Issue: Requirements to set up AD SSO with Securly
Environment: In-School DNS customers with Windows Server 2008 R2 and above.
Cause: You do not want users to have to log in to Securly when they are on a Windows or Mac computer. Securly previously supported only one identity provider (Google Apps) and did not offer support for Microsoft's Active Directory.
Solution: Set up an IIS server for Securly to use as an identity provider for your Windows and OS X computers. You can enable forced logins in the Securly admin tool: under Settings, make sure Forced Logins is checked.
This feature requires Google Cloud Directory Sync (GCDS) to sync your AD installation with G Suite in the cloud.
This feature requires an IIS server on the local intranet running Windows Server 2008 R2 or above.
Forced login must be enabled in the Securly global settings.
All Windows and Mac computers must be joined to the domain.
The Active Directory username must match the local part (the portion before the @) of the user's email address in the Google domain.
It is recommended not to install Securly AD SSO on a server that is already running IIS.
Deploy the appropriate script to your environment.
The setup script is unsigned, so you will need to allow the execution of unsigned scripts. At an elevated (Administrator) PowerShell prompt, enter:
Set-ExecutionPolicy Unrestricted
Then run setup.ps1 from the folder matching your OS.
The script installs IIS, enables Windows Authentication, and sets permissions.
Once deployed, verify that the site and file are accessible from clients on your network in the format:
The IIS server name in the URL must not contain dots (use the short hostname, not an FQDN). Browsers treat a dotless hostname as an intranet site and will pass the logged-on user's domain credentials automatically; a name with dots is treated as an Internet site and the user would be prompted to log in instead.
Enable AD SSO in the Securly UI
In the Securly User Interface enable the Active Directory setting.
Policy Editor > Global Settings > Enable Active Directory SSO
If you have several G Suite domains you may enter multiple mappings; all of them should point to your Active Directory domain.
On a client machine or on the Securly AD SSO IIS server, browse to the same URL you entered in the Securly UI (http://servername/securlysso/securlysso.aspx). The page should redirect to a URL similar to http://servername/securlysso/?ad_token=domain\username, where the ad_token value is the domain account of the logged-on user.
If you are still having problems, try the debug page (http://servername/securlysso/debug.aspx). It reports the authentication method, domain, and username that IIS resolved for the request, which shows whether Windows Authentication is working before Securly is involved.
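As an added check that is not part of the Securly instructions or its setup.ps1, the following PowerShell script, run from a domain-joined client, verifies the points above in one pass: it warns if the server name contains a dot, requests securlysso.aspx with the logged-on user's domain credentials (as a domain-joined browser would), and confirms that the final URL carries an ad_token matching DOMAIN\username. The server name SSOSERVER is a placeholder, and the script assumes the URL change is an HTTP redirect rather than a client-side script.

```powershell
# Added verification script (not Securly's code). Run from a domain-joined client.
param(
    [string]$ServerName = "SSOSERVER"   # placeholder: use your IIS server's short hostname
)

# 1. A dotted name is classified as Internet zone and will not get automatic domain credentials.
if ($ServerName -like "*.*") {
    Write-Warning "Use the short hostname, not an FQDN: '$ServerName' contains a dot."
}

$url = "http://$ServerName/securlysso/securlysso.aspx"

# 2. Request the page with the current user's domain credentials (integrated Windows auth).
try {
    $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing `
                              -MaximumRedirection 5 -ErrorAction Stop
} catch {
    Write-Error "Request to $url failed: $($_.Exception.Message)"
    Write-Host  "Check that Windows Authentication is enabled, then try http://$ServerName/securlysso/debug.aspx"
    exit 1
}

# 3. Find the URL we ended up on. Windows PowerShell exposes ResponseUri; PowerShell 7 exposes RequestMessage.
$final = if ($resp.BaseResponse.ResponseUri) {
    $resp.BaseResponse.ResponseUri.AbsoluteUri
} else {
    $resp.BaseResponse.RequestMessage.RequestUri.AbsoluteUri
}

# 4. The redirect target should carry ad_token=DOMAIN\username (the backslash may be URL-encoded).
if ($final -match 'ad_token=([^&]+)') {
    $token    = [uri]::UnescapeDataString($Matches[1])
    $expected = "$env:USERDOMAIN\$env:USERNAME"
    Write-Host "SSO redirect OK: $final"
    if ($token -ieq $expected) {
        Write-Host "ad_token matches the logged-on user: $token"
    } else {
        Write-Warning "ad_token '$token' does not match the logged-on user '$expected'."
    }
} else {
    Write-Warning "No ad_token in the final URL ($final)."
    Write-Host    "Windows Authentication may not be active on the site; see http://$ServerName/securlysso/debug.aspx"
}
```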