Requirements for using single sign-on

Before enabling single sign-on (SSO) for a StorageGRID system, review the requirements in this section.

Attention: Single sign-on (SSO) is not available on the restricted Grid Manager or Tenant Manager ports. You must use the default HTTPS port (443) if you want users to authenticate with single sign-on.

Identity provider requirements

The identity provider (IdP) for SSO must meet the following requirements:

Either of the following versions of Active Directory Federation Service (AD FS):
- AD FS 4.0, included with Windows Server 2016
  Note: Windows Server 2016 should be using the KB3201845 update, or higher.
- AD FS 3.0, included with Windows Server 2012 R2 update, or higher.
Transport Layer Security (TLS) 1.2 or 1.3
Microsoft .NET Framework, version 3.5.1 or higher

Server certificate requirements

StorageGRID uses a Management Interface Server Certificate on each Admin Node to secure access to the Grid Manager, the Tenant Manager, the Grid Management API, and the Tenant Management API. When you configure SSO relying party trusts for StorageGRID in AD FS, you use the server certificate as the signature certificate for StorageGRID requests to AD FS.

If you have not already installed a custom server certificate for the management interface, you should do so now. When you install a custom server certificate, it is used for all Admin Nodes, and you can use it in all StorageGRID relying party trusts.

Note: Using an Admin Node's default server certificate in the AD FS relying party trust is not recommended. If the node fails and you recover it, a new default server certificate is generated. Before you can sign in to the recovered node, you must update the relying party trust in AD FS with the new certificate.

You can access an Admin Node's server certificate by logging in to the command shell of the node and going to the /var/local/mgmt-api directory. A custom server certificate is named custom-server.crt. The node's default server certificate is named server.crt.