Configure single sign-on
When single sign-on (SSO) is enabled, users can only access the Grid Manager, the Tenant Manager, the Grid Management API, or the Tenant Management API if their credentials are authorized using the SSO sign-in process implemented by your organization. Local users cannot sign in to StorageGRID.
How single sign-on works
The StorageGRID system supports single sign-on (SSO) using the Security Assertion Markup Language 2.0 (SAML 2.0) standard.
Before enabling single sign-on (SSO), review how the StorageGRID sign-in and sign-out processes are affected when SSO is enabled.
Sign in when SSO is enabled
When SSO is enabled and you sign in to StorageGRID, you are redirected to your organization's SSO page to validate your credentials.
1. Enter the fully qualified domain name or IP address of any StorageGRID Admin Node in a web browser.
   The StorageGRID Sign in page appears. If this is the first time you have accessed the URL on this browser, you are prompted for an account ID. If you have previously accessed either the Grid Manager or the Tenant Manager, you are prompted to select a recent account or to enter an account ID.
   Note: The StorageGRID Sign in page is not shown when you enter the complete URL for a tenant account (that is, a fully qualified domain name or IP address followed by /?accountId=20-digit-account-id). Instead, you are immediately redirected to your organization's SSO sign-in page, where you can sign in with your SSO credentials.
2. Indicate whether you want to access the Grid Manager or the Tenant Manager:
   - To access the Grid Manager, leave the Account ID field blank, enter 0 as the account ID, or select Grid Manager if it appears in the list of recent accounts.
   - To access the Tenant Manager, enter the 20-digit tenant account ID or select a tenant by name if it appears in the list of recent accounts.
3. Select Sign in.
   StorageGRID redirects you to your organization's SSO sign-in page.
   If your SSO credentials are correct:
   - The identity provider (IdP) provides an authentication response to StorageGRID.
   - StorageGRID validates the authentication response.
   - If the response is valid and you belong to a federated group with StorageGRID access permissions, you are signed in to the Grid Manager or the Tenant Manager, depending on which account you selected.
   If the service account is inaccessible, you can still sign in, as long as you are an existing user that belongs to a federated group with StorageGRID access permissions.
4. Optionally, access other Admin Nodes, or access the Grid Manager or the Tenant Manager, if you have adequate permissions. You do not need to reenter your SSO credentials.
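As an added example that is not part of this page or StorageGRID's own code, the following Python sketches the checks a SAML 2.0 service provider applies to the IdP's authentication response before mapping the user's federated groups to access permissions for the selected account. The response XML, audience URL, user and group names are constructed for the example; signature verification is assumed to be done beforehand by a SAML library and is represented by a flag.

```python
# Added illustration, not StorageGRID's own code: the checks a SAML 2.0 service
# provider applies to an IdP authentication response before granting access based
# on federated group membership. Signature verification is assumed done already
# by a SAML library; all names, URLs and groups below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed response: one assertion, a "groups" attribute, a 5-minute validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://admin.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups">
      <saml:AttributeValue>grid-admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC, e.g. 2024-01-01T00:05:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(response_xml, expected_audience, allowed_groups, now_utc, signature_verified):
    """Return (ok, reason, user); allowed_groups = federated groups with access to the account."""
    if not signature_verified:          # never trust an unsigned or badly signed response
        return False, "signature not verified", None
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report success", None
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    now = _ts(now_utc)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # rejects an assertion issued for a different service provider
        return False, "assertion not intended for this service provider", None
    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = {v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)}
    if not groups & set(allowed_groups):
        return False, "not in a federated group with access permissions", user
    return True, "ok", user
```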
Sign out when SSO is enabled
When SSO is enabled for StorageGRID, what happens when you sign out depends on what you are signed in to and where you are signing out from.
1. Locate the Sign Out link in the top-right corner of the user interface.
2. Select Sign Out.
   The StorageGRID Sign in page appears. The Recent Accounts drop-down is updated to include Grid Manager or the name of the tenant, so you can access these user interfaces more quickly in the future.

| If you are signed in to… | And you sign out from… | You are signed out of… |
| --- | --- | --- |
| Grid Manager on one or more Admin Nodes | Grid Manager on any Admin Node | Grid Manager on all Admin Nodes. Note: If you use Azure for SSO, it might take a few minutes to be signed out of all Admin Nodes. |
| Tenant Manager on one or more Admin Nodes | Tenant Manager on any Admin Node | Tenant Manager on all Admin Nodes |
| Both Grid Manager and Tenant Manager | Grid Manager | The Grid Manager only. You must also sign out of the Tenant Manager to sign out of SSO. |
| Both Grid Manager and Tenant Manager | Tenant Manager | The Tenant Manager only. You must also sign out of the Grid Manager to sign out of SSO. |

The table summarizes what happens when you sign out if you are using a single browser session. If you are signed in to StorageGRID across multiple browser sessions, you must sign out of all browser sessions separately.