SSO Enforced mode is the mode that gives the greatest security for Address Manager and the Address Manager API, but it imposes strict restrictions on authentication and access. BlueCat recommends enabling SSO Enforced mode only when your Address Manager environment has been prepared for those restrictions.
You cannot enable SSO Enforced mode unless all of the following apply:
- You are an administrator
- You have configured the IdP metadata in Address Manager
- You have deleted all external authenticators
- Only SSO groups exist in Address Manager
- No local non-admin users exist in Address Manager
When SSO Enforced mode is enabled, the following restrictions apply:
- Users cannot log in to Address Manager using external authenticators (LDAP, TACACS, and RADIUS)
- BAM allows only one local user (a GUI-only SSO admin) for failover situations
- The IdP initiates the login session: the BAM login page redirects to the IdP login page
- API logins require a valid OAuth token
- Only SSO users can become a BAM administrator
- Only the SSO admin who enabled SSO Enforced mode can disable it
- Non-admin SSO users can't view the following pages in Address Manager:
  - SSO Management
  - API Access Management
- Non-admin SSO users can't create, read, update, or delete any local users
- Non-admin SSO users can't create, read, update, or delete any user groups that aren't SSO groups
Before you enable SSO Enforced mode, also make sure that:
- Any applications integrating with Address Manager have been configured for SSO
- BAM API clients or scripts are using OAuth 2.0
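A readiness check for the prerequisites above, written as an added example that is not BlueCat's code: it takes a constructed inventory of the Address Manager objects the lists refer to (in practice you would gather these through the Address Manager GUI or API) and reports every condition that would block enabling SSO Enforced mode, including API clients that still use password logins and would lose access once OAuth 2.0 tokens are required.

```python
from dataclasses import dataclass

@dataclass
class BamInventory:
    """Constructed snapshot of the Address Manager objects the prerequisites refer to."""
    idp_metadata_configured: bool
    external_authenticators: list   # names of LDAP/TACACS/RADIUS authenticators
    local_users: list               # (username, is_admin) tuples
    user_groups: list               # (group name, is_sso_group) tuples
    api_clients: dict               # client name -> True if it already uses OAuth 2.0

def check_sso_enforced_readiness(inv: BamInventory) -> list:
    """Return the unmet prerequisites for SSO Enforced mode; an empty list means ready."""
    problems = []
    if not inv.idp_metadata_configured:
        problems.append("IdP metadata is not configured")
    if inv.external_authenticators:
        problems.append("external authenticators still exist: "
                        + ", ".join(inv.external_authenticators))
    non_admin_local = [u for u, is_admin in inv.local_users if not is_admin]
    if non_admin_local:
        problems.append("local non-admin users exist: " + ", ".join(non_admin_local))
    # Only one local (GUI-only) SSO admin is allowed, as the failover account.
    local_admins = [u for u, is_admin in inv.local_users if is_admin]
    if len(local_admins) > 1:
        problems.append("more than one local admin: " + ", ".join(local_admins))
    non_sso_groups = [g for g, is_sso in inv.user_groups if not is_sso]
    if non_sso_groups:
        problems.append("non-SSO user groups exist: " + ", ".join(non_sso_groups))
    # Clients still using username/password API logins lose access once OAuth is required.
    legacy_clients = [c for c, uses_oauth in inv.api_clients.items() if not uses_oauth]
    if legacy_clients:
        problems.append("API clients not yet on OAuth 2.0: " + ", ".join(legacy_clients))
    return problems

# Constructed inventory for a BAM that is not yet ready: an LDAP authenticator,
# a local non-admin user, a legacy group and a script still using password logins.
NOT_READY = BamInventory(
    idp_metadata_configured=True,
    external_authenticators=["ldap-corp"],
    local_users=[("admin", True), ("netops-bob", False)],
    user_groups=[("sso-netadmins", True), ("legacy-ops", False)],
    api_clients={"ipam-sync": True, "dhcp-report.py": False},
)

if __name__ == "__main__":
    for p in check_sso_enforced_readiness(NOT_READY):
        print("BLOCKER:", p)
```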
To enable SSO Enforced mode:
1. In Address Manager, select the Administration tab.
2. Under User Management, select Identity and Access Management.
3. Select the SSO Enforcement tab.
4. Under SSO Enforcement, select Enforce SSO.
5. Click Update.