Active Directory - SSO

[BeanAnimal]

As I mentioned in another thread, I am evaluating this platform as a replacement for my business customers.

My initial research shows that the only AD-sync that can be done is manually... While pfSense and most other enterprise platforms offer an AD sync option.

I saw a thread here with conversation between and end user and maybe Franco, where the value of an automatic or real-time sync was questioned...

Quite simply put - I do not know any SMB, mid or enterprise admin that wants to manually sync a firewall to AD every time a users is added or a security group or OU is changed.. let alone every time a user changes their AD credentials. That is insane!  Unless I am missing something, that is the case here.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then user's will be constantly locked out until a resync is done or user's are manually added to the firewall....

Honest question (no disrespect meant to anybody). Is this an honest business product, or a fancy home firewall/router targeted at tech savvy bit twiddlers tired of DD-WRT or mad at pfSense for selling out?
 

[Fasio]

My initial research shows that the only AD-sync that can be done is manually... While pfSense and most other enterprise platforms offer an AD sync option.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then user's will be constantly locked out until a resync is done or user's are manually added to the firewall....

Previously, there was indeed such a problem associated with both the Active Directory product itself and the server part, but the solution can be an additional protection in the form of two-factor authentication using one-time passwords using the adfs method. This method also works on adfs server which can act as a guarantor of such protection. Then you do not have to do manual synchronization and remove locks because all users will be securely logged in and have the same adfs sso support in the system. For this reason, I advise you to consider this analogy.

[mimugmail]

The sync is only for creating the user locally, password is not stored on OPN, so a Change will work transparently.

[bartjsmit]

Quite simply put - I do not know any SMB, mid or enterprise admin that wants to manually sync a firewall to AD every time a users is added or a security group or OU is changed.. let alone every time a user changes their AD credentials. That is insane!  Unless I am missing something, that is the case here.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then user's will be constantly locked out until a resync is done or user's are manually added to the firewall....

No ISO worth their salt would allow you to connect directly to AD from a security device. The protocol to use is RADIUS and OPNsense supports it for authentication. https://docs.opnsense.org/manual/how-tos/user-radius.html

Bart...