Configuring single sign-on

Introduction

The CLM supports single sign-on, or SSO access, as described in . Multiple authentication sources of the same or different type are supported.

Note: The descriptive text in the nsp-config.yml file includes additional configuration information.

Configuring LDAPS or secure AD

TLS certificates for LDAPS communication must be copied to the /tls/ldap directory below the CLM installation directory.

Using LDAPS requires that an LDAPS certificate contains the IP or hostname of the LDAP server in the certificate SAN field, and that the same IP or hostname is specified in the nsp-config.yml.

CLM SSO configuration parameters

Table 9-1, SSO parameters, CLM configuration file lists and describes the configuration parameters in the sso subsection, nsp section of the nsp-config.yml file. You can use the parameters to enable HSTS for secure web-browser access, and configure brute-force detection parameters for managing repeated failed login attempts, as described in CLM login protection.

See for remote authentication configuration examples.

Table 9-1: SSO parameters, CLM configuration file

Section and parameters

Description

hsts

Whether to enable HSTS headers that tell client browsers to use only HTTPS and a valid CA certificate

Default: false

bruteForceDetection parameters

enabled

Whether to enable brute-force protection

Default: true

permanentLockout

Whether to enable permanent user lockout after the maxLoginFailures number of login failures

Default: false

maxLoginFailures

Number of allowed login failures before temporary or permanent lockout

Default: 5

waitIncrement

Temporary lockout time, in seconds, after maxLoginFailures failed login attempts reached

Default: 60

quickCheck

Number of milliseconds during which two consecutive login failures enable lockout period defined by minQuickWait parameter

Default: 1000

minQuickWait

Lockout duration, in seconds, triggered by quickCheck violation

Default = 60

maxWait

Maximum temporary lockout duration, in minutes

Default: 15

failureResetTime

Number of hours after which to reset the login-failure counts

Default: 12

ldap — LDAP parameters

enabled

Whether LDAP is to be used for authentication

Default: false

servers

List of LDAP servers; specify a server using the parameters below

type

LDAP server type; valid values are:

  • AD

  • AUTHENTICATED

name

LDAP server name; text string

url

LDAP server URL with IP address or hostname and port, for example:

ldap://203.0.113.172:389

Default: none

priority

LDAP server priority, 0 is highest

Default: 0

usernameLdapAttribute

LDAP attribute to map to OAUTH2 username, for example, cn, uid, or userPrincipalName

rdnLdapAttribute

LDAP attribute to use as rdn for typical user dn, typically cn

uuidLdapAttribute

LDAP attribute that uniquely identifies LDAP objects

userObjectClasses

Comma-separated list of user objectClasses

customUserLdapFilter

Additional filter for user searches

searchScope

Scope of user search in userDn; valid values are:

  • 1—scope limited to specified userDN

  • 2—scope is entire sub-tree

security

LDAP server security type; valid values are:

  • TLS

  • None

timeout

Timeout period for receiving LDAP server response, in milliseconds

Default: 5000

userDn

DN of LDAP tree in which to find users

userFilter

User filter criteria

groupDn

DN of LDAP tree in which to find groups

groupNameLdapAttribute

LDAP attribute to map to user group

groupsLdapFilter

Groups filter criteria

groupObjectClasses

Comma-separated list of objectClasses for groups

groupMembershipLdapAttribute

Group attribute for user search

groupMembershipUserLdapAttribute

Username attribute in group membership

groupMemberOfLdapAttribute

User attribute that indicates group membership, usually memberOf

bind

LDAP bind credentials; for AUTHENTICATED server type only

dn

Bind user DN

credential

Bind user credential

radius — RADIUS parameters

enabled

Whether RADIUS is to be used for authentication

Default: none

address

Comma-separated list of colon-separated RADIUS-server IP addresses or hostnames and ports; for example:

203.0.113.150:1812,radius-server-a:1812

Default: none

secret

RADIUS server secret

You can specify a unique secret for each RADIUS server.

Default: none

protocol

Protocol to use—PAP or CHAP

Default: none

retries

Maximum number of attempts to reach server

Default: 3

timeout

Timeout, in milliseconds, for RADIUS-server connection attempts

Default: 5000

vendorId

Vendor ID for VSA search

Default: 123

roleVsaId

VSA ID used to identify group

Default: 3

nasId

ID of the RADIUS Network Access Server (optional)

nasIp

IP address of the RADIUS Network Access Server (optional)

nasIpv6

IPv6 address of the RADIUS Network Access Server (optional)

tacacs — TACACS+ parameters

enabled

Whether TACACS+ authentication is to be used

Default: none

address

Comma-separated list of colon-separated TACACS+-server IP addresses or hostnames and ports; for example:

203.0.113.167:1812,tacacs-server-a:1812

Default: none

secret

Shared TACACS+ server secret

The secret must be common to all TACACS+ servers.

Default: none

protocol

Protocol to use

Default: PAP

timeout

Timeout, in milliseconds, for TACACS+-server connection attempts

Default: 7000

defaultGroup

Default group to assign if no group is defined on remote server for user

The group is assigned to a TACACS+ user if the vsaEnabled parameter is set to false.

Default: none

vsaEnabled

Whether VSA search is enabled

If set to true, a user group attribute is expected in the user authentication response/

Default: true

roleVsaId

Role used for VSA search

Default: sam-security-group

vsaServiceId

VSA search service identifier

Default: sam-app