
Enforcing SSO for most users but still allowing Username / Password for others using Endpoint VPN

Hi team, 
I have enabled SSO for all our internal VPN users and this is now at a point where I wish to disable the username / password capability, however we have a few external clients who have access to our VPN too. Those external clients use accounts which are configured locally on the firewall.

Is there any way I can permit only people with local accounts access to use the old login feature whilst forcing all other users to use SSO only? 

I can't seem to find any logical way of achieving this and suspect I'm just missing something. 


0 Kudos
2 Replies

You can’t really force it, unfortunately, as both login options will be presented to everyone.
Only the users who are locally defined will be able to use the old method, though.

0 Kudos

I think I am missing something in my knowledge here.
How does the Username / Password option know who can log in?

Is it all users defined under users / identities? This would mean everyone defined there can log in (assuming correct creds), after which their access is controlled by policy?
I think this is making sense, and I think my ultimate answer will be to set up external user profiles for my very few current local users and then remove the username/password authentication method, or perhaps I could assign them a certificate and use that option.

0 Kudos

