Wazuh on-prem ADFS SSO


Павел Покровский

May 15, 2023, 4:22:55 AM
to Wazuh mailing list
Hi.

I know it is possible to implement SSO via Azure AD for Wazuh.

I wonder if it is possible to do the same for an on-prem Active Directory deployment?

There are docs on how to implement LDAP-based authentication, but this is not exactly what we're trying to achieve: completely seamless SSO.

Can anyone please share their wisdom regarding this? Thank you! 

Juan Cabrera

May 15, 2023, 6:04:21 AM
to Wazuh mailing list
Hello,

One common approach is to use Azure AD Connect, a tool that synchronizes user identities between on-premises AD and Azure AD. By configuring Azure AD Connect with the appropriate settings, you can establish a trust relationship between your on-premises AD and Azure AD, allowing SSO.

To achieve seamless SSO, you can configure Azure AD Connect to use the "Pass-through Authentication" or "Password Hash Synchronization" methods. These methods synchronize password hashes from on-premises AD to Azure AD, enabling users to sign in to cloud-based services, such as Wazuh, using their on-premises AD credentials.

Additionally, you can use Active Directory Federation Services (ADFS) in conjunction with Azure AD to provide SSO for on-premises applications, including Wazuh. ADFS acts as a federation service, allowing users to authenticate against their on-premises AD and obtain a security token for accessing cloud resources.

By configuring Azure AD as a relying party trust in ADFS, you can establish trust between ADFS and Azure AD, enabling SSO between on-premises AD and cloud-based services like Wazuh.

It's worth noting that implementing SSO with on-premises AD and Azure AD can involve complex configuration and may require additional infrastructure components, such as ADFS servers or Azure AD Connect. Therefore, it's recommended to carefully review the official Microsoft documentation.

Regards!

Павел Покровский

May 15, 2023, 6:23:30 AM
to Wazuh mailing list
Hello, Juan,

Thank you for your expertise. I understand implementing SSO could be a challenge, but it would seem like a nice solution for our environment. May I clarify, are you saying that implementing AD FS strictly with on-prem AD without using Azure AD is not possible at all?

Monday, May 15, 2023 at 13:04:21 UTC+3, Juan Cabrera:

Juan Cabrera

May 15, 2023, 7:46:13 AM
to Wazuh mailing list
Hi,

If you want to achieve SSO for on-premises applications using Active Directory Federation Services (ADFS), it is possible to do so without involving Azure AD. ADFS is a component of Windows Server that provides federated authentication and SSO capabilities.

By deploying ADFS in your on-premises environment, you can establish trust relationships with external identity providers, including other ADFS instances or third-party identity providers. This allows users to authenticate against their on-premises AD and obtain a security token that can be used to access applications that support federated authentication, such as Wazuh.

ADFS can act as an identity provider and issue security tokens based on user authentication against on-premises AD. These tokens can then be used to access applications without the need for further authentication.

It's important to note that ADFS requires careful planning, configuration, and infrastructure setup. You need to set up trust relationships with relying parties (such as Wazuh) and ensure proper certificate management and federation configurations.

While Azure AD provides additional capabilities and integration options, it is not mandatory for implementing SSO with ADFS and on-premises AD. ADFS can operate independently to provide SSO for on-premises applications.

If you choose to use Azure AD along with ADFS, it can provide additional features like hybrid identity management, conditional access policies, and integration with cloud-based applications. However, these are optional and depend on your specific requirements.

In summary, it is possible to implement SSO using ADFS and on-premises AD without involving Azure AD. ADFS can act as the federation service, enabling SSO for on-premises applications like Wazuh; however, it is something I have not tested. I will investigate to see if I can provide you with additional information on this.
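The relying-party trust the reply above refers to, written out as an added example that is not part of this thread and is not Wazuh's or Microsoft's own documentation. It registers the Wazuh dashboard (a SAML 2.0 service provider through the indexer's security plugin) as a relying party on a standalone on-prem AD FS farm, with no Azure AD involved. The dashboard hostname, the SP entity ID `wazuh-saml`, the ACS path and the AD group `CORP\Wazuh-Admins` are assumptions; change them to match your deployment. It is meant to be run in an elevated PowerShell session on an AD FS server.

```powershell
# Added example (not from this thread, Wazuh or Microsoft): register the Wazuh
# dashboard as a SAML 2.0 relying party on an on-prem AD FS farm.
# Run elevated on an AD FS server; the ADFS module loads on first cmdlet use.
# Hostname, entity ID, ACS path and group name below are ASSUMPTIONS.

$DashboardHost = "wazuh-dashboard.corp.example"   # assumed dashboard FQDN
$SpEntityId    = "wazuh-saml"                     # assumed; must equal sp.entity_id on the indexer side
$AcsUrl        = "https://$DashboardHost/_opendistro/_security/saml/acs"   # assumed ACS path
$AdminGroup    = "CORP\Wazuh-Admins"              # assumed AD group allowed to sign in to Wazuh

# Resolve the group name to its SID once, so the authorization rule keys on the
# SID and cannot be satisfied by a recreated group that reuses the same name.
$AdminSid = ([System.Security.Principal.NTAccount]$AdminGroup).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

# Assertion Consumer Service endpoint of the SAML SP (HTTP-POST binding).
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Issuance AUTHORIZATION rules run before issuance transform rules in the AD FS
# pipeline, so they only see claims from the AD claims provider. The groupsid
# claims (nested membership included) are available here; our own "role"
# attribute is not. Only members of $AdminGroup get a token at all.
$AuthzRules = @"
@RuleName = "Wazuh: permit only members of $AdminGroup"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$AdminSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Issuance TRANSFORM rules decide what lands in the SAML assertion:
#   1. look up the UPN in AD for the authenticated Windows account,
#   2. emit AD group membership (tokenGroups) as the standard role claim,
#   3. turn the UPN into the SAML NameID (unspecified format).
$TransformRules = @"
@RuleName = "Wazuh: UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Wazuh: AD groups as role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Wazuh: UPN as SAML NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# Create the trust. Sign with RSA-SHA256 and sign the assertion itself, which is
# what the SP-side SAML library validates; SHA-1 signatures are rejected by
# current SP toolkits and should not be configured.
Add-AdfsRelyingPartyTrust -Name "Wazuh dashboard" `
    -Identifier $SpEntityId `
    -SamlEndpoint $Acs `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -SamlResponseSignature "AssertionOnly"

# Check: the trust exists, points at the right ACS and signs with SHA-256.
Get-AdfsRelyingPartyTrust -Name "Wazuh dashboard" |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature,
                  @{ n = "ACS"; e = { $_.SamlEndpoints.Location } }
```

On the Wazuh side, the SAML auth domain in the indexer's security plugin configuration then points at the AD FS federation metadata (`https://<adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml`; the AD FS entity ID defaults to `http://<adfs-fqdn>/adfs/services/trust`), uses the same `sp.entity_id` as `$SpEntityId`, and sets `roles_key` to the role claim type URI issued above. The backend role names that arrive are the group names as `tokenGroups` emits them (sAMAccountName, without a domain prefix), so the roles mapping that grants `all_access` must use that form rather than `CORP\...`; the two-stage design keeps users outside the permitted group from receiving any assertion, rather than receiving one with no mapped role.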