Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


Authentication: Single-Sign On for Astaro Authentication Agent

Expand the Astaro Authentication Agent to (optionally) use the currently logged on Windows credentials instead of manually entering credentials.

222 votes

    MichaelR shared this idea


      • Admin User commented

        I manage a mixed AD/eDir environment and this is a definite must. We're looking at alternate vendors simply because of this missing piece to the puzzle. Right now I'm stuck with 1 transparent filter profile for everybody and zero useful logs.

      • SeanC commented

        I work in a heavily leveraged Terminal Services environment and have just purchased a UTM320 - this is a MUST feature - getting a user to double log in is simply just a waste of time and a display that SSO is an incorrect name for the feature that should be correctly called Active Directory Integration.

      • thorsten commented

        And also allow the Sophos Authentication Agent to run in multi-user environments WITHOUT admin rights. It is not ready for larger environments as it is now. No company grants admin privileges to users.

      • Joel Alfredo commented

        I agree this would be appreciated. It would also be good to be able to specify the UTM IP address to the agent. Right now, this agent only works if it's connected in the same VLAN as the UTM. We have captured some traffic and it connects to the IP, and the UTM uses this IP to communicate to agents, but it only works in the same broadcast domain.

      • glovato commented

        I'm interested in this as well. Right now a "client" that asks for credentials again is not a useful/valid option for a Windows domain at all (I'll go so far as to say it's useless, as people will change passwords, mistype them in the AAA and all kinds of bad things). I was under the impression the AAA collected the logged-in username and sent it to Astaro, but it annoys people with a popup asking for credentials...

      • Stephen Norman commented

        This would also be useful to see on OS X now that the authentication agent is going to be available in Sophos UTM 9.1.

      • Marcus Schenk commented

        We'd like this too, since AAA should be very easy for the end user and having to enter a password every login is annoying for them so they won't accept it. Acceptance would be greater if we stored the password, but in a policy-based AD network where passwords are changed every x months you cannot have multiple users always keep their stored passwords in sync. Other than that I don't know if it's a security risk to have this password stored; I don't know what technique is used by Sophos. So SSO for AAA would be highly appreciated!

      • adam.gabriel commented

        Since eDir SSO is so broken (eDir's fault) this is still on the top of my needs list. Any chance this will ever happen?

      • Ludovic Peny commented

        Maybe a Winlogon compatibility to allow the agent to catch the credentials at the login prompt.
        Eventually the SAA can also be a feature of the UTM Endpoint.

      • Kris Hanson commented

        This would add the flexibility one of our customers requires...otherwise it is a feature we cannot look to at this time...

      • Alexis commented

        This way this authentication could also be used for other features in the NSG: associating users to FW rules for example, including authentication for SSH connections, ...

      • Matias commented

        If the AAA doesn't have multi-user support the Astaro firewall is useless for schools...

      • Bob Alfson commented

        This is especially important to opportunities with larger companies.

        We need to be able to use "Backend Group (User Group Network)" objects in Firewall, Application Control, QoS, etc. rules without syncing users to the ASG.

      • Blackbird_71 commented

        In the world of Microsoft and AD domains, this feature is a must if any web filtering is to be logged appropriately. Please help make this more of a priority.

      • Stephen W commented

        It would also be nice if the Astaro Agent installed as a Windows Service to authenticate the logged-on user. I have workstations with multiple users and each one has to install the Astaro Agent, as it installs in the user's profile.

      • CANDERSON commented

        I know a certain other product does this by running an agent on the DC - it detects event log entries that map IP address to username based on logon and logoff. The agent then sends those to the web filter appliance. This is probably not perfect, but seems to run a lot more smoothly than what we have Astaro doing today. It would be a lot more transparent to the users too.

      • Andreas Gunleikskaas commented

        Just starting to look at AAA now, but it would be great if it could use Windows/domain credentials.
        If the client is to be distributed on a network, it should be possible to run the installation silently. Maybe it is possible already, but I haven't found any info about it yet.
