Quick Start — Set Up Active Directory Single Sign-On (SSO) (2024)

When you use the WatchGuard Active Directory Single Sign-On (SSO) solution, users on the trusted or optional networks provide their user credentials one time (when they log on to their computers) and are automatically authenticated to your Firebox. This topic summarizes how to set up WatchGuard Single Sign-On with the three most commonly used components of the WatchGuard SSOsolution:

  • SSOAgent — You must install the SSOAgent on your network to collect user login information and provide that information to the Firebox. The SSOAgent can collect user login information from the SSOClient, Event Log Monitor, and Exchange Monitor.
  • SSO Client — You can install the SSOClient on Windows and macOS computers on your network. The SSOClient runs in the background to collect user credentials, domain information, and group information to provide to the SSOAgent.
  • Event Log Monitor (ELM) — You can install the Event Log Monitor on a server in each network domain to collect user login information from the Windows security event log files from domain Windows computers that do not have the SSOClient installed.

It is not necessary for the SSO component versions to match each other or to match the version of Fireware OS on your Firebox unless otherwise specified. The exceptions are that the SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only, and you cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4.

We recommend that you install the latest available version of the SSO Agent, even if your Firebox runs an older version of Fireware.

For a complete description of all WatchGuard SSOcomponents, configuration options, and functionality, go to How Active Directory SSO Works.

This Quick Start procedure focuses on how to deploy SSOcomponents for SSO from computers that use the SSOClient. It also describes how to set up the Event Log Monitor as a secondary method to enable SSOfor Windows computers that do not have the SSOClient installed. Even if you install the Event Log Monitor, we recommend that you install the SSOClient on all Windows computers for the most reliable SSOdeployment.

Step 1 — Verify Prerequisites

Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.

Active Directory

  • You must have an Active Directory server configured on your local network.
  • Your Firebox must be configured to use Active Directory authentication.
  • Each user must have a user account on the Active Directory server.
  • Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
  • The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users security group. Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
    The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. To configure the correct permissions and settings, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor. We recommend that you do not select an account in the Domain Admins security group.
  • All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.

    To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, here a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.

  • macOScomputers must join the Active Directory domain before the SSO Client can be installed.
  • The Exchange Monitor must run as a user account in the Domain Admins security group.


  • TCP port 445 (port for SMB) must be open on the client computers.
  • TCP port 4116 must be open on the client computers where you install the SSO Client.
  • TCP port 4114 must be open on the server where you install the SSO Agent.
  • TCP port 4135 must be open on the server where you install the Event Log Monitor.
  • TCPport 4136 must be open on the server where you install the Exchange Monitor.

To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.

Event Logs

  • For the Event Log Monitorto operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
  • If your Windows network is configured for Fast User Switching, you must:
    • Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
      This enables Event Log Monitor to operate correctly.
    • Install Event Log Monitor v11.10 or higher.
      The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
  • For Remote Desktop Protocol (RDP) users to use clientless SSO:
    • Event Log Monitor v11.10 or higher must be installed.
    • Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.

Microsoft .NET Requirements

  • For v12.3 or higher of the SSO Agent, Microsoft .NETFramework v4.0 or higher must be installed on the server where you install the SSO Agent.
  • For SSO Agent versions lower than v12.3, Microsoft .NETFramework v2.0–4.5 must be installed on the server where you install the SSO Agent.
  • For Microsoft Exchange Server 2010 and earlier, Microsoft .NETFramework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
  • For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NETFramework 3.5 or higher must be installed on the server where you install the Exchange Monitor.

Step 2 — Install the WatchGuard SSOAgent and Event Log Monitor

You must install the WatchGuard SSOAgent. The Event Log Monitor component is optional, but is recommended as a backup method for the SSOAgent to collect user login information. To minimize the potential for connectivity issues between the SSO components, we recommend that you install both the SSOAgent and Event Log Monitor on the Active Directory domain controller. You can install them on any server in your network domain.

Fireware v12.2 or higher supports up to four SSOAgents for redundancy. In this Quick Start example, we install just one SSO Agent.

To install the SSO Agent and Event Log Monitor:

  1. Download the Authentication Gateway software from the Software Downloads page for your Firebox on the WatchGuard Software Downloads Center.
    The software you download, the WatchGuard Authentication Gateway Installer, includes the Single Sign-On Agent and Event Log Monitor components.
  2. On the ADdomain controller, run the WatchGuard Authentication Gateway Installer.
  3. Select the check boxes to install both the Single Sign-On Agent, and the Event Log Monitor components.
  4. Specify the domain user credentials that you want the WatchGuard Authentication Gateway service to use. The account must be a member of the Domain Users security group, and must have the privileges described in the Step 1 — Verify Prerequisites section of this topic.

