SSO API Reference Guide
SSO API Reference Guide
SSO API Reference Guide
Reference Guide
Contents 1
SSO Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Other Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Use with an External Authentication Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Backward Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Topics:
• Description
• Terms
• Other Aspects
Description
This SSO (Single Sign‐On) API allows external third‐party devices, software or scripts to pass user login/logout
notifications directly to the SonicWall firewall for SSO.
The architecture of the API is designed to be simple, flexible and easy to use for scripting by customers, while
still being robust and fully secure. It is based on the REST (REpresentational State Transfer), or RESTful,
architecture. This is a loosely defined mechanism for creating, reading and updating web resources using HTTP
methods (POST, GET, DELETE, and so forth). In the case of this API, those resources are the users logged into the
firewall. The API supports the methods POST to add users (log them in) and DELETE to delete them (log them
out), plus the OPTIONS request for clients to query information about the API.
Third‐party clients that have been enabled to do so on the SonicWall firewall can use the API. It needs to send
HTTPS requests to the API indicating user logins and user logouts. The SonicWall firewall can then apply
configured, per‐user policies for access rights, which may include user group memberships supplied by either
the API or looked up via LDAP. Refer to Configuration for more information.
REST supports the request content being either XML or JSON. XML is the default, but JSON is often the preferred
choice since it is simpler and more compact. In this API, the SonicWALL firewall supports both XML and JSON, so
the you can choose which to use.
The information in this document forms a guide for using the API and for writing client‐side software or scripts
for it. Sample scripts that can be used as a reference are available on request.
CSRF Cross Site Request Forgery. The sending of malicious requests by malware that
can generate and send such requests from the victim’s own computer.
JSON JavaScript Object Notation. A syntax for storing and exchanging data in a format
very similar to JavaScript Objects that is both human and machine readable.
REST Representational State Transfer Architecture. Architecture for simple and
efficient stateless access to web resources using HTTP methods.
REST API or RESTful API An API for clients to access or update resources on a web server using the REST
architecture with XML or JSON data. The two terms are interchangeable.
SSO Single sign‐on. The ability of the SonicWall firewall to authenticate users
sending traffic through it in a way that is transparent to those users; that is, the
users don’t need to go through any additional login process to identify
themselves to the firewall.
XML Extensible Markup Language. A syntax for storing and exchanging data in a
format that is both human and machine readable.
Other Aspects
Other features of the SSO API include:
• Use with an External Authentication Page
• Backward Compatibility
Backward Compatibility
This document specifies Version 1 of the SSO API. Although the API may be changed, enhanced or extended in
the future, such future versions of the API are required to retain backwards compatibility with existing clients.
So long as a client conforms to the API as specified here, your current API should be able to send requests to any
future version of the SonicWall firewall and have them operate as detailed here.
Topics:
• Request Format
• Content Format
• Responses
• Persistent Connections
Request Format
Messages passed over the SSO API are standard web HTTP requests. They are sent over HTTPS to the firewall’s
web server, forming a REST‐conformant API as described here.
REST requires that the URI in a request identifies a collection of resources being read or added to or, in a request
for an existing resource, that it identifies the specific resource that it is targeting. In this API, the collection is all
the logged‐in users and the resource is a specific user.
The URI begins with a path that identifies the web service and/or collection (SSO and users, respectively). For
requests for an existing resource (user) that is followed by an identifier for the resource, that can be anything
which uniquely identifies it. The initial request line in the HTTP header of an API request gives the method, its
accompanying URI, and identifies a user by his or her IP address:
POST api/sso/user HTTP/1.1 To log in a user (with the IP address given in the
content).
DELETE api/sso/user/ip-address HTTP/1.1 To log out the user at the given IP address.
In REST terms, the URI of a POST request specifies the collection (users) that it is adding to, and that of a DELETE
request identifies the specific user that is being deleted.
