Configuring Single Sign-On (SSO)

Single Sign-On (SSO) allows users in your organization to use OnCommand Insight without needing a special account.

Administrators can configure the OnCommand Insight Server for Single Sign-On (SSO) access for users in their corporate domain. With SSO configured, any user with the domain email address can log into Insight using their corporate credentials. OnCommand Insight supports the OpenID Connect (OIDC) protocol for SSO.

Note: SSO is available for the Insight Server web-based UI only. SSO is not available for Data Warehouse, Reporting, or Java Client UI components.

Steps to Configure SSO

Manage SSL Certificates

You must import the root certificate of your identity provider’s SSL certificate chain. To do so, download the root certificate associated with the host name of the token endpoint (login.microsoftonline.com for Azure Active Directory) and save it to a file. Then click the “Certificates” button and, on the “Manual” tab, select the file and supply an alias such as “sso-root” to import it.

If SSO is already enabled and you imported a new certificate, you must restart the SANScreen service.
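A common mistake at this step is saving the server (leaf) or an intermediate certificate instead of the root. The following check is an added example, not part of the Insight documentation or NetApp tooling: it assumes the openssl command-line tool is installed and that the certificate was saved in PEM format. The function name and file path are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a saved certificate before importing it
# under an alias such as "sso-root".
# Usage (path is an assumption): sh check_sso_root.sh /tmp/idp-root.pem

check_sso_root() {
    cert="$1"

    # The file must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM X.509 certificate" >&2
        return 2
    fi

    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)

    # A root certificate is self-issued: subject and issuer are identical.
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "FAIL: not a root, issued by ${issuer#issuer=}" >&2
        return 1
    fi

    # Its signature must verify against its own public key.
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: self-signature does not verify" >&2
        return 1
    fi

    # Reject a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2
        return 1
    fi

    # Print the fingerprint so it can be compared out of band with the
    # value published by the certificate authority.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    echo "OK: ${subject#subject=} is a self-signed, unexpired root"
}

if [ "$#" -gt 0 ]; then
    check_sso_root "$1"
fi
```

Passing this check shows only that the file is a root certificate; compare the printed fingerprint with the one the certificate authority publishes before importing it.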

Enabling SSO in the Operating System

To enable SSO on the current system and preserve the ssoAuth system property through upgrades, do the following.

To enable SSO on Windows, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\NetApp\SANscreen in the registry. Change the value of ssoAuth from false to true. This value is read during upgrade and used to set the ssoAuth system property for the upgraded system. It has no effect on the current instance; you must also update ssoAuth in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\SANscreen Server\Parameters\Java Options.

To enable SSO on Linux, navigate to /opt/netapp/oci/conf/ and open the wildfly.properties file. Change the value of SSO_AUTH_ENABLED from false to true.

After enabling SSO, restart the SANScreen service.

Troubleshooting SSO Problems

If you receive a "Not Authorized" error, check the server.log for details. You might see this error when the identity provider has authenticated the user properly but Insight reports that authorization failed.

In the event that users cannot log in with SSO, log in as a non-SSO user with Administrator permissions and correct the SSO configuration. You can do this by entering <Your Insight URL>/uiserver/login.html# in a browser window.