In order for the login button to function, a number of prerequisites need to be completed.
1. Login page URL needs to be named correctly
The login page needs to be reached by a URL that uses a valid FQDN, not an IP address and not a short hostname. This means that when a user is redirected to the login page, the redirect should be to a hostname such as:
- smoothwall.local
- smoothwall.school.sch.uk
- smoothwall.school.org
The redirect should not be to:
- smoothwall
- webfilter
- 10.10.10.1
2. Use the SSL Login page
Login with Azure will only work on the SSL Login Page, and not on the non-SSL login page.
The authentication policy can be checked under Web proxy » Authentication » Manage policies.
Client devices will need to have the appropriate certificate installed to be able to get to the SSL login page.
The Smoothwall can be set up to use the same Certificate Authority as used for HTTPS Inspection, so distributing this certificate will allow access to the SSL Login page and also cover HTTPS Inspection.
Alternatively, a real-world certificate can be installed onto the Smoothwall which is valid for the hostname of the Smoothwall. A wildcard certificate can be used if available. This can be used to access the Login page; however, the HTTPS Inspection certificate will still need to be distributed if HTTPS Inspection is enabled.
The certificates are managed on the Smoothwall under System » Certificates » Certificates for services.
3. msauth.net or Office365 needs to be in Authentication Exceptions
The SSL Login page needs to pull down files from msauth.net to function. msauth.net will need to be in a category that is allowed in Authentication Exceptions. Authentication Exceptions can be found under Web proxy » Authentication » Exceptions. Office365 contains this domain, so if this is in Authentication Exceptions then no further changes are necessary. If nothing happens when the Azure Login button is clicked on the SSL Login page, then it is likely that the domain has not been set up correctly in Authentication Exceptions.
4. Link the Smoothwall to Azure
The article Adding Azure Directory explains how to register an application in Azure. This may have previously been set up.
Additional settings need to be configured for the SSL Login Page to function.
In Azure Directory (http://www.portal.azure.com/), select your Azure Active Directory.
Select App Registrations from the sidebar.
Click on the Application you need to amend.
Click on Authentication in the sidebar.
Click Add a Platform and choose Single-Page application.
In the Redirect URIs box type https://smoothwall.local:442/redirect where smoothwall.local is the hostname where users are asked to log in. This can be found on the Smoothwall under System » Preferences » Hostname.
Click Configure to complete the URI setup.
Whilst still under Authentication settings in Azure, confirm the following settings:
- Access tokens (used for implicit flows) is not ticked
- ID tokens (used for implicit and hybrid flows) is not ticked
- Supported account types is set to Multi-Tenant
Save any changes.
5. Set up the SSL Login Page
On the Smoothwall navigate to Services » Authentication » Azure.
Tick the Azure Sign-In button box.
Add the Client ID and Client Secret obtained when setting up the Application in Azure. Check that the Client Secret is the Client Secret Value and not the Client Secret ID (i.e. it looks more like a password and not like a UUID).
6. Testing
Test the login by visiting the Smoothwall login page at https://smoothwall.local:442/clogin (replacing smoothwall.local with the hostname of your Smoothwall).
You may have to confirm the permissions by following the prompts from Azure as a one-time confirmation.
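The values from steps 1, 2, 4 and 5 can be checked for consistency offline before testing. The following is an added example, not part of the original article or Smoothwall's own tooling: the function names are hypothetical, the sample values are constructed, and the UUID test is only a heuristic for the "looks like a UUID" note in step 5.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Shape of a UUID, which is what the Client Secret ID looks like.
_UUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def is_fqdn(host):
    """True for names like smoothwall.school.sch.uk; False for IPs and short names."""
    try:
        ipaddress.ip_address(host)
        return False  # step 1: an IP address is not acceptable
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False  # short hostname, or something that only resembles an IP
    return all(_LABEL.match(label) for label in labels)

def preflight(hostname, redirect_uri, client_secret):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not is_fqdn(hostname):
        problems.append("hostname is not an FQDN (step 1)")
    uri = urlsplit(redirect_uri)
    try:
        port = uri.port
    except ValueError:  # non-numeric or out-of-range port in the URI
        port = None
    if uri.scheme != "https":
        problems.append("redirect URI does not use https (SSL login page, step 2)")
    if (uri.hostname or "").lower() != hostname.lower():
        problems.append("redirect URI host differs from the Smoothwall hostname (step 4)")
    if port != 442 or uri.path != "/redirect":
        problems.append("redirect URI does not end in :442/redirect (step 4)")
    if _UUID.match(client_secret.strip()):
        problems.append("client secret looks like the Secret ID, not the Value (step 5)")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = ("smoothwall.local", "https://smoothwall.local:442/redirect",
            "constructed~Secret.Value_123")
    bad = ("10.10.10.1", "http://10.10.10.1:442/redirect",
           "3f2b8c1e-0d4a-4e6b-9a7c-5d1e2f3a4b5c")
    for case in (good, bad):
        print(case[0], "->", preflight(*case) or "OK")
```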