After the installer finishes, you can see two new services started on the server:

  • WatchGuard Authentication Gateway (SSOAgent)
  • WatchGuard Authentication Event Log Monitor

For more detailed information about other installation options, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

Step 3 — Configure the WatchGuard SSOAgent

In the SSOAgent Configuration Tool, you configure:

  • SSOAgent contacts settings
  • Active Directory domains for SSO

To configure the SSOAgent contacts settings:

  1. From the Windows start menu programs, select WatchGuard > Authentication Gateway > WatchGuard SSOAgent Configuration Tool.
  2. Log in with the default admin account credentials for the SSOAgent Configuration Tool:
    User Nameadmin
  3. In the SSOAgent Configuration Tool, select Edit > SSOAgent Contacts Settings.
  4. Adjacent to the SSOClient, select the Enabled check box to enable the SSOAgent to contact the SSOClient.
  5. Select the SSOClient in the list, and click Up to move it to the top of the list.
  6. Make sure Event Log Monitor is enabled as priority 2.
  7. In the Contact Domains list, specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for user login information. The domain name is case sensitive. For each domain, specify the IP address(es) for the server that run the ELMor EMcomponents.

Next, add a domain with settings for a user account that the SSO Agent can use to search your Active Directory server. We recommend that you create a specific user account on your Active Directory server with permissions to search the directory and with a password that never expires.

From SSOAgent Configuration Tools:

  1. Select Edit > Add Domain.
  2. In the Domain Name text box, type the name of the domain.
    The domain name is case sensitive. Make sure you type the domain name exactly at it appears on the Active Directory tab in the Authentication Server Settings on your Firebox.
    For example, type my-example.com.
  3. In the NetBIOSDomain Name text box, type the NetBIOS domain name.
    The NetBIOSdomain name is the Domain Name (pre-Windows 2000) setting in the properties for the domain on the Active Directory server.
  4. In the IPAddress of Domain Controller text box, type the IP address of the Active Directory server for this domain.
    If the SSOAgent is installed on the Active Directory server, you can use the loopback address,
  5. In the Port text box, type the port to use to connect to this server.
    The default port is 389.
  6. In the Searching User section, select an option for how to specify the user name.
  7. In the text box for the option you chose, type the user information.
    Make sure to specify a user who has permissions to query audit/directory information for any other Active Directory users. This can be the same user you specified to run the SSOAgent and Event Log Monitor, with a password that never expires.
  8. Type and confirm the password of the searching user.
  9. To add another domain, click OK&Add Next. Repeat Steps 1–8.

For more information about SSOAgent configuration options, go to Configure the Active Directory SSO Agent.

Step 4 — Install the SSOClient

The Single Sign-On Client is optional, but recommended for the most reliable SSO implementation. The SSOClient runs as a local system service on each user computer to collect the user login information for the user currently logged in to that computer. It requires no interaction from the user. For the most reliable SSO implementation, WatchGuard highly recommends that you use the SSO Client on computers that support it.

You can download the Single Sign-OnClients for Windows and macOS from the WatchGuard Software Downloads Center.

  • Because the SSO Client installer for Windows is an MSI file, you can use an Active Directory Group Policy to automatically install it when users log on to your domain from a Windows computer. For more information about software installation deployment for Active Directory group policy objects, see the documentation for your operating system.
  • If your Firebox is configured with multiple Active Directory domains, your users must install the SSO Client.
  • For a users with macOS to use the SSO Client, their computers must have joined the Active Directory server.

For details about how to install the SSOClient, go to Install the WatchGuard Active Directory SSO Client.

Step 5 — Enable and Configure Single Sign-On on the Firebox

After all the other components are in place, you can enable Single Sign-On on the Firebox.

To enable Single Sign-On, from Fireware Web UI:

  1. Select Authentication > Single Sign-On.
    The Single Sign-On page appears.
  2. Select the Enable Single Sign-On (SSO) with Active Directory check box.
  3. In the SSOAgent IPAddress text box, type the IPaddress of the server where you installed the SSOAgent.

To enable Single Sign-On, from Policy Manager:

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box appears.
  2. Select the Single Sign-On tab.
  3. Select the Enable Single Sign-On (SSO) with Active Directory check box.

After you enable Single Sign-On, you can add SSO exceptions. We recommend that you add SSOexceptions for all network devices that might try to sent traffic to the Internet and are not in the domain. These include network devices, such as:

  • Network servers
  • Print servers
  • Managed switches and routers
  • Networks or computers that are not part of the domain, such as guest networks
  • Users on your internal network who must manually authenticate to the Authentication Portal

For more information about how to enable SSO and configure SSOexceptions, go to Enable Active Directory SSO on the Firebox.

WatchGuard SSO Exchange Monitor is an optional component you can install to enable SSOfor network clients that use Linux, or mobile devices that run iOS, Android, or Windows Mobile. Exchange Monitor is used primarily for mobile client authentication, but you can also use it as a backup SSOconnection for computers that are not shared by multiple users.

For more information, go to Install the WatchGuard Active Directory SSO Exchange Monitor.

To troubleshoot SSO, review the list of requirements and verify your network servers and SSOcomponents are configured correctly.

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Getting Started with Single Sign-On video tutorial (9 minutes)

Example Network Configurations for Active Directory SSO

Troubleshoot Active Directory SSO

Give Us FeedbackGet SupportAll Product DocumentationTechnical Search

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.

