Single Sign-On - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.3.0

Address Manager supports Single Sign-On (SSO) via SAML 2.0 and acts as a Service Provider (SP) for SSO. In the SSO integration, users have the following login options with Address Manager:

  • Log in directly to Address Manager (SP-initiated SSO)
  • Log in through the IdP (IdP-initiated SSO)
Note: Supported IdPs
SSO functionality in Address Manager has been tested on the following IdPs:
  • ADFS (Active Directory Federated Services)
  • OneLogin

If your organization is using a different IdP than those supported by Address Manager, you can still use the IdP as long as it adheres to the SAML 2.0 specification. For more information, refer to your IdP's documentation on how to configure a service provider.

Note: Currently, Address Manager supports only a single IdP; multiple IdPs are not supported.

SSO with Okta identity providers is supported only through SAML 2.0. Okta OAuth 2.0 (with OpenID Connect) is not supported at this time.

Address Manager does not support SP-initiated single logout (SLO) at this time.

SP-initated SSO

In SP-initiated SSO, log in to Address Manager directly using your company's SSO credentials. When you log in through Address Manager, Address Manager sends an authentication request to the IdP. The IdP validates your credentials and once validation is successful, the IdP generates a SAML token. The IdP redirects the SAML token to Address Manager and allows access.

The diagram below illustrates the SP-initiated SSO authentication process:

IdP-initiated SSO

In IdP-initiated SSO, log in through the IdP login page using your company's SSO credentials. When you log in through the IdP login page, the IdP validates your credentials and once validation is successful, the IdP generates a SAML token. The IdP now redirects you to Address Manager.

The diagram below illustrates the IdP-initiated SSO authentication process:

SSO Modes

There are two modes for SSO in Address Manager:
SSO Enabled SSO Enforced
  • Users can log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.
  • Address Manager allows local users (GUI and API)
  • The Address Manager login page has two login options:
    • SSO login
    • Local login
  • Users cannot log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.
  • Address Manager allows only one local user (GUI-only, SSO admin) for the following:
    • SSO configuration
    • IdP configuration
    • DDI configuration
    • failover situations
  • The IdP initiates the login session—the Address Manager login page redirects to the IdP login page
  • API logins require a valid OAuth token
You can select either of these two modes when configuring SSO. The SSO Enabled mode is activated once you configure Address Manager as a service provider and the IdP metadata. For more information on configuring Address Manager as a service provider and configuring the IdP metadata, refer to Configuring Address Manager as a Service Provider and Configuring the IdP metadata and Enabling the SSO connection. You can activate the SSO Enforced mode in the SSO Enforcement tab in Address Manager. For more information, refer to Enabling SSO Enforced Mode.
Attention: Time synchronization between Address Manager and the IdP

During SSO authentication, the IdP generates access tokens. Any clock discrepancy between Address Manager and the IdP could cause a disagreement over the token expiration time, leading to authentication errors. BlueCat recommends using NTP to synchronize Address Manager and the IdP.