Barracuda Email Security Gateway

How do I configure Single Sign-On for the Barracuda Spam & Virus Firewall?

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00001516

Scope:
Barracuda Spam & Virus Firewalls models 400 and above, firmware versions 3.3 and above.

Answer:
Single Sign-On allows you to configure the Barracuda Spam & Virus Firewall to authenticate user accounts against an LDAP, POP, or RADIUS server when users log in to check their per-user quarantine accounts. This feature is available in the Barracuda Spam & Virus Firewall 400 and above. Its purpose is to reuse the user login names and passwords that are already configured on your LDAP, POP, or RADIUS server. The Barracuda must authenticate with the server upon each login attempt.

Navigate to the Advanced > Single Sign-On page. Once there, set the Login Realm Selector to Enable. This will allow a user to log in with either just a username or their full email address, using their LDAP/RADIUS/POP password for login authentication.

When a user logs in, if the Login Realm Selector is enabled, the Barracuda will attempt to authenticate with the realm that user has selected. If the initial authentication attempt using the full email address fails against the specified realm, then additional attempts will be made against the specified realm, the default realm, and the local Barracuda Spam & Virus Firewall using either just the username portion of the specified email address or with the default domain appended to it (where necessary).

If the Login Realm Selector is disabled, the Barracuda will first try to authenticate with the specified realm (the Realm Name specified on the Domains > Edit Domain page), then the default realm (should one be specified), and then the local realm in the same manner as described above.

The Local Login Realm Name option allows you to change the appearance (display name) for Local authentication, which means using the password stored on the Barracuda Spam & Virus Firewall. Passwords for accounts of this type can only be changed locally on the Barracuda Spam & Virus Firewall.

The bottom heading, Advanced Single Sign-On Configuration, is where you specify which remote servers to use for LDAP, POP, or RADIUS authentication. One 'realm' corresponds to one authentication server, but may encompass multiple domains. Please note:
  • Users will be unable to log in with only their username if the usernames are not unique across all domains for a given realm; their entire e-mail address will be required.
Additional Notes:
To add a customized local realm, configure the following options:
  • Specify the local realm name as you would like it to appear on the login page.
  • Select Local from the Authentication Type drop-down menu.
  • Leave the remaining fields blank.
  • Ensure that the associated domains have specified this realm on their Domains > Edit Domain pages.
To add an LDAP server for authentication, configure the following options:
  • Specify your realm name as it will appear on the login page.
  • Select LDAP from the Authentication Type drop-down menu.
  • Enter the IP address or hostname of your LDAP authentication server as the Authentication Host.
  • Specify the port on which to connect to the LDAP server, typically 389 or 3268.
  • Add the format that the Barracuda Spam & Virus Firewall should use to attempt the bind to the LDAP server as a given user in the Username Template field (for example: cn=__USERNAME__,dc=<yourdomainnamehere>,dc=com). If you are unsure of what to put here, please consult your LDAP server, as the syntax is specific to your LDAP server. The Barracuda Spam & Virus Firewall interprets the __USERNAME__ variable at login time.
  • Ensure that the associated domains have specified this realm on their Domains > Edit Domain pages.
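
The Username Template substitution described above, as an added example (not Barracuda code and not part of the original article): it expands __USERNAME__ into a bind DN for the two login forms the article mentions and applies RFC 4514 escaping so that DN metacharacters in a login cannot change the structure of the bind DN. The example.com template, the sample logins, and the function names are assumptions; the article does not say how the appliance itself escapes the value.

```python
# Added illustration, not Barracuda code: models the __USERNAME__ substitution
# and escapes the substituted value as a DN attribute value (RFC 4514).

PLACEHOLDER = "__USERNAME__"

def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)          # characters that delimit RDNs/values
        elif ch == "\x00":
            out.append("\\00")             # NUL must be hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' would mean hex string
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # leading/trailing space is stripped
        else:
            out.append(ch)
    return "".join(out)

def expand_template(template: str, username: str) -> str:
    """Return the bind DN produced by substituting an escaped username."""
    if PLACEHOLDER not in template:
        raise ValueError("template has no __USERNAME__ placeholder")
    if not username:
        raise ValueError("empty username")
    return template.replace(PLACEHOLDER, escape_dn_value(username))

def bind_candidates(template: str, login: str) -> list:
    """Bind DNs for the login as typed and, for an email, its username part."""
    forms = [login]
    if "@" in login:
        forms.append(login.rsplit("@", 1)[0])
    return [expand_template(template, f) for f in forms if f]

# Constructed sample values; example.com stands in for your own domain.
TEMPLATE = "cn=__USERNAME__,dc=example,dc=com"

if __name__ == "__main__":
    for login in ("jsmith", "jsmith@example.com", "smith, john", "x,dc=other"):
        for dn in bind_candidates(TEMPLATE, login):
            print(f"{login!r:24} -> {dn}")
```

Comparing the printed DN with the entry's actual DN on the LDAP server is a quick way to confirm the template before enabling the realm.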
To add a POP server for authentication, configure the following options:
  • Specify your realm name as it will appear on the login page.
  • Select POP from the Authentication Type drop-down menu.
  • Enter the IP address or hostname of your POP authentication server as the Authentication Host.
  • Specify the port on which to connect to the POP server, typically 110.
  • Leave the Username Template field blank.
  • Ensure that the associated domains have specified this realm on their Domains > Edit Domain pages.
To add a RADIUS server for authentication, configure the following options:
  • Specify your realm name as it will appear on the login page.
  • Select RADIUS from the Authentication Type drop-down menu.
  • Enter the IP address or hostname of your RADIUS authentication server as the Authentication Host.
  • Specify the port on which to connect to the RADIUS server, typically 1812.
  • Enter the RADIUS 'shared secret' into the Username Template field.
  • Ensure that the associated domains have specified this realm on their Domains > Edit Domain pages.
If authentication with a specific realm fails, be sure to check the specified IP or hostname, port number, and shared secret or bind string.

Link to This Page:
https://campus.barracuda.com/solution/50160000000GSoZAAW