Configuring single sign-on
You can configure single sign-on using both the management GUI and the command-line interface. Single sign-on delegates all authentication to a trusted Identity Provider (IdP).
With single sign-on, users need to provide their credentials once when they log in to an application or system, rather than repeatedly providing the credentials for every individual application or system. Each individual IBM® Storage Virtualize system is considered a separate application and must be added to the IdP. When single sign-on is enabled on the system, both first-factor and second-factor authentication are delegated to the IdP. For more information on supported single sign-on providers, see .
In the management GUI, users select Sign In with SSO on the login prompt and are redirected to complete authentication through the configured IdP. You can configure the IdP to provide first-factor authentication to your users. Several cloud-based multifactor authentication providers can be added to the single sign-on configuration to require additional user authentication if necessary. When authentication completes successfully, the users are redirected back to the management GUI.
Prerequisites
- Ensure that the system is updated to 8.5.0 or later release.
- Configure a DNS server. To create a DNS server, select . In the command-line interface, use the mkdnsserver command to define a DNS server.
- If your authentication server is outside of your private network, you must configure an HTTP proxy server or configure your firewall to access your authentication server.
Note: If you plan to use a proxy server to access the Identity Provider, ensure that you select Yes on the Use proxy option when you configure single sign-on in the management GUI. If you are using the chauthsinglesignon command, ensure that you set the -proxy value to yes. To create an HTTP proxy server, . For more information, see HTTP proxy server. If your authentication server is within your private network, proxy or firewall changes are not required.
- For the management GUI, ensure that the inactivity logout is equal to or greater than the time it takes for a user to receive a one-time passcode (OTP) from the authentication service. The default value for the inactivity timeout is 30 minutes for the management GUI. To set the inactivity timeout in the management GUI, select Settings > Security > Inactivity Logout. To set the GUI inactivity timeout on the command-line interface, use the chsecurity -guitimeout command.
Choose an authentication provider
Configure single sign-on using a supported authentication provider. Once single sign-on has been configured, you must then decide which user groups should be enabled for single sign-on.