Single sign-on prerequisites

Note: SSO server and smart card are only supported on Linux and Solaris.

For platforms that support SSO, you can choose to:

  • Install an SSO server with the server.

  • Use an existing SSO server, for example, an SSO-enabled SBM server installation.

  • Use smart card reader authentication software with remote Windows clients that have the smart card client software and hardware.

After installation you must manually configure trusted certificate authorities. See Configure trusted certificate authorities.

For details about the SSO and smart card architecture, see the Administration Guide.

SSO authentication prerequisites

Remote Windows client with smart card reader

The following client-side prerequisites apply to a remote Windows client with a smart card reader:

  • ActivClient 6.1 or later smart card software. Configure the ActivClient client as described in the vendor documentation.

  • Each user has a personal smart card.

  • A smart card reader is attached to the client system.

Existing SSO server prerequisites

The following information is requested by the installer if you choose to use an existing UNIX SSO server, with or without a smart card reader:

Hostname
    The host name of the existing SSO server.

SSO Port
    HTTP or HTTPS TCP port used by the existing SSO server. If the port does not serve HTTPS, the Secure (https) Connection option must not be selected.

Secure (https) Connection
    Tells the installer that the connection to the SSO server must use SSL/TLS (HTTPS). Select it whenever the SSO port serves HTTPS, so that authentication traffic between the server and the SSO server is not sent in clear text.

New SSO server prerequisites

The following information is requested by the installer if you choose to create a new UNIX SSO server. If you are installing for use with a remote smart card reader, you are first prompted for the following smart card parameters:

Hostname
    The host name of the Domain Controller (Active Directory) or the system that serves LDAP requests.

Port
    TCP port (by default 389) on which the directory accepts LDAP requests from the new SSO server. Port 389 is the unencrypted LDAP port; over it the bind user password travels in clear text unless the connection is otherwise protected.

Bind User DN
    The LDAP bind user DN (distinguished name) for the new SSO server. This is the account on the external LDAP server that is permitted to search the directory within the defined search base. Its role is to query the directory, using the LDAP search filter and search base, for the DN of the user who is authenticating; when that DN is returned, the user's DN and password are used for the actual authentication. The bind account is often granted search rights over the entire directory, but a read-only account whose search rights are limited to the search base is sufficient.

Password
    The LDAP password used together with the bind user DN by the new smart card setup software.

Then provide the following information for the SSO server itself:

Hostname
    The host name of the Domain Controller (Active Directory) or the system that serves LDAP requests. If you are installing SSO with smart card reader support, this defaults to the value you provided when setting up smart card support.

Port
    TCP port (by default 389) on which the directory accepts LDAP requests from the new SSO server. If you are installing SSO with smart card reader support, this defaults to the value you provided when setting up smart card support.

Base DN
    The LDAP base DN for the new SSO server: the top level in the LDAP directory tree below which the search for the user is performed. It looks like this:

    CN=Users,DC=your,DC=domain,DC=com

Search Filter
    The LDAP search filter for the new SSO server. A search filter names the attribute you are searching on and the value or range of values you want to match. Every filter has at least three components:

      • The attribute to search on, called the attribute data type.

      • The search filter operator that determines what counts as a match, sometimes called the match operator.

      • The value of the attribute you are searching for.

    You can build compound search filters by combining two or more filters. Each filter is enclosed in parentheses, and compound filters use one or more of the three compound operators (AND, OR, NOT). You can nest compound and wildcard filters as deeply as you need, as long as the parentheses balance.

    For Microsoft Active Directory (Domain Controller) the search filter should look like:

    (&(objectClass=user)(sAMAccountName={0}))

    where {0} is replaced with the user name of the user who is logging in. The user name must be escaped before it is substituted; otherwise characters such as *, (, ) and \ in the entered name change the structure of the filter (LDAP injection).

Bind User DN
    The LDAP bind user DN for the new SSO server. If you are installing SSO with smart card reader support, this defaults to the value you provided when setting up smart card support.

Password
    The LDAP password used together with the bind user DN by the new SSO server. If you are installing SSO with smart card reader support, this defaults to the value you provided when setting up smart card support.
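The flow the Bind User DN description outlines (bind as the service account, search the base DN for the user's DN with the search filter, then bind as that user) together with the {0} substitution in the Active Directory filter, as an added worked example that is not part of this documentation or of the installer. The directory contents, the service account CN=svc-sso and every password are constructed test data, and the filter parser covers only the AND/OR/NOT and attr=value forms the page discusses:

```python
"""Added example, not product or installer code: build the installer's
Active Directory search filter with RFC 4515 escaping and run the
bind -> search -> bind flow against a constructed in-memory directory."""
import re

# Values substituted for {0} must have these characters escaped (RFC 4515);
# otherwise a login name such as "a*" or "x)(cn=*" rewrites the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

SEARCH_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
BASE_DN = "CN=Users,DC=your,DC=domain,DC=com"
BIND_DN = "CN=svc-sso,CN=Users,DC=your,DC=domain,DC=com"   # hypothetical service account
BIND_PW = "bind-secret"                                   # hypothetical

# Constructed directory (DN -> attributes); all passwords are fake test data.
DIRECTORY = {
    BIND_DN: {"objectClass": ["user"], "sAMAccountName": ["svc-sso"],
              "userPassword": [BIND_PW]},
    "CN=Alice,CN=Users,DC=your,DC=domain,DC=com":
        {"objectClass": ["user"], "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    "CN=Admin,CN=Users,DC=your,DC=domain,DC=com":
        {"objectClass": ["user"], "sAMAccountName": ["admin"], "userPassword": ["admin-pw"]},
    # Same account name but outside the base DN: the search must never return it.
    "CN=alice,CN=Computers,DC=your,DC=domain,DC=com":
        {"objectClass": ["computer"], "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
}


def escape_filter_value(value):
    """Escape a value before substituting it for {0} in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username, escape=True):
    """Substitute the login name for {0}; escape=False shows the unsafe way."""
    return SEARCH_FILTER.replace("{0}", escape_filter_value(username) if escape else username)


def _parse(s):
    """Recursive-descent parser for the subset used here: &, |, ! and attr=value."""
    if not s.startswith("("):
        raise ValueError("filter must start with '('")
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced parentheses")
        return (op, kids), s[1:]
    if s[:1] == "!":
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unbalanced parentheses")
        return ("!", [kid]), s[1:]
    end = s.index(")")                      # ValueError if the filter is cut off
    attr, _, value = s[:end].partition("=")
    return ("=", attr, value), s[end + 1:]


def _unescape(segment):
    """Turn RFC 4515 \\xx hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


def _matches(node, attrs):
    if node[0] == "&":
        return all(_matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], attrs)
    _, attr, raw = node
    # An unescaped '*' is a wildcard; '\2a' becomes a literal '*' and is regex-escaped.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in attrs.get(attr, []))


def search(base_dn, filter_str):
    """Return the DNs below base_dn that match filter_str (subtree scope)."""
    node, rest = _parse(filter_str)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    suffix = "," + base_dn.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.lower().endswith(suffix) and _matches(node, attrs))


def bind(dn, password):
    """Simple bind: succeeds only with the entry's own password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username, password, escape=True):
    """Bind as the service account, find the user's DN, then bind as the user.
    Returns the authenticated DN, or None."""
    if not password:
        return None  # an empty password would be an anonymous bind on a real server
    if not bind(BIND_DN, BIND_PW):
        raise RuntimeError("bind user DN or password rejected by the directory")
    dns = search(BASE_DN, build_filter(username, escape))
    if len(dns) != 1:
        return None  # unknown user, or an ambiguous match such as an injected wildcard
    return dns[0] if bind(dns[0], password) else None


if __name__ == "__main__":
    print(build_filter("a*"))                                 # wildcard neutralised
    print(authenticate("alice", "alice-pw"))                  # Alice's DN
    print(search(BASE_DN, build_filter("a*", escape=False)))  # unescaped: two DNs match
```

Three checks in authenticate() matter on a real directory as much as here: the empty password is rejected before any bind, because many LDAP servers treat a bind with an empty password as an anonymous bind that succeeds; the login name is escaped before substitution, so "a*" becomes "a\2a" and matches nothing instead of every account starting with "a"; and a search that returns more than one DN is treated as a failure rather than silently using the first result.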