Example Network Configurations for SSO

There are many ways that you can configure SSO on your network. This topic explains two example SSO configurations:

  • Network with a single domain
  • Network with two domains

For step-by-step configuration instructions, see Quick Start — Set Up Active Directory Single Sign-On (SSO). For a video demonstration of the configuration process, see the Getting Started with Single Sign-On video tutorial (9 minutes).

Single Domain

In this example, you configure SSO for a single domain and use this configuration:

  • SSO Agent and the Event Log Monitor are installed on the domain controller
  • Exchange Monitor is installed on a Microsoft Exchange server
  • SSO Client is installed on user computers on your network
  • Primary and backup SSO methods are specified

When a user on a network computer tries to connect to the Internet:

  1. The Firebox sends a request to the SSO Agent.
  2. The SSO Agent contacts the SSO component you specified as the primary SSO method.
  3. The SSO Agent contacts the SSO components you specified as backup SSO methods.
  4. The SSO Agent sends a response to the Firebox.
  5. If SSO authentication succeeds, the user connects to the Internet.

This diagram explains how this example SSO configuration works.

Diagram of a single domain configuration for SSO

For example, you can configure the SSO Agent to contact the SSO Client first for user credentials and group information. This means the SSO Client is the primary SSO method. You can configure the SSO Agent to contact Event Log Monitor and Exchange Monitor second and third, which means those components are backup SSO methods.

In this example, if the SSO Client is not available, the SSO Agent contacts Event Log Monitor. If the client computer is a Linux or mobile device, the SSO Agent contacts Exchange Monitor for the user logon and logoff information.

The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You can install both the SSO Agent and the Event Log Monitor on another computer in the same domain, but they both must run as a user account in the Domain Users or Domain Admins security group.
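The logon-account requirement above can be checked on the computer where the components are installed. The following PowerShell script is an added example, not WatchGuard code: the script name `Test-SsoServiceAccount.ps1` is hypothetical, and the service display names are placeholders you must replace with the names shown in the Services console.

```powershell
# Added example (not vendor code). Requires the ActiveDirectory module (RSAT).
# Usage (display names are placeholders; copy the real ones from services.msc):
#   .\Test-SsoServiceAccount.ps1 -ServiceDisplayName '<SSO Agent service>', '<Event Log Monitor service>'
param(
    [Parameter(Mandatory)]
    [string[]]$ServiceDisplayName,
    # Groups the page lists as acceptable for the service logon account.
    [string[]]$AllowedGroups = @('Domain Users', 'Domain Admins')
)

Import-Module ActiveDirectory -ErrorAction Stop

foreach ($name in $ServiceDisplayName) {
    $services = @(Get-CimInstance -ClassName Win32_Service | Where-Object { $_.DisplayName -like $name })
    if ($services.Count -eq 0) {
        Write-Warning "No installed service has the display name '$name'."
        continue
    }
    foreach ($svc in $services) {
        $account = $svc.StartName
        $groups  = @()
        $note    = ''
        if ([string]::IsNullOrEmpty($account) -or
            $account -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)') {
            # Built-in and local identities are not domain user accounts.
            $note = 'Service does not log on as a domain user account'
        } else {
            try {
                # StartName is DOMAIN\user or user@domain.
                $user = if ($account -like '*@*') {
                    Get-ADUser -Filter "UserPrincipalName -eq '$account'"
                } else {
                    Get-ADUser -Identity ($account -split '\\')[-1]
                }
                if ($user) {
                    # Direct memberships only (includes the primary group); nested groups are not expanded.
                    $groups = @(Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name)
                } else { $note = 'Account not found in Active Directory' }
            } catch {
                $note = "Lookup failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Service          = $svc.DisplayName
            Account          = $account
            MatchingGroups   = ($groups | Where-Object { $_ -in $AllowedGroups }) -join ', '
            MeetsRequirement = [bool]($groups | Where-Object { $_ -in $AllowedGroups })
            Note             = $note
        }
    }
}
```

A row with `MeetsRequirement` set to `False` and a note about the logon identity means the service is running as a built-in or local account rather than a domain user account.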

Two Domains

In this example, you configure SSO for two domains and use this configuration:

  • SSO Agent is installed on only one domain controller in your network
  • SSO Client is installed on each client computer
  • Event Log Monitor is installed on a Windows member server in each domain in your network
  • Exchange Monitor is installed on your Microsoft Exchange Server

Domain A

  1. A user on a network computer joined to Domain A tries to connect to the Internet.
  2. The Firebox sends a request to the SSO Agent.
  3. The SSO Agent contacts the SSO component on Domain A that you specified as the primary SSO method.
  4. If Step 3 fails, the SSO Agent contacts the SSO components on Domain A you specified as backup SSO methods.
  5. The SSO Agent sends a response to the Firebox.
  6. If SSO authentication succeeds, the user can connect to the Internet.

Domain B

  1. A user on a network computer joined to Domain B tries to connect to the Internet.
  2. The Firebox sends a request to the SSO Agent.
  3. The SSO Agent contacts the SSO component on Domain B that you specified as the primary SSO method.
  4. If Step 3 fails, the SSO Agent contacts the SSO components on Domain B you specified as backup SSO methods.
  5. The SSO Agent sends a response to the Firebox.
  6. If SSO authentication succeeds, the user can connect to the Internet.

This diagram explains how this example SSO configuration works.

Diagram of a multiple domain configuration for SSO

For example, you can configure the SSO Agent to contact the SSO Client first for user credentials and group information. This means the SSO Client is the primary SSO method. You can configure the SSO Agent to contact Event Log Monitor and Exchange Monitor second and third, which means those components are backup SSO methods.

In this example, if the SSO Client is not available, the SSO Agent contacts the Event Log Monitor that is in the same domain as the client computer. If the client computer is a Linux or mobile device, the SSO Agent contacts Exchange Monitor for the user logon and logoff information.

See Also

About SSO

Choose Your SSO Components

Troubleshoot Single Sign-On (SSO)

About User Authentication

Set Global Firewall Authentication Values

Configure Active Directory Authentication

Install and Configure the Terminal Services Agent

Use Telnet to Debug the SSO Agent

About SSO Log Files