NOTE: A POST should not identify the user in the URI because that user does not exist until the POST has
been completed. The URI is being asked to identify a resource and logically can’t do that until the resource
exists.
REST also specifies that requests passing content should give the format of the content in the request’s
Content‐Type header. If the content type is not specified in a header, the default is to expect content in XML.
This API complies with this and accepts the following:
Content-Type: application/json
Content-Type: application/xml
In cases where the SonicWall firewall returns body content in its reply to the client (during the OPTIONS request,
for example) it uses XML or JSON per the request’s Accept header. If the header indicates that the client can
accept both, or if the header is not present, it uses the same type as was used in the request. It defaults to XML
if the request had no body content. A corresponding Content‐Type header is included in the reply.
User Login
Topics:
• Single Login
• Multiple Login
Single Login
A new login of a single user is indicated by:
POST api/sso/user HTTP/1.1
And the body content is:
JSON
{ "ip": "ip-address", "name": "user-name", "domain": "domain-name",
"type": "type-of-user", … }
XML
<user>
<ip>ip-address</ip>
<name>user-name</name>
<domain>domain-name</domain>
<type>type-of-user</type>
…
</user>
Refer to User Attributes for a list of the user attributes than can be posted with this.
Multiple Login
A notification of login of multiple users can be sent in a single request, with the same URI:
POST api/sso/user HTTP/1.1
The body content is:
JSON
[
{ "ip": "ip-address-1", "name": "user-name", "domain": "dom-name",
"type": "type-of-user", … },
XML
<users>
<user>
<ip>ip-address-1</ip>
<name>user-name</name>
<domain>domain-name</domain>
<type>type-of-user</type>
</user>
<user>
<ip>ip-address-2</ip>
<name>user-name</name>
<domain>domain-name</domain>
<type>type-of-user</type>
</user>
...
</users>
The content of each user entry is the same as above for a single user post. Posting in this format while
containing just one user entry is allowed.
User Logout
Topics:
• Single Logout
• Logout with an External IP Address
• Multiple Logout
Single Logout
A logout of a single user is indicated by:
DELETE api/sso/user/ip-address HTTP/1.1
No body content is needed, but passing some information in the body is supported. The information passed is
used only for logging purposes.
NOTE: The user is logged out whether or not any given name and/or domain match those of the logged in
user.
If any body content is present (all fields are options), it should follows this format:
XML
<user>
<name>user-name</name>
<domain>domain-name</name>
<reason>text</reason>
</user>
Refer to User Attributes for a definition of these user attributes. Any attributes other than those shown above
and as noted below are silently ignored.
Multiple Logout
A notification of multiple user logouts can be sent in a single request, denoted by this special URI:
DELETE api/sso/user/multi HTTP/1.1
And the body content is:
NOTE: Some debate whether body content should be sent with a DELETE request. It may not be possible
in all clients, and it is does not really conform with REST. This form of the request is supported for those
that can do so; other clients can send separate DELETE requests to log out multiple users.
JSON
[
{ "ip": "ip-address-1", "name": "user-name", "domain":
"domain-name", "reason": "text" },
{ "ip": "ip-address-2", "name": "user-name", "domain":
"domain-name", "reason": "text" }
]
User Attributes
The following user attributes are accepted in the user entry with a user login notification. Note that this API is
extensible and additional attributes may be added to in future.
Term Definition
ip, ipv4, ipv6 The IP address that the user will be sending traffic from (refer to IPv6
Support for more information).
name The user’s account name.
In the first form, where the IP version is not specified, the SonicWall firewall derives the version from the
content. By specifying the appropriate version, you can avoid the small overhead of having the firewall derive it.
Responses
On success the SonicWall will return an HTTP 200 OK response with an empty body. On failure the following
status codes from RFCs 7231and 4918 are returned:
Responses Definition
General:
207 Multi‐Status For failure of a multi‐user POST or DELETE (see below).
400 Bad Request The request content is not valid.
401 Unauthorized The request authenticator failed validation.
403 Forbidden Not using HTTPS (which is always required).
405 Method Not Allowed Something other than a POST, DELETE or OPTIONS was sent.
406 Not Acceptable: Data is to be returned but the request doesn’t accept either XML
or JSON.