Quick Start — Set Up Active Directory Single Sign-On (SSO) (2024)


How to implement Microsoft single sign-on? ›

One-click SSO configuration steps
  1. Add the application from the Azure Marketplace.
  2. Select Single sign-on.
  3. Select Enable single sign-on.
  4. Populate the mandatory configuration values in the Basic SAML Configuration section.
Feb 26, 2024

How do I enable seamless sign-on? ›

Go to Dashboard > Tenant Settings. Go to the Advanced tab. Scroll to the Log In Session Management section. Locate Enable Seamless SSO.

Is Active Directory considered SSO? ›

AD and SSO are very different; one is an on-prem directory service — the authoritative source of identities, the other a cloud-based, web app identity extension point solution that federates the identities from a core directory to web applications.

How can we setup single sign-on and Active Directory synchronization? ›

Steps to enable Single Sign-on
  1. Step 1: Download and extract Microsoft Entra Connect files. ...
  2. Step 2: Import the Seamless SSO PowerShell module. ...
  3. Step 3: Get the list of Active Directory forests on which Seamless SSO has been enabled. ...
  4. Step 4: Enable Seamless SSO for each Active Directory forest.
Feb 12, 2024

How does single sign-on work with Active Directory? ›

How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?
  1. User makes request for some page.
  2. Server sees no session token and then request the client for some credentials.
  3. The clients browser without any intervention from the user provides some credentials to the server.
Jul 20, 2011

How does SAML work with Active Directory? ›

First, SAML passes authentication information – like logins, authentication state, identifiers, etc. – between the IdP (Active Directory) and the SP (cloud apps and web services). When a user tries to access a site, AD passes SAML authentication to the SP, who can then grant the user access.

How do I implement single sign in Office 365? ›

Configure SSO on with Secure Web Authentication
  1. Go to Office 365Sign onSettingsEdit.
  2. In Sign on Methods, select Secure Web Authentication.
  3. Select the appropriate option for username and password setup. See Secure Web Authentication.
  4. Map username format as explained in section Test provisioning.
  5. Click Save.

What is Microsoft seamless SSO? ›

Microsoft Entra seamless single sign-on (Microsoft Entra seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Microsoft Entra ID, and usually, even type in their usernames.

What is single sign on or seamless sign on? ›

Seamless Single Sign-on (SSSO) is a feature of Microsoft Entra Connect that can be used in conjunction with password hash synchronization (PHS) or pass-through authentication (PTA). Each of these alone provides “same sign-on”, but with SSO in use as well, users will often experience true single sign on.

How can I disable seamless SSO? ›

How can I disable Seamless SSO?
  1. Run Microsoft Entra Connect, choose Change user sign-in page and click Next.
  2. Uncheck the Enable single sign-on option. Continue through the wizard.

How to setup SAML with Active Directory? ›

To set up SAML, follow the steps below:
  1. Access your AD FS management console.
  2. Expand the Trust Relationships folder.
  3. Right-click Relying Party Trust and click Add Relying Party Trust…. ...
  4. Click Start on the wizard's Welcome screen.
  5. Choose Enter data about the relying party manually. ...
  6. Enter a display name, such as "KnowBe4".

How to use LDAP for SSO? ›

To add your LDAP directory as a Harness SSO provider, do the following:
  1. In your Harness Account, click Account Settings.
  2. Click Authentication.
  3. Select LDAP Provider. ...
  4. Enter a Name for your LDAP Provider.
  5. To use the LDAP SSO configuration for authorization, select Enable Authorization. ...
  6. Click Continue.

What is on premises Active Directory Sync for SSO? ›

Directory synchronization with SSO

A user signs in to their on-premises environment with their user account. When they go to Microsoft 365, they're either logged on automatically, or they sign in using the same credentials they use for their on-premises environment (domain\username).

How to implement single sign-on using Active Directory AWS? ›

In the AWS Directory Service console navigation pane, select Directories. On the Directories page, choose your directory ID. On the Directory details page, select the Application management tab. In the Application access URL section, choose Enable to enable single sign-on for Amazon WorkDocs.

Where do I find single sign-on enabled? ›

Classic: Setup | Manage Users | Profiles | Choose Profile name | Look for "Is Single Sign-On Enabled" under Administrative Permissions section.

Does Azure Active Directory support single sign-on? ›

Note: Single sign-on is available with the Basic, Plus and Premium subscription plans. To get started, you need a valid subscription to Azure AD.

Top Articles
Latest Posts
Article information

Author: Prof. Nancy Dach

Last Updated:

Views: 6577

Rating: 4.7 / 5 (57 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Prof. Nancy Dach

Birthday: 1993-08-23

Address: 569 Waelchi Ports, South Blainebury, LA 11589

Phone: +9958996486049

Job: Sales Manager

Hobby: Web surfing, Scuba diving, Mountaineering, Writing, Sailing, Dance, Blacksmithing

Introduction: My name is Prof. Nancy Dach, I am a lively, joyous, courageous, lovely, tender, charming, open person who loves writing and wants to share my knowledge and understanding with you.