By Mark Waldstein, LiveSecurity Content Specialist, WatchGuard Technologies
[Editor's Note: In the March, 2008 edition of my podcast Radio Free Security: Firebox Special, WatchGuard's lead technical trainer Kyle Porter told our listeners all about Single Sign-On, a new feature in Fireware Version 10. It's available on any WatchGuard appliance that can run Version 10, including our e-Series Fireboxes and our Edge product line. I've summarized Kyle's descriptions here, for those who prefer reading to listening; or, for those who've heard the podcast and want some backup documentation. --Mark]
Single Sign-On should be seen as a part of the larger authentication setup on Fireboxes. Before SSO, users could authenticate to the firewall, either as a specific user or as a member of a group. The network administrator could restrict access to particular services, or apply particular WebBlocker rules, to users who were authenticated. You, the administrator, could also integrate that authentication with your existing domain controller (such as an Active Directory server), but there was a limitation: end users had to affirmatively authenticate to the firewall using a web browser. Whether or not they were logged onto their Active Directory domain was unimportant to the firewall; it still needed them to prove who they were by pointing a web browser at the firewall's authentication page.
So, if you had a hundred users on your network, all one hundred of them had to know how to get to a particular web page, and what to type when they got there. (In most cases, they had to enter the same username and password they had already entered when they logged onto the network that morning.) This also meant that you probably spent more time than you wanted educating users on how to do that. So, it was probably not our most popular feature. Admins really liked the results…but that first week could be a little painful for them.