guides:sso:openinsight_single_sign_on_sso

OpenInsight Single Sign-On (SSO)

OpenInsight Single Sign-On (SSO) allows OpenInsight users and system administrators to simplify their OI security and administrative tasks. By configuring SSO, OpenInsight users can be authenticated via traditional OpenInsight methods, via Windows security, or via a combination of both.

To enable SSO, administrators must create or modify a record in the SYSENV table named CFG_LOGIN, or an application-specific record named CFG_LOGIN*<appname> (ie, CFG_LOGIN*EXAMPLES) to configure SSO for the specific application. The layout of the CFG_LOGIN and CFG_LOGIN*<appname> records is:

ID: CFG_LOGIN (global) or CFG_LOGIN*<appname> (for a specific application)

1. SSO flag

2. Normal groups] (for SSO flag = 2 only)

3. Admin groups] (for SSO flag = 2 only)

4. System Admin groups] (for SSO flag = 2 only)

5. Validation Mode (for SSO flag = 2 only)

If the SSO flag is set to 0 in the CFG_LOGIN*<appname> record, or in the CFG_LOGIN record if no CFG_LOGIN*<appname> record is found (or if neither CFG_LOGIN*<appname> nor CFG_LOGIN record is found), OpenInsight operates in "legacy" mode, continuing to use its existing (legacy) methods for authentication and validation. Usernames and passwords, either entered in response to OpenInsight prompts or passed via command-line parameters, will be checked against OI system records, and the user will either be admitted or denied admittance depending on the entered information.

If the SSO flag is set to 1 in the CFG_LOGIN*<appname> record, or in CFG_LOGIN if no CFG_LOGIN*<appname> record is found, OpenInsight operates in "hybrid SSO" mode. No username or password is required for entry (either systemwide if CFG_LOGIN record is used, or in the particular application if CFG_LOGIN*<appname> is used), so long as the username (as logged into Windows) is found in the OpenInsight system records. Administrators must, therefore, continue to create OpenInsight user entries for all valid OpenInsight users, defining which permissions level (normal, admin, or system admin) they should be granted. Hybrid SSO operation is provided mostly as a convenience to users, who need not specify their username and password to enter OpenInsight. If the OpenInsight user is not set as an administrator then an Application Entry Point must be set for the application.

If the SSO flag is set to 2 in the CFG_LOGIN*<appname> record, or in CFG_LOGIN if no CFG_LOGIN*<appname> record is found, OpenInsight operates in "strict SSO" mode. No username or password is required for entry (either systemwide if CFG_LOGIN record is used, or in the particular application if CFG_LOGIN*<appname> is used), so long as the user (as logged into Windows) belongs to one of the Windows groups defined in fields 2, 3, or 4. In strict SSO mode, the administrator is not required to enter the user into OpenInsight's system records; they need only ensure that the Windows user is a member of the appropriate group. If the Windows user is a member of any of the groups listed in field 4 (@VM delimited), they are admitted into OpenInsight with System Administrator privileges; if the user is a member of any of the groups listed in field 3 (@VM delimited), they are admitted with Administrator privileges; if the user is a member of any of the groups listed in field 2 (@VM delimited), they are admitted with normal privileges. Note that a user will be admitted with the highest privilege that can be found in any of the groups he or she is a member of.

NOTE: In versions of OpenInsight prior to 10.2.2, if the user has an entry in the OI legacy system records, they will be admitted with the privileges found in the OI system (similar to "hybrid SSO" mode). In version 10.2.2+, this has been changed so that the LDAP group membership will be used even if the user exists in the OI legacy users list.

If the SSO flag is set to 2, field 5 controls how the group information is obtained. If set to 0 (the default), then OpenInsight will communicate with the local LDAP server on the network (such as the Active Directory server) to get group information. If set to 1, then OpenInsight will first communicate with the LDAP server if possible, and then query the local Windows system for the local group information as well. If set to -1, then OpenInsight will only query the local Windows system for the local groups. Note that operating in mode “0” requires an LDAP server on the network.

When operating in strict SSO mode, OpenInsight provides a "legacy override" function; when logging in to the SYSPROG application, if the user is NOT a member of any of the specified groups, they will be prompted for their username and password (as though CFG_LOGIN was set to legacy mode). This provides for the possibility that the user groups have been incorrectly specified, for example, preventing the system from becoming inoperable.

sso_001.jpg

From the OpenInsight 10 IDE, go to Consoles, Management Console. Log into the Management Console and go to System Configuration, Configuration Records. Choose the LOGIN configuration record and select the application you want to apply Single Sign On to.

From this form you can manage the SYSEN CFG_LOGIN*APPLICATION record for Single Sign On options.

Examples

Examples

  • guides/sso/openinsight_single_sign_on_sso.txt
  • Last modified: 2024/10/14 14:54
  • by bshumsky