Web Security: Single-Sign-On (SSO) Fallback Authentication Support
In large networks, without a good IP plan, there is a need to authenticate a lot of PCs.
Some are joined to the AD domain, some not, and if they want to use AD SSO for the HTTP proxy as much as they can, there is no chance to have a fallback authentication method if the PC that we want to authenticate is not on the AD server.
What would be enough is to have a fallback authentication method for Web Security if the AD SSO is activated on the ASG and the client PC does not have AD membership/credentials.
I'd like to add to this: Currently, if an SSO method is selected (I use eDir) and the user isn't found to be signed in, the backend eDir auth still functions, but it prompts for user login via basic HTTP auth. I'm not sure if AD SSO works the same, as I think the SSO operates differently. I would like to configure that to use the transparent portal auth, or even to fail, instead of defaulting to basic HTTP.
In the 8.2 betas, there is an authentication client, in which you select transparent proxy, with agent authentication. If that fails (e.g. the client crashes on the PC, or it's a non-Windows machine), then authentication fails with no chance to manually authenticate (even via basic HTTP). I would like to see a configuration for a backup auth method in this case, so that if the first option fails (client in this case) we can still use a backend auth method to manually authenticate.
Bob Alfson commented
Perhaps you could explain the purpose of fallback authentication.
At present, if an IP is in a subnet that the HTTP/S Proxy authenticates with AD-SSO, then, if the browser with that IP is configured to use the Proxy and the user is not logged into the AD, the user's surfing will be determined by the Proxy Profile's 'Fallback action'. If the same browser is not configured to use the Proxy, then, if 'Web Security >> HTTP/S' 'Global' is in "Transparent" mode, the settings in that section will determine the user's surfing. If the global setting is not "Transparent", then the Packet Filter rules will determine the user's surfing.