Get started
Requirements for using single sign-on
Suggest changes
-
PDF of this doc site
-
Install and upgrade software
-
Install and maintain hardware
-
SG5700 storage appliances
-
SG5600 storage appliances
-
-
Configure and manage
-
Administer StorageGRID
-
-
Use StorageGRID
-
Monitor and troubleshoot
-
Monitor a StorageGRID system
-
-
Collection of separate PDF docs
Creating your file...
Before enabling single sign-on (SSO) for a StorageGRID system, review the requirements in this section.
|
Single sign-on (SSO) is not available on the restricted Grid Manager or Tenant Manager ports. You must use the default HTTPS port (443) if you want users to authenticate with single sign-on. |
Identity provider requirements
The identity provider (IdP) for SSO must meet the following requirements:
-
Either of the following versions of Active Directory Federation Service (AD FS):
-
AD FS 4.0, included with Windows Server 2016
Windows Server 2016 should be using the KB3201845 update, or higher. -
AD FS 3.0, included with Windows Server 2012 R2 update, or higher.
-
-
Transport Layer Security (TLS) 1.2 or 1.3
-
Microsoft .NET Framework, version 3.5.1 or higher
Server certificate requirements
StorageGRID uses a Management Interface Server Certificate on each Admin Node to secure access to the Grid Manager, the Tenant Manager, the Grid Management API, and the Tenant Management API. When you configure SSO relying party trusts for StorageGRID in AD FS, you use the server certificate as the signature certificate for StorageGRID requests to AD FS.
If you have not already installed a custom server certificate for the management interface, you should do so now. When you install a custom server certificate, it is used for all Admin Nodes, and you can use it in all StorageGRID relying party trusts.
|
|
Using an Admin Node's default server certificate in the AD FS relying party trust is not recommended. If the node fails and you recover it, a new default server certificate is generated. Before you can sign in to the recovered node, you must update the relying party trust in AD FS with the new certificate. |
You can access an Admin Node's server certificate by logging in to the command shell of the node and going to the /var/local/mgmt-api directory. A custom server certificate is named custom-server.crt. The node's default server certificate is named server.crt.