If your company policy supports Single Sign-On (SSO) authentication, Turbonomic enables SSO authentication by using Security Assertion Markup Language (SAML) 2.0.
At a high-level, the process involves:
- Creating external groups or at least one external user for SSO. See “Managing User Accounts” in the Turbonomic User Guide.
- Configuring Turbonomic to connect to the SAML Identity Provider (IdP). See Configuring Single Sign-On.
When SSO is enabled, use your SSO credentials to log in to your Turbonomic instance. Do not use your local or Active Directory (AD) credentials for the login. The Identity Provider (IdP) will perform the authentication.
NOTE: When you enable SSO, Turbonomic only accepts authentication from the IdP you configure. Remote requests via the Turbonomic REST API do not use SSO. For security reasons, those REST API requests will not execute while SSO is enabled. As a result, integrations which use the REST API will not work on the Turbonomic instance where SSO is enabled.
As of Turbonomic v6.4.4, you have the option to enable SSO and still access the REST API; see step 7 below for details.
Configuring Single Sign-On
To configure Single Sign-On, perform these steps:
IMPORTANT: When SSO is enabled, Turbonomic only permits logins via the SSO IdP. Whenever you navigate to your Turbonomic installation, it redirects you to the SSO Identity Provider (IdP) for authentication before displaying the Turbonomic user interface.
Before you enable SSO for your Turbonomic installation, you must configure at least one SSO user with Turbonomic administrator privileges. If you do not, then once you enable SSO you will not be able to configure any SSO users in Turbonomic.
To authorize an SSO user as an administrator, use EXTERNAL AUTHENTICATION to do one of the following:
- Configure a single SSO user with administrator authorization: add an external user. The username must match an account that is managed by the IdP.
- Configure an SSO user group with administrator authorization: add an external group. The group name must match a user group on the IdP, and that group must have at least one member.
For information about creating external groups or external users for SSO, see “Managing User Accounts” in the Turbonomic User Guide.
For instructions, see “Best Practices: Synchronizing Time”.
Copy the template to create the SAML properties file (saml.properties, listed with the other SSO files below):
cp /srv/tomcat/data/config/saml.template.properties /srv/tomcat/data/config/saml.properties
Run the config_saml.sh script to parse the values in the properties file and transfer them to the SAML configuration file, saml-security.xml.
The default key store trusts only two public IdPs, Okta and SSO Circle. If you are using a proprietary IdP or another public IdP, contact your security administrator to add the IdP certificate to the default key store. Default key store location:
Key store password: nalle123
To import a custom IdP certificate:
- Paste the contents of the IdP certificate into a file (for example /tmp/cert_name.crt) and save it.
- Import the certificate into the key store:
keytool -importcert -alias <alias_name> -file /tmp/cert_name.crt -keystore samlKeystore.jks
Type the key store password shown above, then type yes to confirm.
- Confirm that the new certificate is in the key store:
keytool -list -keystore samlKeystore.jks
Type the key store password shown above.
12. Restart the Tomcat service.
service tomcat stop
service tomcat start
Example of IdP Metadata
This section provides an example of IdP metadata which may be useful when you are examining the optional attributes in your metadata.
If your metadata includes optional attribute tags that are not listed in the example, remove those optional attribute tags, since they are invalid for this configuration.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkexl6xc9MhzqiC30h7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
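To check an IdP metadata file against the attribute set shown in this example, here is an added Python script (not Turbonomic's own tooling): it extracts the entityID, confirms that a signing KeyDescriptor is present, and lists any attributes on the three elements above that the example does not show. The ALLOWED sets and the sample metadata are assumptions built from the fragment on this page; extend ALLOWED with the rest of your reference metadata before running it against a real file.

```python
"""Check an IdP metadata file against the attribute set in the example above.

Added example; not part of Turbonomic. ALLOWED is built from the fragment
shown on this page and is an assumption: extend it with the rest of your
reference metadata before using it on a real file.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Attributes the page's example shows on each metadata element.
ALLOWED = {
    f"{{{MD}}}EntityDescriptor": {"entityID"},
    f"{{{MD}}}IDPSSODescriptor": {"WantAuthnRequestsSigned", "protocolSupportEnumeration"},
    f"{{{MD}}}KeyDescriptor": {"use"},
}


def check_idp_metadata(xml_text):
    """Return (entity_id, has_signing_key, extra_attrs).

    extra_attrs lists (element, attribute) pairs that the example does not
    show and that the text above says to remove.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    extra = []
    for elem in root.iter():
        allowed = ALLOWED.get(elem.tag)
        if allowed is None:  # elements outside the three checked ones
            continue
        extra.extend((elem.tag.split("}")[1], a) for a in elem.attrib if a not in allowed)
    signing = root.find(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}KeyDescriptor[@use='signing']")
    return root.get("entityID"), signing is not None, extra


# Constructed sample: the page's fragment completed with a placeholder
# certificate and one attribute (cacheDuration) the example does not show.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkexl6xc9MhzqiC30h7" cacheDuration="PT1H">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    entity_id, has_signing, extra = check_idp_metadata(SAMPLE)
    print(entity_id, has_signing, extra)
```

Run it against the file you intend to place at /srv/tomcat/data/config/saml.xml; any pair it reports is an attribute to strip before restarting Tomcat.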
All authentication and authorization errors are logged in the /var/log/audit/audit.log file.
If for some reason you no longer want to use SSO, you can disable it for your Turbonomic installation. To disable Single Sign-On, perform these steps:
The SSO configuration files are in the directory /srv/tomcat/data/config:
- The metadata file: /srv/tomcat/data/config/saml.xml
- The SAML configuration file: /srv/tomcat/data/config/saml-security.xml
- The SAML properties file: /srv/tomcat/data/config/saml.properties
a) Navigate to the Turbonomic User Interface.
You will no longer be redirected to your IdP for authentication. You will be redirected to the default Turbonomic login screen.
b) Log in with a local account or an Active Directory (AD) account.
Support for Single Logout
If you are using the SSO feature, Turbonomic supports the Single Logout feature provided by Security Assertion Markup Language (SAML) 2.0. When you click Logout in the Turbonomic session that has SSO enabled, the SAML 2.0 Single Logout feature terminates the Turbonomic session, the browser session, the Identity Provider (IdP) session, and sessions at other Service Providers (SP) connected to the same IdP session.
If you want to use this feature, contact your security administrator to configure it.
The following are the requirements:
- The Single Logout setting must be enabled on the IdP.
- The IdP needs to trust the Turbonomic SAML key store certificate.
If the IdP does not enable or support Single Logout, you need to manually log out from the IdP to fully log out from Turbonomic.
If you close the browser without clicking Logout, or if your browser session times out, you can log in again provided the Turbonomic session or the IdP session is still valid.
Managing User Accounts
As an administrator, you specify accounts that grant users specific access to Turbonomic. User accounts determine the following for a given user login:
- User Authentication. To configure an account, you set the type of authentication the account will use:
  - Local User – Configure the username and password and save those credentials on the Turbonomic server.
  - External User – Single user accounts that authenticate through Single Sign-On (SSO) or through Microsoft Active Directory (AD).
  - External Group – User group accounts that authenticate through SSO or AD.
- User Authorization. Properties that determine the range of access and features for a given user:
  - Role – Access to specific Turbonomic features
  - Type – Dedicated user or tenant on a virtual datacenter
  - Scope – How much of the environment this user can manage