Using Single Sign-On (SSO) for Authentication Only


If you have already created accounts for users in Skylar One, you can use SSO to authenticate one or more of those users. Each time an SSO user tries to access Skylar One, Skylar One will use SSO to authenticate that user.

  1. Each user logs in to Skylar One by entering the URL for the All-In-One Appliance, Administration Portal, or Database Server.
  2. Skylar One examines the URL from which the request originates and applies the appropriate Authentication Profile (and the appropriate Authentication Resource).
  3. If the user is not yet logged in to the SAML IdP:
  • The user will be directed to the login page for the SAML IdP.
  • After successfully logging in to the SAML IdP, the SAML IdP will send a message to Skylar One via the user's browser (a SAML assertion), informing Skylar One that the user is authenticated.
  4. If the user is already logged in to the SAML IdP:
  • The SAML IdP will send a message to Skylar One via the user's browser (a SAML assertion), informing Skylar One that the user is authenticated.
  5. Skylar One displays the user's default page.

Use the following menu options to navigate the Skylar One user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Required Tasks

To configure Skylar One to use SSO to authenticate existing user accounts (without creating new accounts), you must perform the following steps:

  1. Create a user account in Skylar One. You can either create the account manually or you can use a user policy to create the account.
  2. Define the SSO Authentication Resource.
  • Specify how Skylar One should communicate with the SSO IdP and exchange information with the SSO IdP.
  • In the Type field, select Do not import new users or sync user policies. Skylar One will use SSO only to authenticate users and will not create a new user each time an SSO user attempts to connect to Skylar One.
  3. Define one or more Authentication Profiles that tell Skylar One how to recognize SSO users and which Authentication Resource to use with those users.
  4. After completing these steps:
  • SSO users can attempt to connect to Skylar One by entering the URL for an Administration Portal, Database Server, or All-In-One Appliance.
  • Skylar One will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
  • The Authentication Profile tells Skylar One which SSO Authentication Resource(s) to use to authenticate the user.
  • The SSO Authentication Resource tells Skylar One the settings to use to communicate with the SSO IdP. The SSO IdP will then attempt to authenticate each user.

Creating a User Account that Will Be Authenticated with SSO

User accounts allow users to log in to Skylar One and access pages and features in Skylar One. If you have already created a user account for a user in SSO, you can create a separate user account for that user in Skylar One and then ask SSO to authenticate the user account.

There are two ways to create a user account in Skylar One:

  • Manually create a user account and define all account settings.
  • Manually create a user account and then apply a user policy to define additional account settings. User policies allow you to define a custom set of account properties and privileges and then save them as a policy.

Both options are described in this section.

Manually Creating a User Account and Manually Defining Account Settings

You can manually create a user account in Skylar One.

If you want to use SSO to authenticate the user when he/she logs in to Skylar One, you must:

  • Manually create a user account in Skylar One.

NOTE: The value in the Account Login Name must match the value of the SAML attribute uid.

To manually create a user account and manually define its account settings:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate a unique name based on first and last name. Do not select this option.
  • Account Login Name. The same value as is stored in the SAML attribute uid.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, SSO will ignore the value in the Password field and instead use the password stored in the IDP.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the SSO password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through Skylar One.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through Skylar One.
  • Password Shadowing. Set this field to Default. The password cannot be changed through Skylar One.
  • Require Password Reset. Do not select this option. The password cannot be changed through Skylar One.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to Skylar One. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in Skylar One.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
  • Individual. User account is not a member of a user policy.
  • Policy Membership. Select this option. User will be defined with a user policy. When selected, the Policy Membership field becomes active.
  • Login State. Default login state for the user account. The choices are:
  • Suspended. Account is not active. User cannot log in to Skylar One.
  • Active. Account is active. User can log in to Skylar One.
  • Authentication Method. Specifies how the user's username and password will be authenticated. Select one of the following:
  • EM7 Session. User's username and password are authenticated by Skylar One.
  • LDAP/Active Directory. User's username and password are authenticated by an LDAP server or Active Directory server.

NOTE: For users who are authenticated with SSO, you must set the Authentication Method field to LDAP/Active Directory to support automatic user policy alignment updates in case attributes change.

  • Restrict to IP. The user will be allowed to access Skylar One only from the specified IP. Specify the IP address in standard dotted-decimal notation.
  • Time Zone. Select the appropriate time zone to associate with the user account.
  5. Click the Save button to save the new user.

Manually Creating a User Account and Using a User Policy to Define Account Settings

You can manually create a user account and then apply a user policy to that user account.

If you want to use SSO to authenticate the user when he/she logs in to Skylar One, you must:

  • Define a user policy before creating the user account. For SSO authentication, there are no requirements for the user policy. You can define the user policy as you wish. For details on creating a user policy, see the Organizations and Users section.
  • Define the user account in Skylar One.

NOTE: The value in the Account Login Name must match the value of the SAML attribute uid.

To manually create a user account and apply a user policy to that account:

  1. Go to the User Accounts page (Registry > Accounts > User Accounts).
  2. In the User Accounts page, click the Create button.
  3. The page appears.
  4. In the page, enter values in each of the following fields:
  • First Name. User's first name. This value can be up to 24 characters in length.
  • Last Name. User's last name. This value can be up to 24 characters in length.
  • Generate name based on first and last name. Do not select this option.
  • Account Login Name. The same value as is stored in the SAML attribute uid.
  • Primary Email. User's email address. This field can be up to 64 characters in length.
  • Password. You can enter any password that meets the minimum security requirements. The password must be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, SSO will ignore the value in the Password field and instead use the password stored in the IDP.

  • Confirm Password. The user's password again. This value must be at least four characters in length and can be up to 64 characters in length. This password will be overwritten with the SSO password on first login.
  • Password Strength. Required strength of the user's password. Must be set to Strong. The password will not be able to be changed through Skylar One.
  • Password Expiration. Set this field to Disabled. The password will not be able to be changed through Skylar One.
  • Password Shadowing. Set this field to Default. The password cannot be changed through Skylar One.
  • Require Password Reset. Do not select this option. The password cannot be changed through Skylar One.
  • Multi-Factor Auth (MFA) User. If this user requires a different user name for Multi-factor authentication, enter the MFA user name in this field.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to Skylar One. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  • Organization. The organization of which the new user account will be a member. Users can select from among all organizations in Skylar One.
  • Account Type. Specifies whether the user is a member of a user policy. Choices are:
  • Individual. User account is not a member of a user policy.
  • Policy Membership. Select this option. User will be defined with a user policy. When selected, the Policy Membership field becomes active.

After you select Policy Membership, all remaining fields except Account Templates are disabled. This is because those fields are defined in the user policy.

  • Policy Membership. If you selected Policy Membership in the Account Type field, the Policy Membership field is activated. In this field, you can select a user policy to apply to the new user account.
  • When a user policy is applied to a user's account, the user inherits the Access Keys specified in the user policy. Administrators cannot add additional Access Keys or delete Access Keys from the user's account unless they edit the user policy.
  • When a user policy is edited, each user account that is a member of that template will be dynamically updated.
  5. Click the Save button to save the new user.

Creating an SSO Authentication Resource for Authenticating Users

An Authentication Resource is a configuration policy that describes how Skylar One should communicate with a user store. In this section, the user store is an SSO IdP.

The SSO Auth Resource Editor page allows you to define an Authentication Resource for use with an SSO user store. An SSO Authentication Resource specifies the connector (communication software) to use to communicate with the SAML IdP and the URLs to use to send and retrieve information from the SAML IdP. An SSO Authentication Resource can also map attributes from the user's SSO account to fields in the user account on Skylar One.

Skylar One supports SAML version 2.0.

In the SSO Auth Resource Editor page (System > Settings > Authentication > create/edit SSO Resource), you can:

  • Specify how Skylar One should communicate with the SAML IdP and exchange information with the SAML IdP.

Additionally, Authentication Profiles are policies that align user accounts with one or more Authentication Resources. Authentication Profiles are described later in this section.

To create an SSO authentication resource that authenticates existing users in Skylar One:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. Click the Actions menu and then select Create SSO Resource. The SSO Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the SSO authentication resource.
  • IdP Entity ID. Globally unique name used as a SAML identifier configured on the IdP, usually in the format of an absolute URL.
  • IdP Cert Fingerprint. The SHA1 certificate fingerprint, provided by the identity provider or service provider. Note that this field is not the serial number of the certificate.

    If you supply the IdP certificate when you configure the SSO Authentication Resource, the IdP certificate fingerprint is not required and will not be used for IdP response validation. Instead, the full certificate that you provide in the IdP Certificate field will be used.

  • IdP Certificate. To ensure that communication between the IdP and EM7 is signed, type the full, PEM-encoded certificate from the IdP.
  • User Name Suffix. Optional field. If you don't supply a value in this field, Skylar One retrieves the SAML NameID attribute and uses that value as the ScienceLogic username.
  • You can supply the variable %u in this field, and the Skylar One retrieves the SAML NameID attribute and uses that value as the ScienceLogic user name.
  • You can supply the value %attribute_name%, where attribute name is a SAML attribute other than NameID. Skylar One will use the value of the attribute as the ScienceLogic user name.
  • Because a user can authenticate against multiple SSO servers, there is a risk of collision among user names. In this field, you can enter a string to append to the ScienceLogic user name to minimize risk of collision. For example:
    • You can enter a string, with no SAML attribute specified. When you don't specify a SAML attribute in this field, Skylar One will retrieve the SAML NameID attribute and append the string you specify in this field.

    Suppose we entered @sciencelogic.local in this field.

    Suppose the next SSO user logs in to Skylar One with the SAML NameID of bishopbrennan.

    Skylar One will log in that user as bishopbrennan@sciencelogic.local.

    • You can enter one or more SAML attribute names, surrounded by percent signs (%), with text preceding it and/or text appended. Skylar One will retrieve the value of the SAML attribute and use that value plus any preceding text or appended text as the ScienceLogic user name.

    Suppose we entered %sn%-external in this field.

    Suppose the next SSO user logs in to Skylar One with their SAML sn (last name) attribute of krilly.

    Skylar One will log in that user as krilly-external.

A best practice to avoid collisions is to use email addresses as user names.

  • IdP SSO URL. The URL to which Skylar One will send login requests to the IdP. This field must contain an absolute URL.
  • IdP SLS URL. Optional field. If you want each user to be automatically logged out of the IdP when that user logs out of Skylar One, enter the URL to which Skylar One will post the logout request to the IdP. If you leave this field blank, a user can log out of Skylar One without automatically logging out of the IdP.
  • Sync directory values to EM7 on login. If an SSO administrator makes changes to an SSO account, Skylar One will automatically retrieve those updates and apply them to the user's account in the Account Properties page the next time the user logs in to Skylar One. (For more information about user account properties, see the section on Creating and Editing User Accounts.)
  • Signing Options. Specifies whether digital signing is required for communication between the IdP and Skylar One. Choices are:
  • Disable. No digital signature is required.
  • IdP Response. Messages from the IDP to Skylar One must be signed. Skylar One will use the value in the IdP Certificate field to validate the signature.
  • SP Request and IdP Response. Messages from the IDP to Skylar One must be signed. Skylar One will use the value in the IdP Certificate field to validate the signature. Messages from Skylar One to the IdP must also be signed.
  • Strict Mode. If you selected IdP Response or SP Request and IdP Response in the Signing Options field, this field is automatically set to Enable. This field enforces validation of the SAML response and its attributes. As a best practice, disable this field while initially configuring Skylar One and the IdP. As a best practice, enable this field for production use.
  • Integrated Windows Auth. If you are using Active Directory Federation Services (ADFS) as your IdP, select Enable in this field.
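The IdP Cert Fingerprint field above takes the SHA-1 fingerprint of the IdP's signing certificate, which is a hash of the certificate's DER encoding, not its serial number. Before pasting a fingerprint (or the full PEM certificate) into the resource, it is worth confirming that the value the IdP administrator handed over really belongs to the certificate you hold. The following is an added example written for this page, not Skylar One's own code: it derives the fingerprint from a PEM file in the same colon-separated format that openssl prints, and compares it against a fingerprint supplied in any of the usual notations. The PEM body in the sample is constructed (it wraps the bytes "abc", not a real X.509 certificate) so that the example runs offline; substitute the IdP's actual certificate file in practice.

```python
import base64
import hashlib
import re

# Constructed sample for illustration only: a PEM wrapper around the bytes
# b"abc". A real IdP certificate carries a DER-encoded X.509 body here.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem_text):
    """SHA-1 over the DER encoding, formatted the way
    'openssl x509 -noout -fingerprint -sha1' prints it: uppercase hex pairs
    separated by colons. This is the value the IdP Cert Fingerprint field expects."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept the notations an IdP admin might hand over: with or without
    colons, either case, with or without an 'SHA1 Fingerprint=' prefix."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", text.split("=")[-1])
    if len(hex_only) != 40:
        raise ValueError(f"a SHA-1 fingerprint is 40 hex digits, got {len(hex_only)}")
    return hex_only.upper()


def fingerprint_matches(pem_text, provided):
    """True when the fingerprint the IdP provided is the fingerprint of the
    certificate you are about to paste into the IdP Certificate field."""
    return normalize_fingerprint(sha1_fingerprint(pem_text)) == normalize_fingerprint(provided)


if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
    print(fingerprint_matches(SAMPLE_PEM, "a9993e364706816aba3e25717850c26c9cd0d89d"))
```

When you supply the full certificate in the IdP Certificate field, the fingerprint field is not used for response validation; the computation above is still the quickest way to check that the PEM you received is the one the IdP administrator described.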

Attribute Mapping

These fields can be left blank or with their default values.

Skylar One requires that the SAML attribute name that you specify in each field uses all lowercase characters.

User Policy Alignment

  • Type. Select Do not import new users or sync user profiles.

  4. Click the Save button to save your changes to the new authentication resource.
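The User Name Suffix rules described under Basic Settings above (empty or %u means the bare NameID, plain text is appended to the NameID, %attribute% references are expanded) are easy to get wrong when several SSO resources feed one Skylar One instance. The function below is an added example written for this page, not Skylar One's own implementation; it reproduces those documented rules on a constructed assertion so you can check what user name a given field value will produce before users log in. The assertion contents are made up; the KeyError on a missing attribute is this example's choice of failure mode and is an assumption about the product's behaviour.

```python
import re

# Constructed sample: the subject (NameID) and attribute statements one SAML
# assertion from the IdP might carry. Not a real IdP's data.
SAMPLE_ASSERTION = {
    "NameID": "bishopbrennan",
    "uid": "bishopbrennan",   # must equal the Account Login Name in Skylar One
    "sn": "krilly",
    "mail": "bishop.brennan@example.test",
}

# %attribute_name% references; a lone %u is handled separately below.
ATTR_REF = re.compile(r"%([^%\s]+)%")


def sciencelogic_username(assertion, suffix_template=""):
    """Resolve the ScienceLogic user name for one login from the SAML
    assertion and the User Name Suffix field, following the documented rules:
      - empty field or %u: the SAML NameID is used unchanged;
      - plain text with no attribute reference: appended to the NameID;
      - %attribute%, with optional text before/after: each reference is
        replaced by that attribute's value (and %u by the NameID).
    A reference to an attribute the IdP did not release raises KeyError
    (assumed behaviour), so the login fails closed instead of producing a
    truncated user name that might collide with another account.
    """
    name_id = assertion["NameID"]
    template = suffix_template.strip()
    if not template:
        return name_id
    referenced = False

    def lookup(match):
        nonlocal referenced
        referenced = True
        attr = match.group(1)
        if attr == "u":
            return name_id
        if attr not in assertion:
            raise KeyError(f"SAML attribute {attr!r} not present in assertion")
        return assertion[attr]

    expanded = ATTR_REF.sub(lookup, template)
    if "%u" in expanded:
        expanded = expanded.replace("%u", name_id)
        referenced = True
    # No reference at all: the field is a literal suffix appended to the NameID.
    return expanded if referenced else name_id + expanded


if __name__ == "__main__":
    for field_value in ("", "%u", "@sciencelogic.local", "%sn%-external", "%mail%"):
        print(repr(field_value), "->", sciencelogic_username(SAMPLE_ASSERTION, field_value))
```

Running the block reproduces the two worked cases from the field description (bishopbrennan@sciencelogic.local and krilly-external) and shows why %mail% is the collision-resistant choice the best-practice note recommends: the resulting user name is unique per IdP account rather than per surname.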

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. Skylar One uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, Skylar One will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where Skylar One should extract the username and password or certificate to be authenticated. These credentials are passed to Skylar One via HTTP. Skylar One then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store and the URLs to examine during authentication. Also maps attributes from the user's account in the user store to fields in the Skylar One user account.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. In the Authentication Profiles page, click the Create button.
  3. The Authentication Profile Editor modal page appears. In this page, you can define the new authentication profile.
  • Name. Name of the Authentication Profile.
  • Priority Order. If Skylar One includes multiple Authentication Profiles, Skylar One evaluates the Authentication Profiles in priority order, ascending. Skylar One will apply the first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowest value in the Priority Order field.
  • Pattern Type. Specifies how Skylar One will evaluate the value in the AP Hostname Pattern field. Choices are:
  • Wildcard. Skylar One will perform a text match, with wildcard characters (asterisks).
  • Regex. Skylar One will use regular expressions to compare the AP Hostname Pattern to the current session information.
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, Skylar One applies the Authentication Profile to the user for the current session.
  • For example, if you specify "*" (asterisk), any IP address or URL will match. Skylar One will then apply this Authentication Profile to every session on an Administration Portal, Database Server, or All-In-One Appliance.
  • If you enter "192.168.38.235", Skylar One will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters "192.168.38.235" into the browser.
  • If you enter "*.sciencelogic.local", Skylar One will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.local" into the browser.

    Do not include underscores ( _ ) in the AP Hostname Pattern field. URLs with underscores are not considered valid in Skylar One authentication profiles.

  • Available Credential Sources. This field tells Skylar One how to retrieve the user's credentials from the HTTP request to Skylar One. To align a credential source with the Authentication Profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the Authentication Profile. Initially, this pane displays a list of all the credential sources:
  • CAC/Client Cert. Skylar One will retrieve a certificate from the HTTP request.
  • EM7 Login Page. Skylar One will retrieve a username and password from the Skylar One login page fields.
  • HTTP Auth. Skylar One will retrieve a username and password from the HTTP request.
  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the Authentication Profile. The Authentication Profile will examine each credential source in the order in which it appears in this list. When the Authentication Profile finds the user's credential, the Authentication Profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells Skylar One which Authentication Resources to use to authenticate the retrieved credentials. To align an Authentication Resource with the Authentication Profile, highlight the Authentication Resource and click the right-arrow button. You must select at least one Authentication Resource and can select more than one.
  • Aligned Authentication Resources. This field displays the list of Authentication Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Authentication Resource in the order in which it appears in this list. When an Authentication Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Authentication Resources in the list.
  • Available Multi-factor Resources. This field tells EM7 which Multi-factor Resources to use to perform multi-factor authentication. To align a Multi-factor Resource with the Authentication Profile, highlight the Multi-factor Resource and select the right-arrow button. For details on creating a Multi-factor Resource, see the guide for the Multi-factor Resource Editor.

  • Aligned Multi-factor Resources. This field displays the list of Multi-factor Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Multi-factor Resource in the order in which it appears in this list. When a Multi-factor Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Multi-factor Resources in the list.

NOTE: Best practice for SSO includes multi-factor authentication when connecting to the Identity Provider, not when logging in to Skylar One. For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  4. Click the Save button to save your changes to the new authentication profile.
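Because Skylar One picks the first profile whose AP Hostname Pattern matches the host the user typed, in ascending Priority Order, a misordered catch-all ("*") can silently route every session to the wrong Authentication Resource. The following is an added example for this page, not Skylar One's own matching code: it models the Priority Order, Pattern Type and AP Hostname Pattern fields, rejects the underscore patterns the manual calls invalid, and shows which profile wins for a handful of URLs. The profile set is constructed (it reuses the three literal patterns from the field description plus one regex); treating the match as case-insensitive, requiring a regex to match the whole host, and accepting a bare host without a scheme are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AuthProfile:
    name: str
    priority_order: int     # Priority Order field: evaluated ascending
    pattern_type: str       # Pattern Type field: "Wildcard" or "Regex"
    hostname_pattern: str   # AP Hostname Pattern field


# Constructed sample profiles, deliberately listed out of priority order.
PROFILES = [
    AuthProfile("Catch-all", 30, "Wildcard", "*"),
    AuthProfile("Corporate SSO", 20, "Wildcard", "*.sciencelogic.local"),
    AuthProfile("Lab appliance", 10, "Wildcard", "192.168.38.235"),
    AuthProfile("Regex portals", 5, "Regex", r"portal-(prod|dr)\.sciencelogic\.local"),
]


def validate_pattern(profile: AuthProfile) -> None:
    """Reject what the manual says is invalid (underscores in the pattern)
    and regexes that do not compile, before any session is evaluated."""
    if "_" in profile.hostname_pattern:
        raise ValueError(f"{profile.name}: underscores are not valid in AP Hostname Pattern")
    if profile.pattern_type == "Regex":
        re.compile(profile.hostname_pattern)  # raises re.error if malformed
    elif profile.pattern_type != "Wildcard":
        raise ValueError(f"{profile.name}: unknown Pattern Type {profile.pattern_type!r}")


def host_from_url(url: str) -> str:
    """The hostname or IP the user typed, without scheme, port or path.
    A bare host with no scheme is accepted too (assumption, for convenience)."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def profile_matches(profile: AuthProfile, host: str) -> bool:
    """Wildcard: only '*' is special (any run of characters); everything
    else is literal. Regex: the whole host must match. Case-insensitive in
    both modes (assumption; DNS names are case-insensitive)."""
    if profile.pattern_type == "Wildcard":
        regex = ".*".join(re.escape(part) for part in profile.hostname_pattern.split("*"))
    else:
        regex = profile.hostname_pattern
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def select_profile(profiles, url: str) -> Optional[AuthProfile]:
    """First profile, in ascending Priority Order, whose pattern matches the
    host in the URL; None when nothing matches (no catch-all configured)."""
    host = host_from_url(url)
    for profile in sorted(profiles, key=lambda p: p.priority_order):
        validate_pattern(profile)
        if profile_matches(profile, host):
            return profile
    return None


if __name__ == "__main__":
    for url in ("https://192.168.38.235/", "https://EM7.sciencelogic.local/em7/",
                "https://portal-prod.sciencelogic.local/", "https://10.0.0.5/"):
        chosen = select_profile(PROFILES, url)
        print(url, "->", chosen.name if chosen else None)
```

The point to take from the output is that "portal-prod.sciencelogic.local" also matches the "*.sciencelogic.local" wildcard, yet the regex profile wins because its Priority Order value is lower; if you want the corporate profile to handle that host, its priority must be the smaller number.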

Viewing Metadata

To view the metadata for OneLogin SAML (the EM7 implementation of SSO), enter the following URL in a browser:

https://hostname_or_ip_of_EM7_appliance/samlsp.em7?action=metadata

Using Your Own SSL Certificate

By default, Skylar One uses a self-signed certificate generated by Skylar One during installation from ISO. Skylar One uses the default SSL certificate from nginx as the certificate for communication with the Identity Provider.

If you want to use your own certificate for communication between Skylar One and the Identity Provider, perform the following:

  1. Go to the console of the Administration Portal or start an SSH session to the Administration Portal.
  2. Either generate a self-signed SSL certificate of type .pem and an SSL key or acquire these files from a certificate authority. Save the certificate files with names that will not conflict with the default files silossl.pem and silossl.key.
  3. Copy the certificate files to the /etc/nginx directory.
  4. Using vi or another text editor, edit the file /etc/nginx/conf.d/em7ngx_web_ui.conf
  5. Edit the following lines:

ssl_certificate /etc/nginx/silossl.pem;

ssl_certificate_key /etc/nginx/silossl.key;

  • Replace silossl.pem with the .pem file for your new certificate.
  • Replace silossl.key with the .key file for your new certificate.
  6. Save and quit the file.