SSO and smart card authentication
Support for Single Sign On (SSO) authentication is optionally available on certain Dimensions CM platforms by editing various configuration files post-installation. For details, see the Administration Guide.
- Install an SSO server with the server.
- Use an existing SSO server, for example, an SSO-enabled SBM server installation.
- Configure smart card reader server-side software.
The OpenText Dimensions CM installer performs most of the configuration. However, you do need to enter SSO values; see below for details.
The installer configures CM to work with SSO and smart cards, apart from trusted certificate authorities, which you configure manually. For details, see Configure trusted certificate authorities.
Note: We recommend installing an SSO server and smart card at the same time that you install the server to take advantage of the automatic configuration.
Existing SSO server prerequisites
The following information is requested by the installer if you choose to use an existing local or remote SSO server:
| Existing SSO Parameter | Description |
|---|---|
| Hostname | The host name of the existing SSO Server. |
| SSO Port | HTTP or HTTPS TCP port used by an existing SSO server. If the port is not https, the Secure (https) Connection option must not be selected. |
| Secure (https) Connection | Default: not selected. Select if Secure Socket Layer (SSL) communication is required. |
You can download the SBM software and documentation from the Support website. To enable an SBM server for SSO, see the SBM Installation and Configuration Guide.
Smart card prerequisites
The following information is requested by the installer when you configure smart card authentication for the first time with the Lightweight Directory Access Protocol (LDAP) authentication method:
| Smart Card Parameter | Description |
|---|---|
| Hostname | Either the host name of the Domain Controller (Active Directory) or the machine that serves LDAP requests. It is usually the former. |
| Port | TCP port (by default 389) to be used by the new SSO server. |
| Bind User DN | The LDAP bind user distinguished name (DN) to be used for smart card configuration. The bind user DN is the user on the external LDAP server permitted to search the LDAP directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory using the LDAP query filter and search base for the DN (distinguished name) for authenticating users. When the DN is returned, the DN and password are used for authentication. |
| Password | The LDAP password to be used in conjunction with the bind user DN by the new smart card setup software. |
New SSO server prerequisites
The following information is requested by the installer if you choose to create a new local or remote SSO server:
Native Windows Authentication (NTLM) authentication method:
| SSO Parameter Required | Description |
|---|---|
| Hostname | Host name on which to install the new SSO server. |
| Domain | The server domain in which the Windows users reside. |
Lightweight Directory Access Protocol (LDAP) authentication method:
| SSO Parameter | Description |
|---|---|
| Hostname | Either the host name of the Domain Controller (Active Directory) or the machine that serves LDAP requests (typically the domain controller). |
| Port | TCP port (by default 389) for the new SSO server. |
| Base DN | The LDAP base DN for the new SSO server. The base DN is the top level in the LDAP directory tree below which the search for the user should be performed. Looks like this: |
| Search Filter | The LDAP search filter for the new SSO server. The installer pre-populates this field with a default search filter. LDAP search filters function within a framework. The framework includes what attributes you are searching on and the value, or range of values, that you are trying to match. Each search filter involves at least three components: Each search needs to have a minimum of one of each of the components. You can create compound search filters by connecting two or more search filter modules. They are enclosed in parentheses to clarify filter content, and include one or more of three compound search filter operators (AND, OR, NOT). You can add multiple compound and wildcard filters as long as you have the correct number of matching parentheses. The actual search filter in the case of Microsoft Active Directory (Domain Controller) should look like: where {0} is substituted by the actual user name that is logging in. See the LDAP RFC 4515 documentation for more information about LDAP search filters and a mechanism for representing them as strings. |
| Bind User DN | The LDAP bind user DN for the new SSO server. The bind user DN is the user on the external LDAP server permitted to search the LDAP directory within the defined search base. Most of the time the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory using the LDAP query filter and search base for the DN for authenticating users. When the DN is returned, the DN and password are used for authentication. |
| Password | The LDAP password to be used in conjunction with the bind user DN by the new SSO server. By default, the installer pre-populates this field with the same LDAP value it was given earlier for the smart card setup software. |
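The `{0}` substitution described for the Search Filter parameter, as an added example that is not part of the OpenText documentation or installer: it escapes the login name as RFC 4515 requires and checks that parentheses still match. The template `(&(objectClass=user)(sAMAccountName={0}))` and all function names are assumptions constructed for illustration, not the installer's default filter.

```python
# Added example: RFC 4515 escaping when a login name replaces {0} in a filter.

# RFC 4515 section 3: these characters inside an assertion value are written
# as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample template (assumption, not the installer's default):
# a compound AND filter over two Active Directory attributes.
SAMPLE_TEMPLATE = "(&(objectClass=user)(sAMAccountName={0}))"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parens_balanced(filter_text: str) -> bool:
    """True when every '(' has a matching ')' and none closes early."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_filter(template: str, username: str) -> str:
    """Replace each {0} with the escaped login name and validate the result."""
    if "{0}" not in template:
        raise ValueError("template has no {0} placeholder")
    if not parens_balanced(template):
        raise ValueError("template has unmatched parentheses")
    result = template.replace("{0}", escape_filter_value(username))
    # Escaping removes literal parentheses from the value, so the
    # substituted filter keeps exactly the template's component count.
    assert result.count("(") == template.count("(")
    return result


if __name__ == "__main__":
    for name in ("jdoe", "smith (ext)*", "corp\\jdoe"):  # constructed inputs
        print(build_filter(SAMPLE_TEMPLATE, name))
```
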
Smart card client prerequisites
- Smart card ActivClient 6.1 or later is installed and configured on each client.
  If you have Version 6.2 of ActivClient installed, to use a smart card with the Eclipse integration you need to change the location of the SmartCard Library.
- Each user has a personal smart card.
- A smart card reader is attached to the client machine.

