topic Re: Enforcing SSO for most users but still allowing Username / Password for others using Endpoint VP in SASE and Remote Access

Enforcing SSO for most users but still allowing Username / Password for others using Endpoint VPN

nzmatto1 — Thu, 24 Nov 2022 20:40:15 GMT

Hi team,
I have enabled SSO for all our internal VPN users and this is now at a point where I wish to disable the username / password capability, however we have a few external clients who have access to our VPN too. Those external clients use accounts which are configured locally on the firewall.

Is there any way I can permit only people with local accounts access to use the old login feature whilst forcing all other users to use SSO only?

I can't seem to find any logical way of achieving this and suspect I'm just missing something.

Thanks

Re: Enforcing SSO for most users but still allowing Username / Password for others using Endpoint VP

PhoneBoy — Fri, 25 Nov 2022 20:15:30 GMT

You can’t really force it, unfortunately, as both login options will be presented to everyone.
Only the users who are locally defined will be able to use the old method, though.

Re: Enforcing SSO for most users but still allowing Username / Password for others using Endpoint VP

nzmatto1 — Sat, 26 Nov 2022 04:08:23 GMT

Thanks.
I think I am missing something in my knowledge here.
How does the Username / Password option know who can log in?

Is it all users defined under users / identiies? This would mean everyone defined there can login (assuming correct creds), after which their access is controlled by policy?
I think this is making sense, and I think my ultimate answer will be to set up external user profiles for my very few current local users and then remove the username/password authentication method, or perhaps I could assign them a certificate and use that option.