Address Manager SSO groups assign authorization to users in the SSO integration. When creating an SSO group, you can assign default access (view, change, add, or full access) and administrator rights to the group.
Important:
- BlueCat recommends creating at least one local Administrator group that includes at least one local administrative user to serve as the SSO admin. This is a recommended best practice for SSO as the SSO admin can log in to Address Manager to deal with any connectivity issues with the IdP or critical issues with DDI operations.
- The SSO admin requires the following:
- GUI and API access
- Local authentication
- Before creating SSO groups in Address Manager, ensure the group membership claims exist in your IdP. This allows mapping of access rights to users who first log in to Address Manager with their SSO credentials. Contact your IdP for more information.
- You need at least one SSO group to enable SSO.
A new SSO group is matched with a group membership claim in the IdP that contains the access rights of users. Once a user logs in with SSO credentials, that user is automatically added to the SSO users list in the SSO group based on the group membership claim. If you are setting up SSO after performing a new installation of Address Manager you must create SSO groups to enable SSO.
If you prefer to use either LDAP or
TACACS+ as an external authenticator, refer to the following:
>