Enabling Premium SSO

Single Sign On (SSO) is a technique in which your current Windows domain login is used to access Solar Archive, bypassing the login page.

In the SSO technique, passwords are not passed; instead, your current Windows user token is used for validation. A token is computed every time you log in to a Windows domain, and hence it cannot be cached and used again. This technique only works with NTLM or NTLMv2 tokens and is designed to work only in Microsoft domains.

Furthermore, to prevent man-in-the-middle attacks, the user token includes a ‘source PC identifier’. To validate SSO, the Windows Domain Controller checks whether the source of the validation request (Solar Archive) is the same as the source PC encoded into the token (the user’s PC). For this to work, the Solar Archive server needs to be registered as a Computer in the Windows Users & Computers list.

Prerequisites to enable premium SSO

  • Create a COMPUTER account in Active Directory Users and Computers.

  • Then use the script SetComputerPass.vbs to set a password for that account. To download the script, click the Download Script button in the Premium SSO options page.

Solar Archive will then be able to create an authenticated connection to your Domain Controller, over which secure SSO connections may be passed.

  1. Navigate to Adv. Configuration > SSO - Single Sign On.

  2. Enter or select the required values in the fields. Refer to the table below for field names and descriptions. (Note: hover your mouse over a field name for additional information and/or example values.)

  3. Click the Apply button to save the configuration.

  4. To test the SSO connection, click the SSO Connection Test button.

  5. After saving this configuration, the web server needs to be restarted to ensure that SSO is being used. To do this, navigate to Management > Restart > Restart WebServer.

  6. To review logs, click the Show Log button.

Fields and descriptions

Enable Premium SSO
  Specifies whether or not Premium SSO is enabled.

Your internal AD Domain
  Your company’s internal Active Directory domain. You can derive it from the LDAP Base DN; it is typically of the form company.local or company.com.

Computer Account Name
  Name of the ‘computer’ account added to Active Directory Users & Computers. If the computer account added to Active Directory Users and Computers is “CryoserverSSO”, then this value will be CryoserverSSO$. Note the required $ sign at the end; Active Directory adds it automatically when you create the account.

Computer Account password
  Password of the computer account. To download the script that sets a password, click the Download Script button in the Premium SSO options page. The script prompts you for the computer account name and then lets you set a password. Enter that same password here.

DNS (optional)
  IP address of an internal DNS server. The SSO service locates your PDC and any other DCs via DNS and will validate a user against any DC it can contact. If Solar Archive already has DNS correctly configured (so that domain names resolve elsewhere in the Solar Archive configuration, such as LDAP server names and the Outbound Email and Alerts email server), leave this blank.

Site Name (Optional)
  The Active Directory Sites and Services site that the web server is in. Note: if your users are in a forest of domains, enter the site name of the local tree of your domain. If your company is a single-domain company, you will not require this.

LDAP field to match domain
  LDAP field that should be matched against the domain obtained by JCIFS.
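The following PowerShell script is an added example, not part of the Solar Archive documentation or product: it performs the two prerequisites above (create the COMPUTER account and set its password, using the ActiveDirectory module instead of SetComputerPass.vbs) and then checks that domain controllers are discoverable through the standard `_msdcs` SRV records, which is what the "DNS (optional)" and "Site Name (Optional)" fields influence. It assumes a domain-joined workstation with the ActiveDirectory and DnsClient modules; `company.local`, `CryoserverSSO`, the site name and the DNS server address are placeholder values to replace with your own.

```powershell
# Added example: prepare and verify the AD prerequisites for Premium SSO.
# Assumes the ActiveDirectory and DnsClient modules; all names are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$Domain       = 'company.local',   # value for "Your internal AD Domain"
    [string]$ComputerName = 'CryoserverSSO',   # account name without the trailing $
    [string]$SiteName     = '',                # value for "Site Name (Optional)"
    [string]$DnsServer    = ''                 # value for "DNS (optional)"
)

# 1. Create the COMPUTER account if it does not exist yet (no host is joined with it).
$sam  = "$ComputerName`$"
$acct = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
if (-not $acct) {
    New-ADComputer -Name $ComputerName -SAMAccountName $sam -Enabled $true `
        -Description 'Solar Archive Premium SSO service account'
    $acct = Get-ADComputer -Identity $sam
}

# 2. Set the account password (alternative to SetComputerPass.vbs).
#    Enter the same value in the "Computer Account password" field.
$pw = Read-Host -AsSecureString -Prompt "New password for $sam"
Set-ADAccountPassword -Identity $acct -Reset -NewPassword $pw

# 3. Confirm the value to enter in "Computer Account Name" (AD appends the $).
if ($acct.SamAccountName -notmatch '\$$') {
    throw "Unexpected SamAccountName: $($acct.SamAccountName)"
}
Write-Host "Computer Account Name to enter: $($acct.SamAccountName)"

# 4. Check that the PDC and other DCs resolve through DNS; when a site name is
#    given, also check the site-specific record the SSO service would prefer.
$queries = @("_ldap._tcp.pdc._msdcs.$Domain", "_ldap._tcp.dc._msdcs.$Domain")
if ($SiteName) { $queries += "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" }
$dnsArgs = @{ Type = 'SRV'; ErrorAction = 'Stop' }
if ($DnsServer) { $dnsArgs.Server = $DnsServer }   # same server as "DNS (optional)"
foreach ($q in $queries) {
    try {
        $srv = Resolve-DnsName -Name $q @dnsArgs | Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) { Write-Host ("{0} -> {1}:{2}" -f $q, $r.NameTarget, $r.Port) }
    } catch {
        Write-Warning "No SRV answer for $q; set 'DNS (optional)' to an internal DNS server."
    }
}
```

If the last step only succeeds when `-DnsServer` is supplied, the Solar Archive server's own resolver is not seeing the internal zone and the "DNS (optional)" field should be filled in.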
