You can adjust the SSO inactivity duration by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the Enforce SSO Authentication on Gateways (Agentless Authentication) pane.

  4. Move the SSO Inactivity Duration slider left to decrease or right to increase the duration. The default is 8 hours. The maximum duration is 7 days. This displays a dialog box at the bottom right of the page.

  5. Click the Trigger Update button to push the configuration update immediately to all instances in the organization.

Excluding Device Categories

Zenconsole allows you to exclude certain device categories from SSO authentication enforcement. Devices in an exempted category do not need to log in to an IDP account to access the Internet.

To exempt device categories from SSO authentication enforcement, you may follow the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the SSO Authentication on Gateways pane.

  4. Click the +Exempt Device Category drop-down menu at the right side of the Exempt Device Categories pane. This displays the available device categories.

  5. Select a device category that you want to exempt, such as IoT or Multimedia.

    Figure 5. Excluding Device Categories

  6. You may add as many device categories as you want. All exempted device categories appear in the Exempt Device Categories pane.

    Figure 6. Exempted Device Categories List

Updating Exempted Device Categories List

You can easily remove a device category from the exempted device categories list and enable SSO authentication enforcement for it by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the SSO Authentication on Gateways pane.

  4. All exempted device categories are displayed in the Exempt Device Categories pane.

  5. Click the x icon at the right side of the device category that you want to remove from the list, such as Mobiles. This displays a confirmation dialog box.

    Figure 7. Notification for Removing Category from Exempted List

  6. Click Remove to start SSO authentication enforcement for the selected device category.

Excluding Gateway

You may have multiple Zenarmor gateways and may not need SSO authentication enforcement for clients behind some of them. You can easily exclude specific gateways from SSO authentication enforcement by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the SSO Authentication on Gateways pane.

  4. Click the +Exempt Gateway drop-down menu at the right side of the Exempt Gateways pane. This displays the available gateways in your organization.

  5. Select a gateway that you want to exempt.

    Figure 8. Excluding Gateways

  6. You may add as many gateways as you want. All exempted gateways appear in the Exempt Gateways pane.

    Figure 9. Exempted Gateways List

Updating Exempted Gateways List

You can easily remove a gateway from the exempted gateways list and enable SSO authentication enforcement for it by following the next steps.

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Navigate to the Settings > Identity & Access Management page.

  3. Go to the SSO Authentication on Gateways pane.

  4. All exempted gateways are displayed in the Exempt Gateways pane.

  5. Click the x icon at the right side of the gateway that you want to remove from the list. This displays a confirmation dialog box.

    Figure 10. Notification for Removing Gateway from Exempted List

  6. Click Remove to start SSO authentication enforcement for the selected gateway.
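To make the interaction between the settings above concrete, the following Python is an added model (not Zenconsole's or Zenarmor's own code) of how the SSO Duration, SSO Inactivity Duration, exempted device categories and exempted gateways combine to decide whether a client is sent to the IDP sign-in page. The evaluation order, the names SsoPolicy, Client, requires_idp_login and demo, and the sample gateway and category values are assumptions; the defaults and the 7-day cap are the values documented on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_DURATION = timedelta(days=7)  # both Zenconsole sliders stop at 7 days

@dataclass(frozen=True)
class SsoPolicy:
    """Organization-wide settings from the Identity & Access Management page (defaults as documented)."""
    sso_duration: timedelta = timedelta(hours=24)
    inactivity_duration: timedelta = timedelta(hours=8)
    exempt_categories: frozenset = frozenset()
    exempt_gateways: frozenset = frozenset()

    def __post_init__(self):
        # Mirror the slider cap: neither duration may exceed MAX_DURATION.
        object.__setattr__(self, "sso_duration", min(self.sso_duration, MAX_DURATION))
        object.__setattr__(self, "inactivity_duration", min(self.inactivity_duration, MAX_DURATION))

@dataclass(frozen=True)
class Client:
    gateway: str
    device_category: str
    signed_in_at: Optional[datetime]     # None: never completed the IDP sign-in
    last_activity_at: Optional[datetime]

def requires_idp_login(policy: SsoPolicy, client: Client, now: datetime) -> Optional[str]:
    """None if the client may browse; otherwise why it is redirected to the IDP sign-in page."""
    if client.gateway in policy.exempt_gateways or client.device_category in policy.exempt_categories:
        return None                      # exemptions bypass enforcement entirely
    if client.signed_in_at is None:
        return "not signed in"
    if now - client.signed_in_at >= policy.sso_duration:
        return "SSO duration expired"    # absolute limit, regardless of activity
    if now - (client.last_activity_at or client.signed_in_at) >= policy.inactivity_duration:
        return "inactivity timeout"      # idle limit inside an otherwise valid session
    return None

def demo() -> dict:
    # Constructed sample (not from the page): default durations, IoT devices and 'gw-branch' exempted.
    policy = SsoPolicy(exempt_categories=frozenset({"IoT"}), exempt_gateways=frozenset({"gw-branch"}))
    now = datetime(2024, 1, 2, 12, 0)
    def ago(hours): return now - timedelta(hours=hours)
    return {
        "fresh": requires_idp_login(policy, Client("gw-hq", "Desktop", ago(1), ago(0)), now),
        "idle": requires_idp_login(policy, Client("gw-hq", "Desktop", ago(10), ago(9)), now),
        "expired": requires_idp_login(policy, Client("gw-hq", "Desktop", ago(25), ago(0)), now),
        "iot": requires_idp_login(policy, Client("gw-hq", "IoT", None, None), now),
        "branch": requires_idp_login(policy, Client("gw-branch", "Desktop", None, None), now),
    }
```

Note that an inactivity duration longer than the SSO duration has no effect, because the absolute SSO duration is checked first.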