User Management
608
SonicOS Enhanced 4.0 Administrator Guide
User names are returned from the authorization agent running the SSO Agent in the format
<domain>/<user-name>. For locally configured user groups, the user name can be configured
to be the full name returned from the authorization agent running the SSO Agent (configuring
the names in the SonicWALL security appliance local user database to match) or a simple user
name with the domain component stripped off (default).
For the LDAP protocol, the <domain>/<user-name> format is converted to an LDAP
distinguished name by creating an LDAP search for an object of class “domain” with a “dc”
(domain component) attribute that matches the domain name. If one is found, then its
distinguished name will be used as the directory sub-tree to search for the user’s object. For
example, if the user name is returned as “SV/bob” then a search for an object with
“objectClass=domain” and “dc=SV” will be performed. If that returns an object with
distinguished name “dc=sv,dc=us,dc=sonicwall,dc=com,” then a search under that directory
sub-tree will be created for (in the Active Directory case) an object with “objectClass=user” and
“sAMAccountName=bob”. If no domain object is found, then the search for the user object will
be made from the top of the directory tree.
Once a domain object has been found, the information is saved to avoid searching for the same
object. If an attempt to locate a user in a saved domain fails, the saved domain information will
be deleted and another search for the domain object will be made.
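The domain-then-user lookup and the saved domain information described above, as an added Python example (not SonicOS code); the in-memory `DIRECTORY`, `fake_search` and its four-argument search interface are constructed stand-ins for a real LDAP subtree search:

```python
from typing import Callable, Dict, Optional

def ldap_filter(object_class: str, attr: str, value: str) -> str:
    """RFC 4515-escape the value so a crafted user name cannot alter the filter."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return f"(&(objectClass={object_class})({attr}={''.join(esc.get(c, c) for c in value)}))"

class SsoNameResolver:
    """Map '<domain>/<user-name>' from the SSO Agent to a user DN, caching the domain DN."""

    def __init__(self, search: Callable[[str, str, str, str], Optional[str]], top_dn: str) -> None:
        # search(base_dn, object_class, attr, value) -> DN or None: assumed stand-in for LDAP
        self.search, self.top_dn = search, top_dn
        self.domain_cache: Dict[str, str] = {}

    def domain_dn(self, domain: str) -> Optional[str]:
        key = domain.lower()  # dc values compare case-insensitively
        if key not in self.domain_cache:
            dn = self.search(self.top_dn, "domain", "dc", domain)
            if dn is None:
                return None  # no domain object: caller searches from the top
            self.domain_cache[key] = dn
        return self.domain_cache[key]

    def resolve(self, sso_name: str) -> Optional[str]:
        if "/" not in sso_name:
            raise ValueError("expected <domain>/<user-name>")
        domain, user = sso_name.split("/", 1)
        for _attempt in (1, 2):
            base = self.domain_dn(domain) or self.top_dn
            dn = self.search(base, "user", "sAMAccountName", user)
            if dn is not None or base == self.top_dn:
                return dn
            # user not under the saved domain: drop it and look the domain up again
            self.domain_cache.pop(domain.lower(), None)
        return None

# Constructed in-memory stand-in for the Active Directory tree in the text.
DIRECTORY = {
    "dc=sv,dc=us,dc=sonicwall,dc=com": {"objectClass": "domain", "dc": "sv"},
    "cn=bob,cn=users,dc=sv,dc=us,dc=sonicwall,dc=com": {"objectClass": "user", "sAMAccountName": "bob"},
}

def fake_search(base_dn: str, object_class: str, attr: str, value: str) -> Optional[str]:
    for dn, attrs in DIRECTORY.items():  # subtree scope, case-insensitive equality
        in_subtree = dn == base_dn or dn.endswith("," + base_dn)
        if in_subtree and attrs.get("objectClass") == object_class \
                and attrs.get(attr, "").lower() == value.lower():
            return dn
    return None
```

A stale cached domain DN is evicted on the first failed user lookup and re-resolved, while an unknown domain falls back to a search from the top of the tree.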
The SonicWALL security appliance polls the authorization agent running the SSO Agent at a
configurable rate to determine when a user has logged out. Configurable user session limits,
inactivity timers, and user name request polls are other methods to determine user logout
status. Upon user logout, the authentication agent running the SSO Agent sends a User Logged
Out response to the SonicWALL security appliance, confirming the user has been logged out
and terminating the SSO session.
How Does SonicWALL SSO Agent Work?
The SonicWALL SSO Agent can be installed on any workstation with a Windows domain that
can communicate with clients and the SonicWALL security appliance directly using the IP
address or using a path, such as VPN. For installation instructions for the SonicWALL SSO
Agent, refer to the “Installing the SonicWALL SSO Agent” section on page 643. The SonicWALL
SSO Agent only communicates with clients and the SonicWALL security appliance. SonicWALL
SSO Agent uses a shared key for encryption of messages between the SSO Agent and the
SonicWALL security appliance. The shared key is generated in the SSO Agent and the key
entered in the SonicWALL security appliance during SSO configuration must match the SSO
Agent-generated key exactly.