SSO AD Integration
Some enterprises have their own Active Directory (AD) or other similar setup and prefer to use those credentials to login into the external applications and platforms. CloudCenter does not support direct AD authentication, and instead supports integration using Single Sign-On (SSO) between the CloudCenter as a Service Provider (SP) and a customer's Identity Provider (IDP) such as ADFS.
CloudCenter supports a multi-tenant model where each vendor is modeled as a tenant. The tenants have a single root hierarchical tree structure. Each tenant has its' own set of users. One of the users is a tenant admin (also referred to as the root admin or platform admin) that has special administrative permissions.
CloudCenter does not authenticate directly to LDAP or AD.
CloudCenter only interacts with LDAP/AD through a SSO IDentity Provider (IDP) that supports SAML 2.0 protocol (for example, Ping Identity, ADFS, Shibboleth, and so forth).
To implement SSO using CloudCenter:
- You must then configure the CCM to re-direct the authentication to the SSO IDP.
- You must also map some additional user custom properties (returned by the SAML IDP) to the user activation profile.
- Once you complete all these steps successfully, CloudCenter automatically assigns the proper user group membership and additional roles and permissions.
CloudCenter 18.104.22.168 ChangeIcon
On Mar. 3, 2017 a certificate used by Single Sign On (SSO) users expired and caused logins to the CCM UI to fail with an invalid username/password error. CloudCenter 22.214.171.124 includes the updated certificate.
Despite a user (User X) being authenticated by an external Identify Provider (IDP), User X also requires a corresponding presence in the CCM VM's user database. In the SSO environment, after User X is authenticated by IDP and uses the CCM VM for the first time, a User X authentication is automatically created in the CCM user database as long as the platform admin has created the tenants and tenant admins.
Each tenant can point to it's own SSO:
- You can configure each tenant to have a dedicated alias hostname and use an external IDP to authenticate its users.
- Each tenant and user has an externalId to associate with an external organization and user.
Handling Deleted Users
If you delete a user from the IDP database, the deleted user cannot log into CloudCenter but any configuration and associated dependencies continue to remain in the CloudCenter platform.
- No labels