Implementing single sign-on
To implement the TrueSight Server Automation single sign-on system, you need the following services:
- Authentication Service — Used for authenticating user identities and issuing session credentials to authenticated users. The Authentication Service processes all user authentication requests — that is, all requests from the TrueSight Server Automation Console or the blcred utility. All communication with the Authentication Service occurs over TLS. A standard installation of the Application Server includes an Authentication Service. A standard installation of TrueSight Server Automation - Data Warehouse sets up a stand-alone Authentication Server for reports users. SRP authentication is supported by default for all TrueSight Server Automation applications.
- Application Service — Used for accessing the functionality of the TrueSight Server Automation Application Server. After a client user authenticates, the client application is issued a session credential. A client application (the TrueSight Server Automation Console or the BLCLI) presents the session credential to the Application Service to establish a secure session with one of the targeted services listed within the session credential. All communication with the Application Service occurs over TLS. A standard installation of the Application Server sets up the Application Service.
- Network Shell Proxy Service — Used for accessing the functionality of a Network Shell proxy server. After a client user authenticates, the client application is issued a session credential. A Network Shell client presents the session credential to the Network Shell Proxy Service to establish a secure session with the Network Shell proxy server. All communication with the Network Shell Proxy Service occurs over TLS. Some configuration is necessary to set up a Network Shell Proxy Service.
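The three services above share one pattern: the Authentication Service issues a session credential that names the services it may be presented to, and the Application Service or Network Shell Proxy Service opens a session only after checking that credential. The following Python is an added illustration of that relying-service check, not TrueSight Server Automation code (this page does not describe the product's credential format or cryptography). The HMAC-SHA256 signature, the shared issuer key, the credential layout, the service names and the one-hour lifetime are assumptions made for the example.

```python
"""Toy model of a scoped single sign-on session credential.

Added example, not TrueSight Server Automation code. It models the flow the
text describes: the Authentication Service issues a credential listing the
targeted services, and each relying service (Application Service, Network
Shell Proxy Service) verifies the credential and checks that it is one of
the listed targets before establishing a session. Credential format, HMAC
key, service names and lifetime are assumptions for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example: in a real deployment the issuer's signing key
# never leaves the Authentication Service; a shared secret is used here so the
# whole exchange runs in one process.
ISSUER_KEY = b"example-authentication-service-key"
CREDENTIAL_LIFETIME = 3600  # seconds, assumed for the example


def _sign(payload_b64: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload_b64, hashlib.sha256).hexdigest()


def issue_session_credential(user: str, target_services: list, now=None) -> str:
    """Authentication Service side: after the user has authenticated (for
    example with SRP), issue a credential naming the user, the services it
    may be presented to, and an expiry. Returns '<payload>.<signature>'."""
    now = time.time() if now is None else now
    payload = {"sub": user, "svc": sorted(target_services),
               "iat": int(now), "exp": int(now) + CREDENTIAL_LIFETIME}
    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode())
    return payload_b64.decode() + "." + _sign(payload_b64)


def accept_session(credential: str, service_name: str, now=None):
    """Relying-service side: verify the credential and confirm this service
    is one of its targets. Returns (ok, reason, payload_or_None)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = credential.split(".", 1)
    except ValueError:
        return False, "malformed credential", None
    payload_b64 = payload_b64.encode()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(_sign(payload_b64).encode(), sig.encode()):
        return False, "bad signature", None
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if now >= payload["exp"]:
        return False, "credential expired", None
    # The credential is scoped: one issued for the Network Shell proxy must
    # not be accepted by the Application Service, and vice versa.
    if service_name not in payload["svc"]:
        return False, f"credential not valid for {service_name}", None
    return True, "session established", payload


def demo():
    """Run the exchange against constructed inputs and collect the outcomes."""
    t0 = 1_700_000_000
    app, proxy = "AppService:appserver1", "NshProxyService:proxy1"  # assumed names
    cred = issue_session_credential("bladmin", [app], now=t0)

    # A client tries to widen its own credential's scope by editing the
    # payload and reusing the old signature.
    payload = json.loads(base64.urlsafe_b64decode(cred.split(".")[0]))
    payload["svc"].append(proxy)
    forged = (base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
        + "." + cred.split(".")[1])

    return {
        "app_service": accept_session(cred, app, now=t0)[1],
        "nsh_proxy": accept_session(cred, proxy, now=t0)[1],
        "expired": accept_session(cred, app, now=t0 + CREDENTIAL_LIFETIME)[1],
        "forged": accept_session(forged, proxy, now=t0)[1],
    }


if __name__ == "__main__":
    for outcome, reason in demo().items():
        print(f"{outcome}: {reason}")
```

The point the model makes is the one the text implies: a session credential is only as safe as the checks the relying service performs, so every service must verify the issuer's signature, refuse expired credentials, and reject any credential that does not list it as a target.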
To implement single sign-on
Use the following master procedure to implement the single sign-on system. Each of the steps in this procedure references a topic that describes another procedure.
- To modify the default behavior of an Authentication Service, see Configuring-the-Authentication-Service.
  A default installation of a TrueSight Server Automation Application Server sets up an Authentication Service to support single sign-on for TrueSight Server Automation client applications.
- To modify the default behavior of the Application Service, see Configuring-the-Application-Service.
  A default installation of a TrueSight Server Automation Application Server sets up an Application Service to support single sign-on.
- To use a Network Shell proxy server, see Setting-up-a-Network-Shell-proxy-server.
- To modify the location of any SSO files used by any TrueSight Server Automation client application, see Setting-override-locations-for-client-SSO-files.
  The files used by the SSO system reside at default locations. If necessary, you can instruct a client application to use different files.
- To set up OCSP verification of certificates, see Setting-up-certificate-verification-using-OCSP.
  Currently, OCSP verification is enabled by default only for PKI authentication. You can optionally use OCSP verification for Application Servers provisioned with custom certificates.
- To set up the SSO system to support any authentication protocol other than SRP, see any of the following: