Single Sign On (SSO)
Use the Single Sign On (SSO) feature to log on to the CommServe using user account credentials from the Active Directory (AD) service provider. Active Directory user accounts inherit the capabilities of the CommCell user group the AD group is associated with. The CommCell user group must include the Browse capability.
How Does It Work?
When the Single Sign On feature is enabled for an Active Directory domain, the logon screen is bypassed, and the user is authenticated without entering any logon credentials.
Users can cancel the SSO logon from the logon screen before applications, such as the CommCell Console and Web Console, initiate the logon process. When logon is cancelled, the username box is pre-populated along with the Active Directory domain on which they are currently logged on. Users also have the option to overwrite this username with other Active Directory user account credentials. The username must be entered in the following format: domain_name\user_name. When a username is entered with a domain name, the CommServe automatically recognizes that the password information must be authenticated by the external domain server.
Prior to enabling Single Sign On on a Name Server, note the following:
- Ensure that a Web Client package is installed on at least one of the clients in the domain.
- Single Sign On works only on Intranet based sites.
- The CommServe must be a member of an Active Directory domain in order to support Single Sign On logons. SSO logons are not supported if the CommServe is part of a workgroup.
In order to enable Single Sign On, add the external domain to the CommServe for authentication purposes. When adding the domain controller, provide the required information to communicate with the Active Directory service provider, such as domain name, hostname of directory server, directory service type, username and password.
Continue with the following section to add the domain controller and to enable SSO.
Review these important considerations before adding domain controllers:
- The CommServe must have LDAP, DNS, and Kerberos connectivity to each domain that you want to register for single sign-on. If firewalls exist between the CommServe and domain controllers, these services must be able to traverse the firewall in order for single sign-on to function.
- When using trusted domains, register both domains with the CommServe so that users from the trusted domains can log on using single sign-on.
- No two domain controllers can have the same domain name. Do not register duplicate domain controllers with the CommServe.
- Do not add a name server for a Windows 2000 domain controller. Windows 2000 domain controllers do not support the Security Descriptor Definition Language (SDDL) form of the SID (security identifier).
- Obtain the domain name and fully qualified domain name of the Active Directory server.
- Ensure that LDAP is configured on the Active Directory (AD) server:
  - From the AD Server, select Start > Run.
  - In the Run dialog box, type ldp and click OK.
  - From the Connections menu, click Connect.
  - In the Connect dialog box, enter information about the server:
    - In the Server box, type the name of the external domain server, e.g., computer.domain.com.
    - In the Port box, type 636 as the port number for the external domain server.
    - Select the SSL checkbox to check for the proper certificate.
    - Click OK.
  When LDAP is properly configured, the external domain server details are displayed in the LDP window. Otherwise, an error message appears indicating that a connection cannot be made using this feature.
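The connectivity considerations above (LDAP, DNS and Kerberos reachable from the CommServe, possibly across a firewall) and the ldp.exe check on port 636 with SSL can be verified from the CommServe in one pass. The following PowerShell function is an added example, not Commvault code; the domain name and directory server it is called with are placeholders, and it uses only the built-in Resolve-DnsName and Test-NetConnection cmdlets plus .NET's SslStream for the LDAPS handshake.

```powershell
# Added example (not Commvault code): check from the CommServe that the DNS, LDAP,
# Kerberos and LDAPS prerequisites are reachable for a domain before registering it
# as a name server. The domain and server names used below are assumptions.
function Test-SsoDomainPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DomainFqdn,      # e.g. mydomain.mycompany.com
        [Parameter(Mandatory)] [string]$DirectoryServer  # e.g. computer.domain.com
    )

    $results = [ordered]@{}

    # 1. DNS: the SRV records AD clients use to locate the LDAP and Kerberos services.
    foreach ($svc in '_ldap._tcp', '_kerberos._tcp') {
        $name = "$svc.$DomainFqdn"
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
            $targets = $srv | Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget
            $results["DNS $name"] = $targets -join ', '
        } catch {
            $results["DNS $name"] = "FAILED: $($_.Exception.Message)"
        }
    }

    # 2. TCP reachability: LDAP 389, LDAPS 636, Kerberos 88. If a firewall sits between
    #    the CommServe and the domain controller, these are the ports it must pass.
    foreach ($port in 389, 636, 88) {
        $open = Test-NetConnection -ComputerName $DirectoryServer -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $results["TCP $($DirectoryServer):$port"] = if ($open) { 'open' } else { 'FAILED' }
    }

    # 3. LDAPS: the same check ldp.exe performs with SSL on port 636. Complete a TLS
    #    handshake and report the certificate the directory server presents.
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($DirectoryServer, 636)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($DirectoryServer)   # throws if the chain or host name does not validate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $results['LDAPS certificate'] = "$($cert.Subject) (expires $($cert.NotAfter.ToString('u')))"
        $ssl.Dispose()
        $tcp.Dispose()
    } catch {
        $results['LDAPS certificate'] = "FAILED: $($_.Exception.Message)"
    }

    return [pscustomobject]$results
}

# Constructed sample invocation (replace with your own domain and directory server):
Test-SsoDomainPrerequisites -DomainFqdn 'mydomain.mycompany.com' -DirectoryServer 'computer.domain.com' | Format-List
```

Run it on the CommServe itself, not on an administrator's workstation, because the page's requirement is that the CommServe can reach these services; a 'FAILED' entry for any row points at the DNS zone, firewall rule or server certificate that needs attention before the domain controller is added.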
- From the CommCell Browser, go to Security.
- Right-click Name Servers > Add new domain > Active Directory.
- In the Add New Domain Controller dialog box, enter the information about the domain controller:
  - In the NetBIOS Name box, enter the domain name, for example, mydomain.
  - In the Domain Name box, enter the Fully Qualified Domain Name (FQDN), for example, mydomain.mycompany.com.
  - To allow users to automatically log on to the CommCell Console, select the Enable SSO check box.
  - Next to the User Account box, click Edit.
  - In the Enter User Account Information dialog box, enter the user account information for the domain.
    The user account must have at least read access to the domain.
- Click OK.
Once you have added the domain controller, associate certain external domain user groups (domain name\user group) with a user group defined in the CommServe. This will provide the external domain users access to the CommCell entities. Note that the CommCell user group must have Browse capabilities in order for the Single Sign On feature to work properly.
- The external user group for the user must have Group Scope defined as Global on the Active Directory Domain:
  - Navigate to Start | Administrative Tools | Active Directory Users and Computers.
  - Right-click the external group and select Properties.
  - Select Global from Group Scope and click OK.
- From the CommCell Browser, navigate to Security | Name Server | <Domain Name>, right-click External Groups and select Add New Group.
- In the Add new External Group dialog box, click Browse next to the Select an External Group box.
- In the Select an external group dialog box, select the <external user group> the user belongs to.
- Click OK.
- From the Available CommCell Groups box, select the <CommCell user group> to associate with the external user group.
- Use the right arrow > to move the CommCell user group to the Associated CommCell Groups box.
- Click OK.
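When several external groups are to be associated with CommCell user groups, the Group Scope requirement above can be checked for all of them at once before opening the CommCell Browser. The following PowerShell function is an added example, not Commvault code; it relies on the Get-ADGroup cmdlet from the ActiveDirectory RSAT module, and the group names in the sample call are placeholders.

```powershell
# Added example (not Commvault code): confirm that each AD group you intend to map to a
# CommCell user group has Group Scope = Global, as the steps above require. Requires the
# ActiveDirectory RSAT module; the group names used below are assumptions.
function Test-ExternalGroupScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$GroupName,
        [string]$Server   # optional domain controller to query, e.g. computer.domain.com
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($name in $GroupName) {
        $adArgs = @{ Identity = $name; Properties = 'GroupScope' }
        if ($Server) { $adArgs['Server'] = $Server }
        try {
            $group = Get-ADGroup @adArgs -ErrorAction Stop
            [pscustomobject]@{
                Group       = $group.SamAccountName
                GroupScope  = $group.GroupScope      # DomainLocal, Global or Universal
                ReadyForSso = ($group.GroupScope -eq 'Global')
            }
        } catch {
            # A missing group is reported rather than silently skipped.
            [pscustomobject]@{ Group = $name; GroupScope = 'NOT FOUND'; ReadyForSso = $false }
        }
    }
}

# Constructed sample invocation:
Test-ExternalGroupScope -GroupName 'CommCell-Backup-Admins', 'CommCell-Restore-Users' | Format-Table
```

Any row with ReadyForSso set to False must have its scope changed to Global in Active Directory Users and Computers (or by an AD administrator) before the group is added under External Groups.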
You can enable or disable SSO on domains that have already been configured in the CommCell. The following procedure enables SSO as an example; to disable it, clear the option instead.
- From the CommCell Browser, go to Security > Name Servers.
- Right click the domain and click Properties.
The Edit Domain Controller Details dialog box appears.
- Select the Enable SSO check box.
This allows users to automatically log on to the CommCell Console.
- Click OK.
If you enabled SSO to log on to the Compliance Search or Web Console, you must perform the additional steps described in SSO configuration procedure for:
The following table describes different scenarios where you can disable the Single Sign On feature or change user credentials.

| Scenario | Description |
|---|---|
| Disable Single Sign On for a Specific Console | The following steps disable the Single Sign On feature for the console shortcut on your computer. |
| Temporarily Disable Single Sign On | The following steps allow the user to enter alternate logon information. The next time a user launches the application using the same application shortcut, it will once again use SSO. |
| Add Another Target CommCell for Single Sign On | The following steps add another application shortcut with a different target CommCell. |
| Change the Target CommCell for Single Sign On | The following steps change the target CommCell for the Single Sign On feature. |