Enable Single Sign-On (SSO) for end-users

The following steps are the general configuration steps to enable SSO functionality for end-users in SecureTransport.

  1. Navigate to Authentication > Login Settings.
  2. In the End-users login options pane, select Required for SSO.
  3. Click Save.

Note When SSO for end-users is enabled, the following configuration options will be updated automatically:
  1. Http.FdxAuthReply with value PREAUTH.
  2. Http.AllowedAuthenticationParameters with value SAMLResponse;RelayState.
  3. AllowedAuthenticationParametersMaxSize with value 32768.

Configure Single Sign-On (SSO) for end-users

Before configuring SSO for end-users, refer to SecureTransport Single Sign-On (SSO) configuration prerequisites.

In order to configure SSO functionality for end-users, you need to update the sso-enduser.xml file. Keep in mind that SSO-authenticated users are only mapped to existing SecureTransport user accounts or to account templates with user classes. For additional information, refer to Create a user account, Account templates, and User classes.

Note Do not rename the sso-enduser.xml configuration file.

SecureTransport certifies Shibboleth and Keycloak as supported SAML-based Identity Providers for end-users, as well as Kerberos.

Note The following configuration steps describe the setup of a single Identity Provider. For a multiple Identity Provider configuration, refer to Multiple Identity Provider configuration.
Note Before configuring SSO for end-users using SAML-based Identity Provider or Kerberos, make sure that you configured them properly.

Configure SSO for End-users using SAML-based Identity provider:

  1. Download the SAML-based Identity Provider metadata file from your Identity Provider instance.
     Note Do not modify the SAML-based Identity Provider metadata file.
  2. Open the sso-enduser.xml file. The following changes are required:
    • In the <SamlIdentityProvider> element, change the following attribute values:
      • metadataUrl to be ./(name of the SAML-based Identity Provider metadata file)
      • entityId - add the entityID attribute value of the <EntityDescriptor> element from the SAML-based Identity Provider metadata file.
    • <Mappings> element:
    • <Features> element: The recommended features are listed in Sample SSO configuration file for end-users.
  3. Save the sso-enduser.xml file.
  4. Zip the sso-enduser.xml file and the SAML-based Identity Provider metadata file from Step 1.
     Note Do not put the configuration files in a sub-directory inside the ZIP file.
  5. Navigate to Operations > Server Configuration. Click on Configuration Files.
  6. Select the Browse button for SSO Configuration Files. Choose the ZIP file containing the sso-enduser.xml file and the SAML-based Identity Provider metadata file.
  7. Click on the check box for SSO Configuration Files.
  8. Click Upload.
  9. Restart the Transaction Manager service and the HTTP service.
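The sso-enduser.xml edits, the ZIP packaging and the two notes above (do not rename the configuration file, do not modify the metadata, no sub-directories in the ZIP) can be scripted and checked before upload. The following is an added example, not SecureTransport's own tooling: the IdP metadata and the minimal sso-enduser.xml are constructed samples, and the layout of sso-enduser.xml is assumed to be just a <SamlIdentityProvider> element with the metadataUrl and entityId attributes named in the steps. The ZIP-layout check applies equally to the Kerberos bundle described below.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata (not from a real IdP); only entityID matters here.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/demo"/>"""
# Constructed minimal sso-enduser.xml; assumed layout, the real file has more content.
SSO_ENDUSER_XML = """<SsoConfiguration>
  <SamlIdentityProvider metadataUrl="" entityId=""/>
</SsoConfiguration>"""

def idp_entity_id(metadata_xml: str) -> str:
    """entityID attribute of the <EntityDescriptor> root of the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("metadata root is not a SAML 2.0 EntityDescriptor")
    return root.attrib["entityID"]

def configure(sso_xml: str, metadata_xml: str, metadata_name: str) -> str:
    """Set metadataUrl to ./<metadata file> and entityId to the IdP's entityID."""
    root = ET.fromstring(sso_xml)
    idp = root.find(".//SamlIdentityProvider")
    idp.set("metadataUrl", f"./{metadata_name}")
    idp.set("entityId", idp_entity_id(metadata_xml))
    return ET.tostring(root, encoding="unicode")

def build_bundle(sso_xml: str, metadata_xml: str, metadata_name: str) -> bytes:
    """Zip the edited config and the unmodified metadata, both at the ZIP root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sso-enduser.xml", configure(sso_xml, metadata_xml, metadata_name))
        zf.writestr(metadata_name, metadata_xml)
    return buf.getvalue()

def check_bundle(data: bytes, metadata_name: str, metadata_xml: str) -> list:
    """Pre-upload check: config not renamed, no sub-directories, metadata untouched."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        problems += [f"entry in a sub-directory: {n}" for n in names if "/" in n]
        if "sso-enduser.xml" not in names:
            return problems + ["sso-enduser.xml missing or renamed"]
        if metadata_name not in names or zf.read(metadata_name) != metadata_xml.encode():
            problems.append("IdP metadata file missing or modified")
        idp = ET.fromstring(zf.read("sso-enduser.xml")).find(".//SamlIdentityProvider")
        expected = (f"./{metadata_name}", idp_entity_id(metadata_xml))
        if idp is None or (idp.get("metadataUrl"), idp.get("entityId")) != expected:
            problems.append("metadataUrl/entityId do not match the bundled metadata")
    return problems
```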

Configure SSO for end-users using Kerberos:

  1. Configure Kerberos as an Identity Provider. For the configuration with Kerberos as an Identity Provider, refer to Configure a Kerberos as an Identity Provider in SecureTransport.
  2. Open the sso-enduser.xml file. The following changes are required:
    • In the <KerberosIdentityProvider> element, change the following attribute values:
      • configurationUrl to be the absolute path to the Kerberos .conf file.
        Note The Kerberos .conf file and .keytab file should be added to the SSO configuration ZIP file.
      • entityId - add the entityID attribute value
    • <Mappings> element:
    • <Features> element: The recommended features are listed in Sample SSO configuration file for end-users.
  3. Save the sso-enduser.xml file.
  4. Zip the sso-enduser.xml file and all additional files (the Kerberos configuration file and the .keytab file).
     Note Do not put the configuration files in a sub-directory inside the ZIP file.
  5. Navigate to Operations > Server Configuration. Click on Configuration Files.
  6. Select the Browse button for SSO Configuration Files. Choose the ZIP file containing the sso-enduser.xml and the Keycloak/Shibboleth metadata file.
  7. Click on the check box for SSO Configuration Files.
  8. Click Upload.
  9. Restart the Transaction Manager service and the HTTP service.
Note If, after importing the SSO configuration files and enabling SSO for end-users, you are still redirected to the default SecureTransport end-user login page, there is probably a misconfiguration. To resolve this, you can use SecureTransport as an Identity Provider to log in with locally stored credentials and troubleshoot. For more information, refer to SecureTransport as an Identity Provider.
Note In both Standard Cluster and Enterprise Cluster, after the SSO configuration files are successfully imported, they are automatically redistributed across all nodes in the cluster. The Transaction Manager service must then be restarted on all nodes.
Note SSO for end-users can be configured with the sso-enduser.xml file only on a backend instance.
Note Because the sso-enduser.xml configuration file allows only one Service Provider entity ID, and configuration files are synced between the cluster nodes, all end-users share the same Service Provider configuration. Since the IdP cannot differentiate which request is coming from which node, it will always return the user to the assertion consumer service configured on the IdP. This can be worked around by having a separate IdP for each cluster node, so that the user selects the node to log in to by choosing the dedicated IdP. For more information about how to configure multiple Identity Providers in SecureTransport, refer to Multiple Identity Provider configuration.

Single Sign-On (SSO) account configuration

For more information about how to configure SecureTransport accounts with SSO, refer to Manage accounts and Advanced account administration.
