Single Sign-on
Single Sign-on (SSO) authentication requires users to register their credentials only once when the user signs on to the application for the first time. The user information is stored at the Identity Provider (IdP) that manages the user credentials and determines whether the user is required to authenticate again or not.
SSO is a feature that delegates all authentication to a trusted Identity Provider (IdP). The applications are configured with the IdP. When the user logs in to the application, the IdP validates the registered information and enables the user to log in to the application. In this method, both the first and second factor authentications are delegated to a trusted Identity Provider, which is useful if you do not want IBM Storage Virtualize to do any of the authentications. Also, additional authentication factors can be configured to provide multifactor authentication for users.
IBM Storage Virtualize uses the OpenID Connect (OIDC) protocol to communicate with the SSO service when a user logs in to the GUI. SSO is supported only for web browsers. SSO can be used only to protect user login to the management GUI. The SSO feature is not supported for the command-line interface. To provide multifactor authentication for CLI access, the system must be integrated natively with IBM® Security Verify. For more information, refer to Multifactor authentication. The SSO service is only supported for remote users that are defined on a remote LDAP server, and does not support local users that are defined locally within the IBM Storage Virtualize system, including the superuser.
Remote users are users who are defined on a remote LDAP server. For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify. For more information, see IBM Security Verify Bridge for Directory Sync in the IBM Security Verify documentation.
To protect CLI access for local users or remote users with SSO, local and remote user groups can be configured with the password and SSH key authentication method, which requires users to authenticate with both a password and an SSH key when a user logs in through the CLI.
When SSO is configured and enabled for the user groups, the GUI displays a new Sign In with SSO option on the login window. The user is redirected to do the authentication with the configured SSO service. When the authentication is successful using SSO, the user does not have to reauthenticate on subsequent login attempts.
MFA versus SSO
| Multifactor Authentication | Single Sign-on | |
|---|---|---|
| First factor handled by | IBM Storage Virtualize | Identity Provider (IdP) |
| Second factor handled by | Multifactor authentication service (IBM Security Verify) | Identity Provider (IdP) |
| CLI login support | Yes | No |
| GUI login support | Yes | Yes |
| Local user support | Yes | No |
| Remote user support | Yes | Yes |
| Supported services | IBM Security Verify | Microsoft Active Directory Federation Services |
| Protocol | OpenID Connect (OIDC) | OpenID Connect (OIDC) |
LDAP versus SSO
LDAP (Lightweight Directory Access Protocol) or Single Sign-on (SSO) can be configured for authenticating remote users when a user logs in to the system. However, it's important to understand the key differences and limitations of each authentication method. The following table summarizes the difference and limitations of both the authentication methods and enables a user to select a method based on their needs.
| LDAP authentication | Single Sign-on | |
| First factor handled by | LDAP server | Identity Provider (IdP) |
| Second factor handled by | NA | Identity Provider (IdP) |
| CLI login support | Yes | No |
| GUI login support | Yes | Yes |
| Local user support | No | No |
| Remote user support | Yes | Yes |
| Supported services |
|
Microsoft Active Directory Federation Services |
| Protocol | LDAP | OpenID Connect (OIDC) |