Setting Up IdP and SP CommCells for Multi-Web Console Single Sign-On (SSO)

Applies To: Web Consoles across multiple CommCell environments

To set up single sign-on for multiple Web Consoles, you must configure the participating CommCells as one of the following entities:

  • Identity Provider (IdP) - This CommCell stores and serves user identity metadata and generates Security Assertion Markup Language (SAML) tokens to authenticate users.
  • Service Provider (SP) - This CommCell offers services or resources and handles authorization.

Procedure

Registering a CommCell as the IdP and Generating IdP Metadata

  1. From the CommCell Console ribbon, click the Home tab, and then click Control Panel.
  2. Under CommCell, click Identity Management.
  3. On the Local Identity Management tab, select the Enable check box to register the CommCell as the IdP.

    The certificate that is generated is included in the IdP metadata and is used to sign all of the SAML tokens generated from this CommCell.

  4. Click Export to save the IdP metadata as an XML file.

    The IdP metadata is required as an input when configuring SP CommCells. Note the location of the XML file.

  5. Select the users and user groups for whom SAML tokens can be issued.
  6. From the Redirect URL list, select the Web Console through which the user accesses the IdP CommCell.
  7. Click OK.

Adding SP Web Console URLs to IdP Web Domains List

  1. In your web browser, open the Command Center for the IdP.
  2. From the left navigation pane, click Administration > System > Maintenance.
  3. On the Maintenance page, click the Web Domains tile, and then in the upper-right corner of the tile, click the edit button.
  4. In the Edit web domains list pane, add the following domains:
    • The Web Console URL of the IdP.
    • The Web Console URLs for each SP.

    Click Save.

  5. Restart the Tomcat service of the Web Console through which the user accesses the IdP CommCell (step 6 in the previous procedure, Registering a CommCell as the IdP and Generating IdP Metadata).

Configuring a CommCell as the SP

You must import the IdP metadata to each participating SP CommCell.

  1. From the CommCell Console ribbon, click the Home tab, and then click Control Panel.
  2. Under CommCell, click Identity Management.
  3. On the Identity Management tab, click Add, and select CommCell.
  4. On the Add CommCell Application Info window, specify the settings for the application:
    • On the General tab:
      1. Under Register New Identity Provider, click Browse.
      2. Browse to the location of the saved IdP metadata (XML file) obtained from the IdP CommCell, select the file, and click Import.

        The Redirect URL box is automatically populated with the URL from the IdP metadata.

      3. Select the Use redirect URL for SSO check box.
      4. Under Application Info, to enable the application, select the Enabled check box.

        The Display Name box is automatically populated with the application name.

    • On the Association tab, select the user and user groups who can be impersonated or mapped by the incoming token (IdP) users.

      Note: These are the users who can log on using SSO.

    • On the User Mappings tab, create a mapping:
      1. To create a new row, click the plus sign +.
      2. In the IDP User column, type an IdP user, and in the Mapped User, select a local user.

        Note: The IdP users must be entered manually and cannot be selected.

  5. Click OK.
  6. Restart the Tomcat service on the SP computer.

Repeat the procedure for each participating SP CommCell.

Result

When you access an SP Web Console and you are not logged on, enter your user name and tab off of the field to be redirected to the IdP Web Console to log on. If you are associated with multiple IdP CommCells, a list of the IdP CommCells is displayed so that you can choose where to validate your credentials.

After you log on, you are returned to the SP Web Console you first accessed, and you can access any SP Web Console without logging on again.

Note: Logging off of one Web Console logs you off of all of the SP Web Consoles.

Last modified: 7/11/2019 5:43:47 PM