Single Sign On (SSO)

Overview

Use the Single Sign On (SSO) feature to log on to the CommServe using user account credentials from the Active Directory (AD) service provider. Active Directory user accounts inherit the capabilities of the CommCell user group the AD group is associated with. The CommCell user group must include the Browse capability.

How Does It Work?

When the Single Sign On feature is enabled for an Active Directory domain, the logon screen is bypassed, and the user is authenticated without entering any logon credentials.

Users can cancel the SSO logon from the logon screen before applications, such as the CommCell Console and Web Console, initiate the logon process. When logon is cancelled, the username box is pre-populated along with the Active Directory domain on which they are currently logged on. Users also have the option to overwrite this username with other Active Directory user account credentials. The username must be entered in the following format: domain_name\user_name. When a username is entered with a domain name, the CommServe automatically recognizes that the password information must be authenticated by the external domain server.

Prerequisites

Prior to enabling Single Sign On on a Name Server, note the following:

  • Ensure that a Web Client package is installed on at least one of the clients in the domain.
  • Single Sign On works only on Intranet based sites.
  • The CommServe must be a member of an Active Directory domain in order to support Single Sign On logons. SSO logons are not supported if the CommServe is part of a workgroup.

Get Started

In order to enable Single Sign On, add the external domain to the CommServe for authentication purposes. When adding the domain controller, provide the required information to communicate with the Active Directory service provider, such as domain name, hostname of directory server, directory service type, username and password.

Continue with the following section to add the domain controller and to enable SSO.

Add Domain Controllers for Single Sign-On

If you are configuring Single Sign On for Compliance Search or Web Console, use the procedures described in the following links, as they include additional required configuration:

Review these important considerations before adding domain controllers:

  • The CommServe must have LDAP, DNS, and Kerberos connectivity to each domain that you want to register for single sign-on. If firewalls exist between the CommServe and domain controllers, these services must be able to traverse the firewall in order for single sign-on to function.
  • When using trusted domains, register both domains with the CommServe so that users from the trusted domains can log on using single sign-on.
  • No two domain controllers can have the same domain name. Do not register duplicate domain controllers with the CommServe.
  • Do not add a name server for a Windows 2000 domain controller; Windows 2000 domain controllers do not support the Security Descriptor Definition Language (SDDL) form of the security identifier (SID).
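The first consideration above (LDAP, DNS and Kerberos connectivity from the CommServe to every domain controller) is easy to check before registering a domain. The following PowerShell script is an added example, not part of the original page or of the product; it assumes the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Windows Server 2012 or later) and uses a placeholder domain name. Run it on the CommServe itself so the result reflects the firewall path that matters.

```powershell
# Added example (not from the original page): checks that the CommServe can reach
# DNS, Kerberos, LDAP and LDAPS on every domain controller of a domain.
# Test-NetConnection probes TCP only; Kerberos and DNS also use UDP, so a failure
# here is conclusive but a success is not a full guarantee for the UDP paths.
function Test-SsoDomainConnectivity {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn   # e.g. mydomain.mycompany.com (placeholder)
    )
    # Domain controllers register SRV records under _msdcs; a missing record means DNS
    # is already broken for this domain and SSO cannot work.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    if (-not $dcs) { throw "No domain controller SRV records found for $DomainFqdn; fix DNS first." }

    $ports = @{ 'DNS' = 53; 'Kerberos' = 88; 'LDAP' = 389; 'LDAPS' = 636 }
    foreach ($dc in $dcs) {
        foreach ($svc in $ports.Keys) {
            $result = Test-NetConnection -ComputerName $dc -Port $ports[$svc] -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Service          = $svc
                Port             = $ports[$svc]
                Reachable        = $result.TcpTestSucceeded
            }
        }
    }
}

# Placeholder domain; every row must show Reachable = True before you register the domain.
Test-SsoDomainConnectivity -DomainFqdn 'mydomain.mycompany.com' | Format-Table -AutoSize
```

For trusted domains, run the function once per domain you intend to register, since each domain's controllers must be reachable separately.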

Procedure

  1. Obtain the domain name and fully qualified domain name of the Active Directory server.
  2. Ensure that LDAP is configured on the Active Directory (AD) server:
    1. From the AD Server, select Start > Run.
    2. In the Run dialog box, type ldp and click OK.
    3. From the Connections menu, click Connect.
    4. In the Connect dialog box, enter information about the server:
      • In the Server box, type the name of the external domain server, e.g., computer.domain.com.
      • In the Port box, type 636 as the port number for the external domain server.
      • Select the SSL checkbox to check for the proper certificate.
      • Click OK.

      When the LDAP is properly configured, the external domain server details are displayed in the LDP window. Otherwise, an error message appears indicating that a connection cannot be made using this feature.

  3. From the CommCell Browser, go to Security.
  4. Right-click Name Servers > Add new domain > Active Directory.
  5. In the Add New Domain Controller dialog box, enter the information about the domain controller:
    1. In the NetBIOS Name box, enter the domain name, for example, mydomain.
    2. In the Domain Name box, enter the Fully Qualified Domain Name (FQDN), for example, mydomain.mycompany.com.
    3. To allow users to automatically log on to the CommCell Console, select the Enable SSO check box.
    4. Next to the User Account box, click Edit.
    5. In the Enter User Account Information dialog box, enter the user account information for the domain.

      The user account must have at least read access to the domain.

  6. Click OK.
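The ldp steps in step 2 confirm LDAPS on port 636 by hand, and step 5 requires a service account with at least read access. The following PowerShell script is an added example (not from the original page or the product) that performs the same two checks from the CommServe: it inspects the certificate the domain controller presents on 636 and then binds over LDAPS with the service account and reads the domain object. Server name, domain and credentials are placeholders; it uses the System.DirectoryServices.Protocols assembly that ships with .NET on Windows.

```powershell
# Added example (not from the original page): LDAPS certificate check plus a
# read-only bind with the service account the CommServe will use.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept the handshake unconditionally so the certificate can be inspected and
    # reported; trust is evaluated explicitly with Verify() below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server    = $Server
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            # True only if this machine (the CommServe) trusts the chain; False means
            # ldp with SSL ticked will fail here too.
            TrustedByThisHost = $cert.Verify()
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-LdapsServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DomainFqdn,
        [Parameter(Mandatory)][pscredential]$Credential   # enter as domain\user
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()   # throws LdapException if the DC rejects the credentials
        # Read the domain root; this succeeds only if the account has read access.
        $baseDn = 'DC=' + (($DomainFqdn -split '\.') -join ',DC=')
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $baseDn, '(objectClass=domain)', 'Base', @('distinguishedName'))
        $resp = $conn.SendRequest($req)
        return ($resp.Entries.Count -eq 1)
    } finally { $conn.Dispose() }
}

# Placeholder host and domain names.
Test-LdapsCertificate -Server 'dc01.mydomain.mycompany.com' | Format-List
$cred = Get-Credential -Message 'Service account (domain\user) the CommServe will use'
Test-LdapsServiceAccount -Server 'dc01.mydomain.mycompany.com' `
                         -DomainFqdn 'mydomain.mycompany.com' -Credential $cred
```

A bind that succeeds but returns False from the search means the account authenticates yet cannot read the domain, which is exactly the "at least read access" condition the dialog box requires.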

Add a New External Group

Once you have added the domain controller, associate certain external domain user groups (domain name\user group) with a user group defined in the CommServe. This will provide the external domain users access to the CommCell entities. Note that the CommCell user group must have Browse capabilities in order for the Single Sign On feature to work properly.

  1. The external user group for the user must have Group Scope defined as Global on the Active Directory Domain:
    1. Navigate to Start | Administrative Tools | Active Directory Users and Computers.
    2. Right-click the external group and select Properties.
    3. Select Global from Group Scope and click OK.

  2. From the CommCell Browser, navigate to Security | Name Server | <Domain Name>, right-click External Groups and select Add New Group.
  3. In the Add new External Group dialog box, click Browse next to the Select an External Group box.
  4. In the Select an external group dialog box, select the <external user group> the user belongs to.
  5. Click OK.
  6. From the Available CommCell Groups box, select the <CommCell user group> to associate with the external user group.
  7. Use the right arrow > to move the CommCell user group to the Associated CommCell Groups box.
  8. Click OK.
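Step 1 above requires the external group to have Global scope, and the mapping in steps 6 and 7 gives every member of that group the mapped CommCell capabilities. The following PowerShell function is an added example (not from the original page or the product) that reports the scope and the recursive user membership of a group before you map it; it needs the ActiveDirectory RSAT module, and the group name is a placeholder.

```powershell
# Added example (not from the original page): pre-mapping check for an AD group.
Import-Module ActiveDirectory

function Get-ExternalGroupReadiness {
    param([Parameter(Mandatory)][string]$GroupName)   # placeholder, e.g. 'CommCellAdmins'
    $group = Get-ADGroup -Identity $GroupName
    # Recursive membership is what matters: nested users inherit the CommCell
    # user group's capabilities just like direct members.
    $members = Get-ADGroupMember -Identity $group -Recursive
    [pscustomobject]@{
        Group             = $group.Name
        DistinguishedName = $group.DistinguishedName
        GroupScope        = $group.GroupScope
        IsGlobal          = ($group.GroupScope -eq 'Global')
        Users             = @($members | Where-Object { $_.objectClass -eq 'user' } |
                             Select-Object -ExpandProperty SamAccountName)
    }
}

$readiness = Get-ExternalGroupReadiness -GroupName 'CommCellAdmins'
$readiness | Format-List

if (-not $readiness.IsGlobal) {
    # AD does not allow every scope change in one step (for example Domain Local to
    # Global must pass through Universal), so this may throw; review the group first.
    Set-ADGroup -Identity $readiness.DistinguishedName -GroupScope Global
}
```

Reviewing the Users list before the mapping is the cheapest way to avoid granting CommCell access to a nested group you did not expect.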

Enable or Disable Single Sign On

You can enable or disable SSO on domains that have already been configured in the CommCell. The following procedure enables SSO; to disable it, clear the option in step 3 instead.

  1. From the CommCell Browser, go to Security > Name Servers.
  2. Right click the domain and click Properties.

    The Edit Domain Controller Details dialog box appears.

  3. Select the Enable SSO check box.

    This allows users to automatically log on to the CommCell Console.

  4. Click OK.

If you enabled SSO to log on to the Compliance Search or Web Console, you must perform the additional steps described in SSO configuration procedure for:

Scenarios for Disabling SSO

The following table describes different scenarios where you can disable the Single Sign On feature or change user credentials.

Scenario: Disable Single Sign On for a Specific Console
Description: The following steps disable the Single Sign On feature for the console shortcut on your computer.
  1. Right-click the application icon, and select Properties.
  2. From the Console Properties dialog box, select the Shortcut tab.
  3. In the Target field, add the following command: -sso=disabled, and click OK. When the application is launched from this application icon, the Single Sign On feature is disabled, and users can enter alternate logon information.

    To re-enable the feature, simply remove the -sso=disabled command.

Scenario: Temporarily Disable Single Sign On
Description: The following steps allow the user to enter alternate logon information. The next time a user launches the application using the same application shortcut, it will once again use SSO.
  1. Launch the console application using the application icon.
  2. When prompted with the Connect to CommCell logon box, click Cancel. This allows users to enter different logon credentials.

Scenario: Add Another Target CommCell for Single Sign On
Description: The following steps add another application shortcut with a different target CommCell:
  1. Create another application shortcut.
    • Right-click the current application icon.
    • Select Create Shortcut.
  2. Right-click the new application shortcut, and select Properties.
  3. From the Console Properties dialog box, select the Shortcut tab.
  4. In the Target field, change the name of the CommServe, and click OK.

    When the new application shortcut is used to launch the application, it automatically accesses the new CommCell.

Scenario: Change the Target CommCell for Single Sign On
Description: The following steps change the target CommCell for the Single Sign On feature:
  1. Right-click the application shortcut, and select Properties.
  2. From the Console Properties dialog box, select the Shortcut tab.
  3. In the Target field, change the name of the CommServe, and click OK.

    When the application shortcut is used to launch the application, it automatically accesses the new CommCell.
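The first scenario edits the shortcut's Target field by hand to add or remove -sso=disabled. The following PowerShell function is an added example (not from the original page or the product) that makes the same change in a script, which is useful when the shortcut is deployed to many desktops. It uses the WScript.Shell COM object, in which the Target field shown in the Properties dialog is the TargetPath plus the Arguments property, so the switch belongs in Arguments; the shortcut path is a placeholder.

```powershell
# Added example (not from the original page): add or remove -sso=disabled on a
# console shortcut (.lnk) without editing the Properties dialog by hand.
function Set-ConsoleShortcutSso {
    param(
        [Parameter(Mandatory)][string]$ShortcutPath,   # placeholder, e.g. "$env:USERPROFILE\Desktop\CommCell Console.lnk"
        [Parameter(Mandatory)][bool]$Enabled          # $false appends -sso=disabled, $true removes it
    )
    if (-not (Test-Path -LiteralPath $ShortcutPath)) { throw "Shortcut not found: $ShortcutPath" }
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)

    # Drop any existing copy of the switch so repeated runs stay idempotent, then add it
    # back only when SSO is being disabled. @() keeps a single argument as an array.
    $argList = @($lnk.Arguments -split '\s+' | Where-Object { $_ -and $_ -ne '-sso=disabled' })
    if (-not $Enabled) { $argList += '-sso=disabled' }
    $lnk.Arguments = ($argList -join ' ')
    $lnk.Save()

    [pscustomobject]@{
        Shortcut   = $ShortcutPath
        TargetPath = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        SsoEnabled = $Enabled
    }
}

# Disable SSO for this shortcut only (placeholder path), then show the resulting Target.
Set-ConsoleShortcutSso -ShortcutPath "$env:USERPROFILE\Desktop\CommCell Console.lnk" -Enabled $false
```

The same object model can change the CommServe name for the last two scenarios, but where that name sits in the Target depends on the console version, so that edit is not shown here.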