Configuring single sign-on

Introduction

The NSP supports single sign-on, or SSO access, as described in OAUTH2 user authentication. Multiple authentication sources of the same or different type are supported.

Note: The descriptive text in the nsp-config.yml file includes additional configuration information.

Configuring LDAPS or secure AD

TLS certificates for LDAPS communication must be copied to the /tls/ldap directory below the NSP installation directory.

Using LDAPS requires that the LDAPS certificate contain the IP address or hostname of the LDAP server in the certificate SAN field, and that the same IP address or hostname be specified in the nsp-config.yml file.

NSP SSO configuration parameters

Table 6-1, SSO parameters, NSP configuration file lists and describes the configuration parameters in the sso subsection, nsp section of the nsp-config.yml file. The table also includes parameters for managing repeated failed login attempts, such as in brute-force attacks; see NSP login protection for information.

See Appendix B, NSP SSO configuration examples for remote authentication configuration examples.

Table 6-1: SSO parameters, NSP configuration file

Section and parameters

Description

authMode

NSP user authentication mode

Default: oauth2

hsts

Whether to enable HSTS headers that tell client browsers to use only HTTPS and a valid CA certificate

Default: false

sessionIdleTimeout

Number of minutes after which to terminate an idle GUI-client session

Note: The value must be equal to or higher than the accessTokenLifespan value, or NSP client access may be compromised. The NSP verifies the parameter settings during deployment; however, the sessionIdleTimeout value is configurable after installation using NSP Users and Security, so care must be taken to set the value appropriately.

Default: 60

accessTokenLifespan

Client access-token validity duration, in minutes

Default: 60

bruteForceDetection parameters

enabled

Whether to enable brute-force protection

Default: true

permanentLockout

Whether to enable permanent user lockout after the maxLoginFailures number of login failures

Default: false

maxLoginFailures

Number of allowed login failures before temporary or permanent lockout

Default: 5

waitIncrement

Temporary lockout time, in seconds, after the maxLoginFailures number of failed login attempts is reached

Default: 60

quickCheck

Number of milliseconds within which two consecutive login failures trigger the lockout period defined by the minQuickWait parameter

Default: 1000

minQuickWait

Lockout duration, in seconds, triggered by quickCheck violation

Default: 60

maxWait

Maximum temporary lockout duration, in minutes

Default: 15

failureResetTime

Number of hours after which to reset the login-failure counts

Default: 12

nfmp — NFM-P authentication parameters

enabled

Whether NFM-P is to perform user authentication

Default: true if using CAS and deployment includes NFM-P; false otherwise

realms

NFM-P realm list

Note: The realm parameters are defunct, and are not to be configured.

realm

NFM-P authentication realm name; first realm must be named “sam”

Default: sam

display_name

Realm name to display in NSP UI

Default: NFM-P 1

ldap — LDAP parameters

enabled

Whether LDAP is to be used for authentication

Default: false

servers

List of LDAP servers; specify a server using the parameters below

type

LDAP server type; valid values are:

  • AD

  • AUTHENTICATED

name

LDAP server name; text string

url

LDAP server URL with IP address or hostname and port, for example:

ldap://203.0.113.172:389

Default: none

priority

LDAP server priority, 0 is highest

Default: 0

usernameLdapAttribute

LDAP attribute to map to OAUTH2 username

rdnLdapAttribute

LDAP attribute to use as the RDN of a typical user DN; typically cn

uuidLdapAttribute

LDAP attribute that uniquely identifies LDAP objects

userObjectClasses

Comma-separated list of user objectClasses

customUserLdapFilter

Additional filter for user searches

searchScope

Scope of user search in userDn; valid values are:

  • 1—scope limited to specified userDN

  • 2—scope is entire sub-tree

security

LDAP server security type; valid values are:

  • SSL

  • None

timeout

Timeout period for receiving LDAP server response, in milliseconds

Default: 5000

userDn

DN of LDAP tree in which to find users

userFilter

User filter criteria

groupDn

DN of LDAP tree in which to find groups

groupNameLdapAttribute

LDAP attribute to map to user group

groupsLdapFilter

Groups filter criteria

groupObjectClasses

Comma-separated list of objectClasses for groups

groupMembershipLdapAttribute

Group attribute for user search

groupMembershipUserLdapAttribute

Username attribute in group membership

groupMemberOfLdapAttribute

User attribute that indicates group membership, usually memberOf

bind

LDAP bind credentials; for AUTHENTICATED server type only

dn

Bind user DN

credential

Bind user credential

radius — RADIUS parameters

enabled

Whether RADIUS is to be used for authentication

Default: none

address

Comma-separated list of colon-separated RADIUS-server IP addresses or hostnames and ports; for example:

203.0.113.150:1812,radius-server-a:1812

Default: none

secret

RADIUS server secret

You can specify a unique secret for each RADIUS server.

Default: none

protocol

Protocol to use—PAP or CHAP

Default: none

retries

Maximum number of attempts to reach server

Default: 3

timeout

Timeout, in milliseconds, for RADIUS-server connection attempts

Default: 5000

vendorId

Vendor ID for VSA search

Default: 123

roleVsaId

VSA ID used to identify group

Default: 3

nasId

ID of the RADIUS Network Access Server (optional)

nasIp

IP address of the RADIUS Network Access Server (optional)

nasIpv6

IPv6 address of the RADIUS Network Access Server (optional)

tacacs — TACACS+ parameters

enabled

Whether TACACS+ authentication is to be used

Default: none

address

Comma-separated list of colon-separated TACACS+-server IP addresses or hostnames and ports; for example:

203.0.113.167:1812,tacacs-server-a:1812

Default: none

secret

Shared TACACS+ server secret

The secret must be common to all TACACS+ servers.

Default: none

protocol

Protocol to use

Default: PAP

timeout

Timeout, in milliseconds, for TACACS+-server connection attempts

Default: 7000

defaultGroup

Default group to assign if no group is defined on remote server for user

The group is assigned to a TACACS+ user if the vsaEnabled parameter is set to false.

Default: none

vsaEnabled

Whether VSA search is enabled

If set to true, a user group attribute is expected in the user authentication response.

Default: true

roleVsaId

Role used for VSA search

Default: sam-security-group

vsaServiceId

VSA search service identifier

Default: sam-app
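
The following pre-deployment check is an added example, not code from the NSP or from Nokia. It applies the constraints stated above (sessionIdleTimeout not lower than accessTokenLifespan, the valid LDAP type and security values, bind for the AUTHENTICATED type only, and the LDAP url host present in the certificate SAN) to a dictionary loaded from the sso subsection. The key nesting, the names lint_sso and san_by_server, and the SAN entries being supplied as strings rather than parsed from the certificate are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def _norm(host):
    """Canonicalise an IP literal, or lower-case a hostname, for comparison."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower().rstrip(".")

def lint_sso(sso, san_by_server):
    """Return findings for an 'sso' mapping whose key nesting is assumed.
    san_by_server: LDAP server name -> SAN entries read from its certificate."""
    out = []
    if sso.get("sessionIdleTimeout", 60) < sso.get("accessTokenLifespan", 60):
        out.append("sessionIdleTimeout is lower than accessTokenLifespan")
    if not sso.get("hsts", False):
        out.append("hsts is disabled")
    if not sso.get("bruteForceDetection", {}).get("enabled", True):
        out.append("bruteForceDetection is disabled")
    ldap = sso.get("ldap", {})
    for srv in ldap.get("servers", []) if ldap.get("enabled", False) else []:
        name = srv.get("name", "?")
        if srv.get("type") not in ("AD", "AUTHENTICATED"):
            out.append(f"{name}: type must be AD or AUTHENTICATED")
        if "bind" in srv and srv.get("type") != "AUTHENTICATED":
            out.append(f"{name}: bind is for the AUTHENTICATED type only")
        if srv.get("security") != "SSL":
            out.append(f"{name}: security is not SSL")
            continue
        # Exact match only: the configured host must itself be a SAN entry.
        host = urlsplit(srv.get("url", "")).hostname or ""
        if _norm(host) not in {_norm(s) for s in san_by_server.get(name, [])}:
            out.append(f"{name}: url host '{host}' is not in the certificate SAN")
    return out

# Constructed sample data, not taken from a real deployment.
SAMPLE = {
    "sessionIdleTimeout": 30, "accessTokenLifespan": 60, "hsts": False,
    "ldap": {"enabled": True, "servers": [
        {"type": "AD", "name": "ad-1", "url": "ldaps://ad1.example.com:636",
         "security": "SSL", "bind": {"dn": "cn=svc", "credential": "x"}},
        {"type": "AUTHENTICATED", "name": "dir-2",
         "url": "ldap://203.0.113.172:389", "security": "None"},
    ]},
}
SAMPLE_SANS = {"ad-1": ["ad01.example.com", "203.0.113.10"]}
if __name__ == "__main__":
    for finding in lint_sso(SAMPLE, SAMPLE_SANS):
        print(finding)
```

The SAN comparison is an exact match after normalisation, so a wildcard SAN entry does not satisfy it.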