2.12 Configuring Single Sign-On

Identity Manager uses single sign-on to provide authentication between the User Application, Identity Manager Home, and the Identity Manager Provisioning Dashboard.

NOTE:

  • You must configure single sign-on to use Identity Manager Home and the Provisioning Dashboard.

  • After you configure and enable single sign-on in your environment, users can no longer access the User Application as a guest or anonymous user. Users are instead prompted to log into the user interface.

  1. Start your JBoss server.

  2. Create the certificates and keys necessary for single sign-on. For information about creating certificates and keys for single sign-on, see Creating the Certificates, in the User Application: Administration Guide.

    NOTE: This procedure assumes your environment will use one certificate for eDirectory, the SSO controller, and the OAuth Provider. If your company requires additional layers of separation, create a separate certificate for the OAuth Provider.

  3. Configure your eDirectory installation for single sign-on. For information about configuring eDirectory for single sign-on, see Configuring eDirectory, in the User Application: Administration Guide.

    NOTE: If you previously extended the eDirectory schema to include the SAML schema and installed the required NMAS methods, as described in Updating and Configuring the Identity Vault, you do not need to perform those steps a second time. Instead, skip to the subsection about creating the Trusted Root Container.

  4. Use a Web browser to access your User Application server, logging in as the User Application administrator.

  5. Configure the SSO controller. For information about configuring the SSO controller, see Configuring the SSO Controller, in the User Application: Administration Guide.

    IMPORTANT: Do not restart the application server as instructed in the User Application: Administration Guide.

  6. To verify that you have configured the SSO controller correctly, look for the following entry in the server.log file:

    INFO [AuthTokenGenerator] [RBPM] SSO Framework is enabled
    
  7. On the User Application Single Sign On (SSO) page, verify that the SSO Providers list includes the OAuth provider.

  8. Confirm Enable Single Sign On (SSO) To User Application is selected, then select OAuth.

  9. In the Expiration Interval field, specify the number of seconds Identity Manager keeps the OAuth SSO header alive. For example, you could specify 300 seconds as the expiration interval.

  10. Select Distinguished Name.

  11. (Conditional) If not already configured, specify the signing certificate and signing key and provide the signing key password.

    NOTE: The signing key should be a PKCS8 format key.

  12. Select Save.

  13. Select the checkbox for the OAuth provider and select Enable, then click Enable to confirm.

  14. Verify that the SSO Providers list displays a green check in the Status column for the OAuth provider.

  15. Close your browser without logging out of the User Application.

  16. Stop your JBoss server.
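Two of the steps above have a check that can be scripted rather than done by eye: step 6 (the SSO Framework entry must appear in server.log) and step 11 (the signing key must be a PKCS8 key, which is recognisable by its PEM header). The script below is an added example and is not part of the NetIQ documentation or the product; the log excerpt and the PEM files it creates are constructed fixtures with placeholder contents, and the file names are assumptions. The openssl conversion helper is included for the case where an existing key turns out to be in the legacy format; it is not needed when the key is already PKCS8.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation. Checks around steps 6 and 11
# of the SSO configuration procedure. File names and log layout are assumptions.

# Returns 0 when server.log contains the entry that step 6 tells you to look for.
sso_framework_enabled() {
  # $1 = path to the JBoss server.log
  grep -q 'INFO \[AuthTokenGenerator\] \[RBPM\] SSO Framework is enabled' "$1"
}

# Prints the container type of a PEM private key, judged by its header line:
#   pkcs8            unencrypted PKCS#8         (BEGIN PRIVATE KEY)
#   pkcs8-encrypted  password-protected PKCS#8  (BEGIN ENCRYPTED PRIVATE KEY)
#   legacy           traditional OpenSSL format (BEGIN RSA/EC/DSA PRIVATE KEY)
#   unknown          no recognised PEM header
signing_key_format() {
  # $1 = path to the signing key file named in step 11
  if grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
    echo pkcs8
  elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo pkcs8-encrypted
  elif grep -Eq '^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----' "$1"; then
    echo legacy
  else
    echo unknown
  fi
}

# Converts a legacy-format key to password-protected PKCS#8 with OpenSSL.
# openssl prompts for the pass phrase, which is the signing key password
# that step 11 asks for. Not invoked by the checks above.
to_pkcs8() {
  # $1 = input key in legacy format, $2 = output PKCS#8 file
  openssl pkcs8 -topk8 -in "$1" -out "$2"
}

# Creates constructed fixtures (log excerpt and PEM headers with placeholder
# bodies, no real key material) in a temporary directory and prints its path.
make_fixtures() {
  fixture_dir=$(mktemp -d)
  cat > "$fixture_dir/server.log" <<'EOF'
INFO  [org.jboss.web] (MSC service thread) Starting deployment (constructed line)
INFO [AuthTokenGenerator] [RBPM] SSO Framework is enabled
EOF
  printf '%s\n' 'INFO [RBPM] Context initialized (constructed line, no SSO entry)' \
    > "$fixture_dir/no-sso.log"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIB...placeholder' \
    '-----END PRIVATE KEY-----' > "$fixture_dir/pkcs8.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$fixture_dir/legacy.pem"
  echo "$fixture_dir"
}

# Stand-alone demonstration on the constructed fixtures.
demo=$(make_fixtures)
if sso_framework_enabled "$demo/server.log"; then
  echo "step 6: SSO Framework entry found in server.log"
else
  echo "step 6: SSO Framework entry missing; recheck the SSO controller configuration"
fi
echo "step 11: pkcs8.pem is $(signing_key_format "$demo/pkcs8.pem"), legacy.pem is $(signing_key_format "$demo/legacy.pem")"
rm -rf "$demo"
```

Against a real installation, point `sso_framework_enabled` at the JBoss server.log and `signing_key_format` at the key you intend to enter in step 11; a result of `legacy` means the key must be converted before the SSO page will accept it.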