Requirements for configuring Single Sign-On and OAuth - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide


In Address Manager, there are two modes for SSO and OAuth integration: SSO Enabled and SSO Enforced.

SSO Enabled

  • Users can log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.

  • Address Manager allows local users (GUI and API).

  • The Address Manager login page has two login options:

    • SSO login

    • Local login

SSO Enforced

  • Users cannot log in to Address Manager using external authenticators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos.

  • Address Manager allows only one local user (GUI-only, SSO admin) for the following:

    • SSO configuration

    • IdP configuration

    • DDI configuration

    • failover situations

  • The IdP initiates the login session. That is, the Address Manager login page redirects users to the IdP login page.

  • API logins require a valid OAuth token.

OAuth only: Address Manager can also be configured so that only OAuth is enabled.

If SSO Enforced mode is enabled, or if only OAuth is enabled in Address Manager, you must configure both SSO and OAuth in BlueCat Gateway.

Table 1. Configuring Single Sign-On and OAuth in BlueCat Gateway

Address Manager    What to configure in BlueCat Gateway
SSO Enabled        None
SSO Enforced       SSO and OAuth
OAuth Only         SSO and OAuth

Before you begin

To enable SSO, you need the following:
  • BlueCat Gateway v20.3.1 or greater

  • Address Manager v9.2.0 or greater

  • Port 443 must be open on both BlueCat Gateway and the Identity Provider (IdP).

  • BlueCat Gateway must be able to access the IdP, whether the IdP is on premises or in the cloud.

  • You must have configured OAuth settings in Address Manager.

    Important: Before configuring OAuth in BlueCat Gateway, make sure you complete the necessary prerequisites and configuration requirements in both the Authorization Server (Identity Provider) and Address Manager. For more details, see Enabling OAuth in Address Manager in the Address Manager Administration Guide.

What you need from BlueCat Gateway to set up your Single Sign-On connection

To set up the SSO connection, you need the following from BlueCat Gateway:

  • BlueCat Gateway domain name

  • BlueCat Gateway x509 Certificate (optional)

  • BlueCat Gateway Private key (optional)

    Note: The x509 certificate and private key of the HTTPS server are required only if you want to sign the certificate.

What BlueCat Gateway needs from your IdP

To set up the SSO connection, you need the following from your IdP:

  • IdP Metadata URL

    OR

    All of the following:

    • IdP Signing Certificate

    • IdP EntityID

    • IdP singleSignOnService URL

    • IdP singleSignOnService Binding

    • IdP singleLogoutService URL

    • IdP singleLogoutService Binding
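
The IdP metadata document normally carries every value in the manual list above, so it can be checked for completeness before either option is entered in BlueCat Gateway. The following is an added example, not BlueCat code: it assumes the IdP publishes standard SAML 2.0 metadata with a single EntityDescriptor root, and the function name, the idp.example.test URLs and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: idp.example.test and the certificate text are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER
        BASE64CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return (settings, missing) for the six IdP values in the manual list."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("SAML metadata should not contain a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    settings = {"entity_id": root.get("entityID"), "signing_cert": None}
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well.
        if kd.get("use", "signing") == "signing":
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                settings["signing_cert"] = "".join(cert.text.split())
                break
    for key, tag in (("sso", "SingleSignOnService"), ("slo", "SingleLogoutService")):
        ep = idp.find("md:" + tag, NS)  # first endpoint listed for this service
        settings[key + "_url"] = ep.get("Location") if ep is not None else None
        settings[key + "_binding"] = ep.get("Binding") if ep is not None else None
    missing = sorted(name for name, value in settings.items() if not value)
    return settings, missing


if __name__ == "__main__":
    settings, missing = extract_idp_settings(SAMPLE_METADATA)
    for name, value in settings.items():
        print(f"{name}: {value}")
    print("missing:", missing)
```

An IdP that lists several endpoints per service will have only the first one reported here; compare its binding with the one you intend to configure.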