415 Unsupported Media Type The content type is something other than XML or JSON.
500 Internal Server Error Failed to add or delete the user for some reason other than
below.
Specific to a POST request:
409 Conflict: Unable to replace an existing user. For example if the user name is
already in use when “Enforce login uniqueness” is enabled.
414 Request‐URI Too Long Something follows “user/sso” in the URI of a POST.
422 Unprocessable Entity Unable to log the user in for some other reason. For example if an
invalid user name (e.g. “admin”) is given.
503 Service Unavailable Too many users are concurrently logging in.
NOTE: This message is displayed when the server is unable to
handle the request due to a temporary overload. The overload
will likely be alleviated after some delay.
507 Insufficient Storage: User limit exceeded
When certain status codes are returned, HTTP headers and/or body content are included in the response in
accordance with RFC 7231. The response contains information about the error within the body content, if
present, and is formatted as follows:
JSON
{ "error ": "description of the error" }
XML
<info>
<error>description of the error</error>
</info>
The response codes for which this is present includes 400 Bad Request, 409 Conflict, 422 Unprocessable Entity,
503 Service Unavailable and 507 Insufficient Storage.
In certain rare cases, body content giving some informative message may be included with the 200 OK returned
on success. For example, in the reply to a POST, if the given user is already logged in, it returns 200 OK with a
message in the body reporting that. The format for this is:
JSON
{ "message": "some informative message" }
XML
<info>
<message>some informative message</message>
</info>
For a multi‐user POST or DELETE, a 200 OK status means that all users were added or deleted. If any user fails to
get added or deleted then 207 Multi‐Status is returned, and the XML or JSON in the body indicates the result for
each individual user as follows (confirming with RFC 4918 section 13). Each status‐string is an HTTP status line
string with a status code and reason phrase from the table above (for example, HTTP/1.1 404 Not Found).
JSON
"multistatus": [
{ "href": "api/sso/user/ip-address-1", " status": "status-string",
"error": "description" },
{ "href": "api/sso/user/ip-address-2", " status": "status-string",
"error": "description" }
]
XML
<multistatus>
<response>
Persistent Connections
The SSO API is configurable to allow persistent connections from an HTTP 1.1 client. When this is enabled for a
client (it is disabled by default), the client is able to keep connections open across multiple requests. Closing a
connection then becomes the responsibility of the client, which it can do. Or it can request the SonicWall
firewall to close the connection after completing a request by including a Connection: close header in the
request. If the Connection: close header is present, the SonicWall firewall closes an HTTP 1.1 connection after
returning its reply; otherwise, it does not.
This only works if the client is using HTTP 1.1. Using the HTTP 1.0 Connection: Keep‐Alive header for this is not
supported.
A connection is not kept open if the request is not authenticated. This is to avoid keeping connections open to a
possible malicious attacker.
If allowing persistent connections is not enabled, the SSO API operates in the traditional HTTP 1.0 way with a
separate connection for every HTTP request. The SonicWall firewall closes each connection after returning its
reply. Since HTTP 1.1 connections are persistent by default, if this is not enabled then all replies to HTTP 1.1
requests include the Connection: close header to notify the clients of this, in accordance with RFC 2616 section
14.10.
NOTE: If large numbers of clients send requests to a SonicWall firewall, you shouldn’t use persistent
connections to avoid over‐use of its limited file descriptors. If an API client sends requests to a large
number of SonicWall firewalls, it does not want to keep connections open to all of them. But in a case
where one client sends to a single SonicWall firewall or to a small number of them, and where large
numbers of requests are sent during peak times, using a persistent connection could be advantageous.
