Configuring Single Sign-On and OAuth - Platform - BlueCat Gateway - 20.12.1

Gateway Administration Guide


In Address Manager, there are two modes for SSO and OAuth integration: SSO Enabled and SSO Enforced.

SSO Enabled
  • Users can log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.
  • Address Manager allows local users (GUI and API).
  • The Address Manager login page has two login options:
    • SSO login
    • Local login

SSO Enforced
  • Users cannot log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.
  • Address Manager allows only one local user (GUI-only, the SSO admin) for the following:
    • SSO configuration
    • IdP configuration
    • DDI configuration
    • failover situations
  • The IdP initiates the login session: the Address Manager login page redirects to the IdP login page.
  • API logins require a valid OAuth token.

Address Manager also has an OAuth Only option, in which only OAuth is enabled.

If the SSO Enforced mode is enabled, or if only OAuth is enabled in Address Manager, you must configure both SSO and OAuth in BlueCat Gateway.

Table: Configuring Single Sign-On and OAuth in BlueCat Gateway

  Address Manager mode   What to configure in BlueCat Gateway
  SSO Enabled            None
  SSO Enforced           SSO and OAuth
  OAuth Only             SSO and OAuth

Before you begin

To enable SSO, you need the following:
  • BlueCat Gateway v20.3.1 or greater
  • Address Manager v9.2.0 or greater
  • Port 443 open on BlueCat Gateway and on the IdP
  • BlueCat Gateway can reach the IdP, whether the IdP is on premises or in the cloud
  • You have configured the OAuth settings in Address Manager
    Important: Prior to configuring OAuth in BlueCat Gateway, make sure you have completed the necessary prerequisites and configuration requirements in the Authorization Server and Address Manager. For more information, refer to "Enabling OAuth in Address Manager" in the Address Manager Administration Guide.

What you need from BlueCat Gateway to set up your Single Sign-On connection

To set up the SSO connection, you need the following from BlueCat Gateway:
  • BlueCat Gateway domain name
  • BlueCat Gateway X.509 certificate (optional)
  • BlueCat Gateway private key (optional)
    Note: The X.509 certificate and private key of the HTTPS server are only required if you want to sign the certificate.

What BlueCat Gateway needs from your IdP

To set up the SSO connection, you need the following from your IdP:
  • IdP Metadata URL

    OR all of the following:

  • IdP Signing Certificate
  • IdP EntityID
  • IdP singleSignOnService URL
  • IdP singleSignOnService Binding
  • IdP singleLogoutService URL
  • IdP singleLogoutService Binding
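As an added example (not BlueCat's code), the following Python reads a SAML 2.0 IdP metadata document and extracts the six values listed above, which is what you would otherwise copy out by hand when you enter the IdP settings individually instead of supplying the Metadata URL. It prefers the HTTP-Redirect binding, refuses metadata that has no signing certificate or that points at a non-HTTPS endpoint, and the embedded metadata (including the host idp.example.test and the certificate value) is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def _endpoint(idp, name, preferred):
    """Return (Location, Binding) of the named service, preferring one binding."""
    endpoints = idp.findall(f"md:{name}", NS)
    if not endpoints:
        raise ValueError(f"IdP metadata has no {name} endpoint")
    chosen = next((e for e in endpoints if e.get("Binding") == preferred), endpoints[0])
    url, binding = chosen.get("Location", ""), chosen.get("Binding", "")
    if not url.startswith("https://"):   # Gateway reaches the IdP over TLS (port 443)
        raise ValueError(f"{name} Location is not an https URL: {url!r}")
    return url, binding

def extract_idp_settings(metadata_xml, preferred_binding=HTTP_REDIRECT):
    """Return EntityID, signing certificate, SSO and SLO URL/Binding as a dict."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    # A KeyDescriptor with no 'use' attribute may be used for signing as well.
    certs = [kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = ["".join(c.text.split()) for c in certs if c is not None and c.text]
    if not certs:
        raise ValueError("no signing certificate: SAML assertions could not be verified")
    sso_url, sso_binding = _endpoint(idp, "SingleSignOnService", preferred_binding)
    slo_url, slo_binding = _endpoint(idp, "SingleLogoutService", preferred_binding)
    return {"entity_id": root.get("entityID"), "signing_certificate": certs[0],
            "sso_url": sso_url, "sso_binding": sso_binding,
            "slo_url": slo_url, "slo_binding": slo_binding}

# Constructed sample metadata; the certificate value is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDERCERTBASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__": print(extract_idp_settings(SAMPLE_METADATA))
```

For production use, parse untrusted metadata with a hardened XML parser such as defusedxml rather than xml.etree directly.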