Configuring single sign-on
Introduction
The NSP supports single sign-on, or SSO access, as described in OAUTH2 user authentication. Multiple authentication sources of the same or different type are supported.
Configuring LDAPS or secure AD
TLS certificates for LDAPS communication must be copied to the /tls/ldap directory below the NSP installation directory.
Using LDAPS or AD requires a TLS certificate.
NSP SSO configuration parameters
To configure remote authentication sources, go to Users and System Security settings in the NSP UI.
You set parameters in nsp-config.yml to enable HSTS for secure web-browser access. Table 6-1, SSO parameters, NSP configuration file, lists and describes the configuration parameters in the sso subsection of the nsp section of the nsp-config.yml file.
Table 6-1: SSO parameters, NSP configuration file
| Section and parameters | Description |
|---|---|
| hsts | Whether to enable HSTS headers that tell client browsers to use only HTTPS and a valid CA certificate. Default: false |
| bruteForceDetection parameters | |
| enabled | Whether to enable brute-force protection. Default: true |
| permanentLockout | Whether to enable permanent user lockout after the maxLoginFailures number of login failures. Default: false |
| maxLoginFailures | Number of allowed login failures before temporary or permanent lockout. Default: 5 |
| waitIncrement | Temporary lockout time, in seconds, after maxLoginFailures failed login attempts are reached. Default: 60 |
| quickCheck | Number of milliseconds within which two consecutive login failures trigger the lockout period defined by the minQuickWait parameter. Default: 1000 |
| minQuickWait | Lockout duration, in seconds, triggered by a quickCheck violation. Default: 60 |
| maxWait | Maximum temporary lockout duration, in minutes. Default: 15 |
| failureResetTime | Number of hours after which to reset the login-failure counts. Default: 12 |
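
The table mixes seconds, milliseconds, minutes and hours, so a value entered in the wrong unit is easy to miss. The following Python check is an added example, not Nokia code: it takes the sso mapping as already parsed from nsp-config.yml, fills in the Table 6-1 defaults, and flags disabled protections, keys that are not in the table, and lockout times that exceed maxWait. The nesting of bruteForceDetection under sso, the function name audit_sso and the sample values are assumptions.

```python
# Added example: audit a parsed "sso" mapping from nsp-config.yml.
# Defaults and units are taken from Table 6-1; the nesting
# (sso -> hsts, sso -> bruteForceDetection -> ...) is an assumption.
DEFAULTS = {
    "enabled": True,
    "permanentLockout": False,
    "maxLoginFailures": 5,
    "waitIncrement": 60,     # seconds
    "quickCheck": 1000,      # milliseconds
    "minQuickWait": 60,      # seconds
    "maxWait": 15,           # minutes
    "failureResetTime": 12,  # hours
}


def audit_sso(sso):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not sso.get("hsts", False):
        findings.append("hsts: false, HSTS headers are not sent")
    supplied = sso.get("bruteForceDetection") or {}
    # Keys outside the table are usually typos and would leave a default active.
    for key in sorted(set(supplied) - set(DEFAULTS)):
        findings.append(f"bruteForceDetection.{key}: not a Table 6-1 parameter")
    bfd = {**DEFAULTS, **supplied}
    if not bfd["enabled"]:
        findings.append("bruteForceDetection.enabled: false, brute-force protection is off")
        return findings
    # maxWait is in minutes; the two lockout times are in seconds.
    max_wait_s = bfd["maxWait"] * 60
    for key in ("waitIncrement", "minQuickWait"):
        if bfd[key] > max_wait_s:
            findings.append(
                f"bruteForceDetection.{key}: {bfd[key]} s exceeds maxWait ({max_wait_s} s)")
    return findings


# Constructed sample: HSTS left at its default, a misspelled key, and a
# waitIncrement of 1800 s (30 min) against the default 15-minute maxWait.
SAMPLE = {"bruteForceDetection": {"maxLoginFailure": 3, "waitIncrement": 1800}}

if __name__ == "__main__":
    for line in audit_sso(SAMPLE):
        print(line)
```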