Authentication: Multiple Single Sign-On (SSO) Servers
It would be nice to choose a server group with more than 1 SSO Server to authenticate HTTP profiles.
This feature was implemented in XG Firewall
Adrien Belcourt commented
AD Domain Trust works, but not in a good way. It does not work in a good way after 8.103. This problem was in the KIL list as "ID19479 8.202 user-/group mapping does not work with identical user names in different domains" but this KIL list entry is no longer there in the current KIL list.
These are the steps we took to show the problem.
1. We created a new user on the PARIS domain controller.
2. We created a new group on the PARIS domain controller.
3. We added the new user to the new group on the PARIS DC.
4. We created an identical group on the LONDON domain controller. NOTE we have not added a single user to this group.
5. We then added the LONDON group (with no users) to Astaro filtering.
6. The new user in the PARIS group can now surf using the LONDON group permissions because the PARIS and LONDON groups have the same name (even though they are on different DCs).
So if a company has 3 different Michaels on three different DCs, Astaro cannot tell the difference between them. So if they arrive with their laptops at the office, Astaro cannot tell the difference between a local Michael and a remote Michael.
It is the same if you have a few different groups with the same name like Active Directory Users, or Allowed Users on different domain controllers.
So AD Domain Trust works, but not in a good way.
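The group-name collision from steps 1 to 6 above, as an added example that is not part of the original comment and not Astaro's code. It contrasts matching on the bare group name with matching on the domain-qualified group; the group name `WebAllowed`, the user `newuser` and all function names are assumptions made for illustration.

```python
# Constructed directory data mirroring the steps in the comment above.
# Each domain only knows the membership of its own groups.
DIRECTORY = {
    "PARIS": {"WebAllowed": {"newuser"}},   # steps 1-3: user added to the PARIS group
    "LONDON": {"WebAllowed": set()},        # step 4: identical name, no members
}

# Step 5: only the LONDON group is referenced by the filtering policy.
POLICY_GROUPS = {("LONDON", "WebAllowed")}


def groups_of(domain, user):
    """Return the (domain, group) pairs the user belongs to in their own domain."""
    return {
        (domain, group)
        for group, members in DIRECTORY.get(domain, {}).items()
        if user in members
    }


def allowed_by_name_only(domain, user):
    """Flawed match: compares bare group names and drops the domain."""
    policy_names = {name for _, name in POLICY_GROUPS}
    return any(name in policy_names for _, name in groups_of(domain, user))


def allowed_domain_qualified(domain, user):
    """Hardened match: domain and group name must both match the policy entry.

    In Active Directory the group SID is the stable unique identifier and
    would serve the same purpose as the (domain, name) pair used here.
    """
    return any(entry in POLICY_GROUPS for entry in groups_of(domain, user))


if __name__ == "__main__":
    for check in (allowed_by_name_only, allowed_domain_qualified):
        print(check.__name__, "PARIS\\newuser ->", check("PARIS", "newuser"))
```

With the name-only check the PARIS user inherits the LONDON policy, which is the behaviour described in step 6; the domain-qualified check denies it.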
Ralf Luithle commented
Having an AD Domain Trust between the AD's -> SSO will work
Vivek Rajput commented
Yes, it is very important.
Very important to implement multiple servers and also Domains.
Adrien Belcourt commented
We lost to Bloxx on this feature. Bloxx can SSO authenticate very happily to multiple AD servers/domains. This is a pre-requisite for larger customers, who often have multiple divisions. In one case the IT for a healthcare trust had two hospital sites dealt with by two different AD servers (very normal). Another case we had a local government customer that had 7 AD domains/servers for different sites and schools. So this is a normal pre-requisite for larger customers.
Andrew Holdeman commented
I'm in need of this as well, where in my case one of the internal networks is running off of a 2000 domain and on a different NIC of the firewall the other network is running off a separate 2003r2 domain, being able to specify the Authentication server for Profiles would be spectacular.
Gunnar Klein commented
We have two separate ADirs with many users working side by side. It is always hard to explain why one user has to authenticate when his neighbour does not.
Sebastian Eichinger commented
We have more than one eDir server. I could choose more than one, but SSO works only with one. Therefore it would be great to have a solution for this single point of failure. Sebastian
I need this feature too. I've more than one Edir's, the one Edir can SSO and the other one must need the Edir-login for launch her services. It would be nice to integrate this in the AstaroSG.