These two security requirements are addressed as follows, and as detailed in the following sections:
1. To validate the client’s identity, the host name or Ip address needs to be configured on the SonicWall
firewall. In addition, a valid client‐side certificate or using a shared secret (or both) should be required.
2. To validate the SonicWall’s identity by the client, if needed, you need to use a valid HTTPS certificate
on the SonicWall firewall. It can also be partially addressed by use of a shared secret (more details are
provided in the following sections).
IMPORTANT: If the priority is to guard against illicit access to potentially sensitive data through the
SonicWall firewall, the security recommendations in this chapter should be followed carefully.
SSL Certificates
The SonicWall firewall is configurable to require a valid certificate from the sender in the API requests. For this,
the certificate supplied by the client must be verifiable on the SonicWall firewall (that is, the relevant CA
certificate must be imported if not built‐in) and either its subject name must match the host name configured
for the client, or the host name must be given in its subject alternate names.
NOTE: If a client certificate is used, it must be a host certificate that is issued for the client’s host name, as
configured. That usually requires the client be configured by DNS name. A user certificate (one issued to a
user name) cannot be used in this situation.
IMPORTANT: The medium and low security levels are intended for testing or diagnostic purposes only.
They are not recommended for production use. High level of authentication should always be used where
security may be an issue.
This authentication mechanism utilizes the HTTP Authorization header field, formatted as follows:
Authorization: SNWL-API-Auth base64-coded-authenticator
NOTE: Using medium level security has no negotiation. If a client tries to use medium level to a SonicWall
firewall that is configured for high level with SHA512, it gets the response shown above. The SonicWall
firewall uses the authenticator length to differentiate SHA256 from SHA512 and so cannot distinguish
medium level from high with SHA256.
Authenticator Format
For the different security levels, the authenticator is calculated as described in the following sections. Fields are
transmitted from left to right (octet number 0 first) and bit numbering is from most to least significant; that is,
bit 0 is the most significant bit.
0 34 7 8 31 32 63
Flags Seq‐num Rqst‐nonce Hash
Where:
Flags A 4‐octet field of bit flags:
Bits 0‐30: Reserved; they must be set to zero.
Bit 31: Set to 1 if the client expect an authenticator in the reply; set
to 0 otherwise.
Seq‐num A 4‐octet sequence number used only when CSRF Prevention is enable;
otherwise it is ignored.
Rqst‐nonce A 24‐octet random number that should be separately generated by the client,
for each request.
Hash A 32‐octet number that is computed as a SHA256 hash of the following values:
The flags, seq‐num and rqst‐nonce fields.
The shared secret key.
The full request body content or the URI for a request with no
content.
0 31 32 63
Resp‐nonce Hash
Where:
Resp‐nonce A 32‐octet random number randomly generated by the firewall for each reply.
Hash A 32‐octet number that is computed as a SHA256 hash of the following values:
The 64‐octet authenticator from the request (not base‐64
encoded).
The 32‐octet resp‐nonce value.
The shared secret key.
You decide whether or not to validate the reply authenticator. Validating the reply authenticator on its own does
not guard against the possibility of sending requests to a malicious device impersonating the SonicWall firewall
since it is checked after‐the‐fact. Validation of it does at least generate warnings of potential issues. If protecting
the user names and locations from possible snooping is considered highly important then a certificate must be
used for that.
If you are not going to validate the reply authenticator, set the flag for requesting it to 0 to avoid having the
SonicWall firewall spend unnecessary overhead calculating it.
0 34 7 8 63 64 127
Flags Seq‐num Rqst‐nonce Hash
Where:
Flags A 4‐octet field of bit flags:
Bits 0‐30: Reserved; they must be set to zero.
Bit 31: Set to 1 if the client expect an authenticator in the reply; set
to 0 otherwise.
Seq‐num A 4‐octet sequence number used only when CSRF Prevention is enable;
otherwise it is ignored.
