
Skyhigh Security

LDAP Digest Authentication

The LDAP digest authentication method, which is based on the LDAP authentication method, uses a shared secret that is known on both sides of the authentication process:

  • The user who requests web access with a browser on a client of Secure Web Gateway

  • Secure Web Gateway

Secure Web Gateway uses its proxy functions to intercept the request to enable authentication and further filtering under the configured web security policy.

Unlike with simpler authentication methods, such as basic authentication, the password is never sent from the browser to Secure Web Gateway, not even in encoded form. Instead, the password is one component of the shared secret that both sides know. The process then continues as follows:

  • The client calculates a hash value over the shared secret and several additional parameters.

  • The client transmits this value to Secure Web Gateway, which recalculates it using its own copy of the shared secret and compares the two results. If they are identical, the user is authenticated.

The hash value that the client transmits to Secure Web Gateway is also referred to as the digest. Secure Web Gateway retrieves the shared secret that it needs to recalculate the hash from an LDAP server, where it is stored as a hash in a configurable attribute. The clear-text password therefore does not leave the client during authentication.
 

Calculating a Hash for LDAP Digest Authentication

You can configure one of the following methods for calculating the hash when LDAP digest authentication is performed in an authentication process on Secure Web Gateway:

  • MD5

  • SHA-256

MD5 is retained for compatibility with clients that do not support SHA-256. Where the browsers in use support it, configure SHA-256, as MD5 is no longer considered cryptographically sound. With either method, the nonce is transmitted in the clear, so a captured exchange can be attacked offline by guessing the password; the strength of the password matters regardless of the hash method.

Before the client sends the hash, Secure Web Gateway sends an authentication request to the client that includes a so-called nonce (number used once), a random value generated on Secure Web Gateway. The nonce is one of the parameters that are used in addition to the shared secret for calculating the hash. Because it changes with every authentication request, a digest that was captured earlier cannot simply be replayed once the nonce has expired or reached its use limit.

The full list of parameters used for calculating the hash includes:

  • User name (part of the shared secret)

  • Realm name (part of the shared secret)

  • Password (part of the shared secret)

  • Nonce

  • HTTP request method (for example, GET) sent from the client

  • URL for the requested destination in the web

Configuring LDAP Digest Authentication on Secure Web Gateway

To configure LDAP digest authentication on Secure Web Gateway, the following is required:

  • LDAP authentication must have been configured as the general authentication method on Secure Web Gateway.

  • The realm name must be configured as part of the common authentication settings on Secure Web Gateway. This name is part of the shared secret, so it must be the same realm name that was used when the authentication hash stored on the LDAP server was created. A mismatch leads to a different hash on the two sides and authentication fails for every user.

  • You must configure the following parameters for LDAP digest authentication:

    • Enabling of LDAP digest authentication

    • Name of the attribute on the LDAP server that stores the authentication hash

    • Maximum number of times that a nonce can be used

    • Maximum time that a nonce can be used

Optionally, you can do the following:

  • Allow only LDAP digest authentication as an authentication method under the current settings

    When configuring other authentication settings, you could, however, still allow other authentication methods, for example, the User database method with basic authentication.

  • Let a check be performed for the URL that a client sends as a parameter for calculating the hash

    This URL should be the same as the URL that the client sends in its request for accessing a particular destination in the web.

    Otherwise a user who passes digest authentication, because the two hash values are identical, might gain access to a destination other than the one the hash was calculated for. If the check finds that the two URLs differ, the request is blocked.

    Because the browsers on the clients format URLs differently, the check can fail on a formatting difference even when both URLs refer to the same destination. For this reason, the URL check is optional. Test it with the browsers in use before relying on it, and keep in mind that without the check the digest no longer ties the authentication to the requested URL.
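The exchange described under Calculating a Hash for LDAP Digest Authentication, together with the nonce use limit, nonce lifetime and optional URL check from the configuration list above, as an added worked example in Python. This is illustrative code written for this article; it is not Secure Web Gateway code and does not reflect how the product is implemented internally. It assumes the scheme is the HTTP Digest scheme that browsers use for proxy authentication, in its simplest form without qop, cnonce or nonce count, which is exactly the parameter list given above (user name, realm, password, nonce, request method, URL); a real browser exchange may carry additional fields. The realm name `sse-proxy`, the user `alice`, the password and the URLs are constructed sample values, and the `ldap` dictionary stands in for the LDAP attribute that stores the authentication hash.

```python
# Added worked example (not Secure Web Gateway code): digest authentication through
# a proxy in the simplest HTTP Digest form (no qop/cnonce), matching the parameter
# list in the article:  response = H( H(user:realm:password) : nonce : H(method:uri) )
import hashlib
import hmac
import secrets
import time

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def h(algorithm: str, data: str) -> str:
    """Hex digest of data with the configured hash algorithm."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def ha1(algorithm: str, username: str, realm: str, password: str) -> str:
    """Shared secret as the LDAP attribute stores it; realm must match the gateway's."""
    return h(algorithm, f"{username}:{realm}:{password}")


def client_response(algorithm, username, realm, password, nonce, method, uri):
    """What the browser computes from its own copy of the shared secret."""
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1(algorithm, username, realm, password)}:{nonce}:{ha2}")


class DigestGateway:
    """Gateway side: issues nonces, enforces use count and lifetime, checks the digest."""

    def __init__(self, algorithm, realm, ldap_hashes, max_nonce_uses=10,
                 max_nonce_age=300, check_url=True, clock=time.monotonic):
        self.algorithm, self.realm = algorithm, realm
        self.ldap_hashes = ldap_hashes        # username -> stored hash (stands in for LDAP)
        self.max_nonce_uses, self.max_nonce_age = max_nonce_uses, max_nonce_age
        self.check_url, self.clock = check_url, clock
        self._nonces = {}                     # nonce -> [issued_at, uses]

    def challenge(self):
        """Values sent in the authentication request to the client."""
        nonce = secrets.token_hex(16)         # random, created on the gateway
        self._nonces[nonce] = [self.clock(), 0]
        return {"realm": self.realm, "nonce": nonce, "algorithm": self.algorithm}

    def authenticate(self, username, response, nonce, method, uri, request_target):
        """Verify one request. Returns (accepted, reason)."""
        state = self._nonces.get(nonce)
        if state is None:
            return False, "unknown nonce"
        if self.clock() - state[0] > self.max_nonce_age:
            del self._nonces[nonce]
            return False, "nonce expired"
        if state[1] >= self.max_nonce_uses:
            del self._nonces[nonce]
            return False, "nonce use limit reached"
        state[1] += 1                         # count the attempt, valid or not
        stored_ha1 = self.ldap_hashes.get(username)
        if stored_ha1 is None:
            return False, "unknown user"
        ha2 = h(self.algorithm, f"{method}:{uri}")
        expected = h(self.algorithm, f"{stored_ha1}:{nonce}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False, "digest mismatch"
        # Optional URL check: the URI covered by the digest must be the requested one.
        if self.check_url and uri != request_target:
            return False, "digest URI does not match requested URL"
        return True, "authenticated"


def demo(check_url=True, algorithm="SHA-256"):
    """Run the exchange through the normal case and the failure cases (constructed data)."""
    now = [0.0]                               # fake clock so expiry is testable offline
    realm, user, password = "sse-proxy", "alice", "correct horse"   # assumed values
    ldap = {user: ha1(algorithm, user, realm, password)}            # simulated LDAP attribute
    gw = DigestGateway(algorithm, realm, ldap, max_nonce_uses=2, max_nonce_age=300,
                       check_url=check_url, clock=lambda: now[0])
    url, results = "http://www.example.com/", {}

    ch = gw.challenge()
    good = client_response(algorithm, user, realm, password, ch["nonce"], "GET", url)
    results["good"] = gw.authenticate(user, good, ch["nonce"], "GET", url, url)
    bad = client_response(algorithm, user, realm, "wrong", ch["nonce"], "GET", url)
    results["wrong_password"] = gw.authenticate(user, bad, ch["nonce"], "GET", url, url)
    results["nonce_exhausted"] = gw.authenticate(user, good, ch["nonce"], "GET", url, url)
    results["forged_nonce"] = gw.authenticate(user, good, "0" * 32, "GET", url, url)

    ch = gw.challenge()                       # digest is valid, but for a different URL
    resp = client_response(algorithm, user, realm, password, ch["nonce"], "GET", url)
    results["url_mismatch"] = gw.authenticate(user, resp, ch["nonce"], "GET", url,
                                              "http://other.example.net/")

    ch = gw.challenge()                       # nonce older than the configured lifetime
    resp = client_response(algorithm, user, realm, password, ch["nonce"], "GET", url)
    now[0] += 301
    results["nonce_expired"] = gw.authenticate(user, resp, ch["nonce"], "GET", url, url)
    return results
```

Calling `demo()` returns a mapping of case name to `(accepted, reason)`. Two things the code makes visible that the prose does not: the use counter is increased before the digest is compared, so a failed guess also consumes one use of the nonce, and the URL check is a separate comparison made after the digest has already matched. Disabling it therefore does not admit anyone who lacks the shared secret, but it does allow a valid digest to be presented with a different request line for as long as the nonce is still usable, which is exactly the case the check exists to block. `demo(check_url=False)` shows that case being accepted.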

The realm name that is used for the shared secret is configured under Common Authentication Parameters, which is a section that is available under every authentication method at the beginning of the Authentication settings.

The parameters for LDAP digest authentication are configured on Secure Web Gateway as part of the settings for the Authentication module (or engine).

When LDAP is selected as the general authentication method at the beginning of these settings, a section named Digest Authentication becomes available after the section for other LDAP specific parameters.
