
SSO using X.509

Former Member
0 Kudos

Hey Experts!

We are on 7.0.6.114.  We currently make our users authenticate with user/pass via an HTTP (non secure) URL to CDT and I'd like to look into SSO.  I have in the past but could never get any good documentation that was clear.

There's lots of good stuff out there now!  I've done the following research:

1. read NOTE 1841895

2. Reviewed guides for "security", "installation", "workstation" and "advanced training guide P1".

Great, great info in there!

So, that being said, also know this about us:

1. our users log into our MS AD before launching into CDT.

2. The user names in AD match the user name given for CDT.

3. Our MS AD system is set up to put an X.509 cert in the browser for all users once they log into AD.

4. That X.509 cert is internally signed by our internal CA, and that CA is loaded in all the browsers of our end-users too.

5. Our user IDs example, someone like "John Smith" would be "smithj".

6. But the X.509 cert is set up so that "CN = John Smith"....NOT CN=smithj !!!!

So knowing all that, how far away are we from at least getting SSO close to working?  I think at the very least I need to enable the HTTPS port and get folks to start using that instead of HTTP.  Right?

But my big issue is: how big a deal is it that the X.509 certs on each user's PC have "CN = John Smith" when the login ID is smithj?

Would that work, or would I need to go back to my AD guys and get them to generate certs that have CN=username?

Thanks!

NICK


Accepted Solutions (1)

former_member250653
Participant
0 Kudos

Hi Nick,

The agents don't need to use HTTPS for SSO. That's another thing. They can still enter CDT using HTTP.

You need to do a mapping between agent and CN (by default) of certificate.

In SC, at every agent => Certificates => fill in Subject (in your case: "John Smith") and Issuer.

In IA => VU => Connection Server => "Client Certificate's Attribute Used for Authentication" you can define which attribute it should look at. As said before, by default it is CN.

Directly above this setting you need to check "Use Client Certificate (CoS) for Client Authentication" and if you like "Client Certificate is Mandatory".

This should do the trick for you.

BR,

Thomas
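
To make the mapping described above concrete, here is an added illustration (my own example code, not anything from SAP Contact Center): the server takes one configurable attribute from the client certificate's subject (CN by default), looks for an agent whose stored Subject value equals it, and also requires the stored Issuer to match. This is why a CN of "John Smith" works fine for login ID smithj, and why the Issuer entry matters: a certificate with the same CN from a different CA must not map to the agent. All DNs, the mapping table and the function names (`parse_dn`, `resolve_agent`, `authenticate`) are constructed for the example; the fallback-to-password behaviour when a certificate is not mandatory is my assumption, not documented product behaviour.

```python
"""Added example (not SAP Contact Center code): resolving a client
certificate to an agent login through a per-agent Subject/Issuer mapping.

Everything here is constructed for illustration; only the idea (compare one
configured subject attribute against the value stored for each agent, and
require the expected issuer) follows the answer above.
"""
from typing import Dict, List, Optional, Tuple

# Constructed per-agent entries, i.e. what an admin would type under
# "Certificates" for each agent: the subject value and the issuer DN.
AGENT_CERT_MAPPING: Dict[str, Dict[str, str]] = {
    "smithj": {"subject": "John Smith", "issuer": "CN=Corp Internal CA,O=Example Corp"},
    "doej":   {"subject": "Jane Doe",   "issuer": "CN=Corp Internal CA,O=Example Corp"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN ("CN=John Smith,OU=Agents,...") into
    ordered (ATTRIBUTE, value) pairs.  Backslash-escaped commas stay inside
    the value, and repeated attributes (two OUs) are all kept."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:            # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def attribute_values(dn: str, attribute: str) -> List[str]:
    """All values of one attribute (e.g. every CN) in a subject DN."""
    return [v for a, v in parse_dn(dn) if a == attribute.upper()]


def dn_equal(a: str, b: str) -> bool:
    """Issuer comparison on the parsed form, so spacing and attribute-name
    case in the stored entry do not cause false mismatches."""
    return parse_dn(a) == parse_dn(b)


def resolve_agent(subject_dn: str, issuer_dn: str, attribute: str = "CN",
                  mapping: Dict[str, Dict[str, str]] = AGENT_CERT_MAPPING) -> Optional[str]:
    """Return the login whose stored Subject equals the configured attribute
    of the presented certificate AND whose stored Issuer matches, else None."""
    values = attribute_values(subject_dn, attribute)
    for login, entry in mapping.items():
        if entry["subject"] in values and dn_equal(entry["issuer"], issuer_dn):
            return login
    return None


def authenticate(subject_dn: Optional[str], issuer_dn: Optional[str],
                 attribute: str = "CN", cert_mandatory: bool = True) -> Tuple[str, Optional[str]]:
    """Outcome of the connection-server decision:
    ("certificate", login)  - certificate mapped to an agent
    ("password", None)      - no usable certificate, password login allowed
                              (assumed fallback when cert is not mandatory)
    ("refused", None)       - certificate mandatory and none/unmapped."""
    if subject_dn is None or issuer_dn is None:
        return ("refused", None) if cert_mandatory else ("password", None)
    login = resolve_agent(subject_dn, issuer_dn, attribute)
    if login is None:
        return ("refused", None) if cert_mandatory else ("password", None)
    return ("certificate", login)


if __name__ == "__main__":
    # Nick's case: CN is the full name, login is smithj, internal CA issuer.
    print(authenticate("CN=John Smith,OU=Agents,DC=example,DC=com",
                       "CN=Corp Internal CA,O=Example Corp"))
    # Same CN, different CA: the Issuer entry stops it from mapping.
    print(authenticate("CN=John Smith,O=Somewhere Else",
                       "CN=Other CA,O=Other Org"))
```

The `attribute` parameter plays the role of the "Client Certificate's Attribute Used for Authentication" setting: if the AD template were changed to put the login ID in a different subject attribute, only that setting and the stored per-agent values would change, not the logic.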

former_member187604
Contributor
0 Kudos

> The agents don't need to use HTTPS for SSO. That's another thing. They can still enter CDT using HTTP.

However, if you want to use SSO also for the monitoring UI, HTTPS is needed. That is explained in the referred advanced training guide P1, and touched on earlier e.g. in .

BR
-Lasse-

Former Member
0 Kudos

Thanks Thomas.  We'll try it and let you all know how it goes.

NICK

Former Member
0 Kudos

Thanks for your input Lasse

Answers (1)

Former Member
0 Kudos

Hi,

Just wanted to add that you can also create an import job to bring the certificate subject and issuer from your AD into the system. You need to add AD mappings for those fields in System tools / import and export settings / Active Directory Mapping. Check out also "Defining Active Directory import" in the SC application help.

Cheers

-Ville

Former Member
0 Kudos

Hey Ville, I really appreciate the prompt response.  That is good to know and we might try that!