Rqst‐nonce A 56‐octet random number that should be separately generated by the client,
for each request.
Hash A 64‐octet number that is computed as a SHA512 hash of the following values:
The flags, seq‐num and rqst‐nonce fields.
0 63 64 127
Resp‐nonce Hash
Where:
Resp‐nonce A 64‐octet random number randomly generated by the firewall for each reply.
Hash A 64‐octet number that is computed as a SHA512 hash of the following values:
The 128‐octet authenticator from the request (not base‐64
encoded).
The 64‐octet resp‐nonce value.
The shared secret key.
You decide whether or not to validate the reply authenticator. Validating the reply authenticator on its own does
not guard against the possibility of sending requests to a malicious device impersonating the SonicWall firewall
since it is checked after‐the‐fact. Validation of it does at least generate warnings of potential issues. If protecting
the user names and locations from possible snooping is considered highly important then a certificate must be
used for that.
If you are not going to validate the reply authenticator, set the flag for requesting it to 0 to avoid having the
SonicWall firewall spend unnecessary overhead calculating it.
Where:
Rqst‐nonce A 24‐octet random number randomly generated that may be repeated across
multiple requests to the same authenticator in each.
Hash A 32‐octet number that is computed as a SHA256 hash of the following values:
The flags, seq‐num and rqst‐nonce fields.
The shared secret key.
CSRF Prevention
The authentication mechanism described previously avoids request replay by external snooping since HTTPS
helps prevents snooping. However, on its own, it is not 100% secure from malicious software that could get itself
installed on the API client’s host computer. Such malware could theoretically snoop the client’s requests before
the SSL encryption and then replay them directly from the client machine. This is known as Cross Site Request
Forgery (CSRF) and the technique for preventing it in a non‐session‐based situation such as this SSO API is
known as Synchronizer Token Pattern (STP).
To achieve STP for CSRF prevention, in addition to the mechanism already detailed above, you need to also
include a value that is unique to every request, including for a re‐send of the same request should that be
necessary. For this, use a sequence number in the request.
Using a sequence number is optional since it does add some complexity to operation of the API, adding in an
occasional handshake between the client and the SonicWall firewall. If it is enabled on the firewall, then it must
be used by the client (but not vice‐versa).
IMPORTANT: If the client that is sending requests over the SSO API consists of software or scripts that are
running on a computer that could potentially be at any risk of getting malware installed, then it is
recommended that CSRF prevention be enabled.
The API can be enabled either by clicking that icon, or by a checkbox in the SSO configuration dialog. To
configure the API and its clients click the CONFIGURE SSO button to open the SSO configuration dialog and
select the 3rd Party API tab:
The General Settings tab includes a checkbox to enable/disable the API, plus configuration of its HTTPS port
number with an option to use the same port as for HTTPS management:
NOTE: In larger installations where the SSO API could get very heavily used, you should dedicate a port
number since that could help avoid floods of requests on the API from interfering with web management.
If client certificates are used with the API, a dedicated port number must be used.
Note that the options to select Certificate or Both for authentication of the client is only available if a dedicated
HTTPS port number is used.
The Advanced tab has the options for overriding the default security level and for enabling CSRF prevention:
IMPORTANT: The medium and low security levels are intended for testing or diagnostic purposes only and
are not recommended for production use. High levels should always be used where security may be an
issue. If the client sending requests over the SSO API consists of software or scripts that are running on a
computer potentially at risk of getting malware installed, CSRF prevention should be enabled.
NOTE: This is rather loose ABNF and does not attempt to nail down the exact format of each component,
which can be seen from the XML and JSON content that follows. This ABNF definition is just trying to
clarify the structure of the data.
JSON
{
"methods": {
"POST": {
"description": "To notify of login of a user or multiple users",
"user": {
"description": "Specifies a single user",
"ip": { "type": "ip address", "required": true },
"name": { "type": "string", "required": true },
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.