Enable Federated Authentication for CMSG with SSO
IDP Configuration
The configuration parameters below are all obtained while configuring the IDP. Before configuring Federated Authentication, ensure that an active third-party identity provider is configured correctly.
To enroll using the private key and certificate of the Certification Authority:
For more information on all the enrollment options, see Preparing for Single Sign-On.
Private Key and CA requirement
Ensure that you have the PEM files for the signed certificate, the private key and the certificate revocation list produced by the instructions in Preparing for Single Sign-On, and that you have uploaded them to CMSG via SFTP.
Passphrase Protection
Passphrase protection for the CA certificate and key files is not supported: the private key PEM must be stored unencrypted. Because a passphrase cannot protect it, restrict access to the key file on CMSG to the account that needs it (for example, owner-readable only) and remove the file once it is no longer required.
If you are installing a new CMSG:
- Run this command:
sudo pcoip-cmsg-setup install [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-signing-csr-ca <path to pem> --sso-signing-csr-key <path to pem> --sso-signing-crl <path to crl>
If you are configuring an existing CMSG:
- Run this command:
sudo pcoip-cmsg-setup configure [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-signing-csr-ca <path to pem> --sso-signing-csr-key <path to pem> --sso-signing-crl <path to crl> --sso-enrollment-url "" --sso-enrollment-domain "" --sso-enrollment-username "" --sso-enrollment-password "" --sso-enrollment-certificate-template-name ""
To enroll via Active Directory Certification Authority Web Enrollment:
The enrollment account's password is passed on the command line, so it appears in the shell history and, while the command runs, in the process list. Use a dedicated account that has only the right to request certificates from the chosen template, and clear the command from the shell history afterwards.
If you are installing a new CMSG:
- Run this command:
sudo pcoip-cmsg-setup install [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-enrollment-url "$Enrollment_URL" --sso-enrollment-domain "$Domain" --sso-enrollment-username "$User_Name" --sso-enrollment-password "$Password" --sso-enrollment-certificate-template-name "$Template_Name"
If you are configuring an existing CMSG:
- Run this command:
sudo pcoip-cmsg-setup configure [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-enrollment-url "$Enrollment_URL" --sso-enrollment-domain "$Domain" --sso-enrollment-username "$User_Name" --sso-enrollment-password "$Password" --sso-enrollment-certificate-template-name "$Template_Name" --sso-signing-csr-ca "" --sso-signing-csr-key "" --sso-signing-crl ""
Installation Flags
| Flag | Type | Description |
|---|---|---|
| --enable-oauth | Boolean | Enables OAuth authentication. (Default=False) |
| --id-provider-url | String | Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.okta.com. Required if --enable-oauth is true. |
| --oauth-client-id | String | The client ID issued by the identity provider. Required if --enable-oauth is true. |
| --fa-url | String | The Federated Auth Broker URL, for example https://cac-vm-fqdn:port. |
| --enable-sso | Boolean | Enables SSO. (Default=False) |
| --sso-signing-csr-ca | String | Path to the intermediate CA certificate (PEM). |
| --sso-signing-csr-key | String | Path to the intermediate CA private key (PEM). |
| --sso-signing-crl | String | Path to the certificate revocation list (PEM). |
| --sso-enrollment-url | String | URL of the Active Directory Certification Authority Web Enrollment Service. |
| --sso-enrollment-domain | String | Domain of the user account used to access the Active Directory Certification Authority Web Enrollment Service. |
| --sso-enrollment-username | String | Username for accessing the Active Directory Certification Authority Web Enrollment Service. |
| --sso-enrollment-password | String | Password for that username. |
| --sso-enrollment-certificate-template-name | String | Name of the certificate template that the Active Directory Certification Authority Web Enrollment Service uses to sign the CSR. |
For more information on installing or updating CMSG, see Installing for Online Environments and Updating CMSG.
After Completion of Testing
After you have finished trying out and testing the feature, we recommend that you revoke the intermediate signing certificate you generated to enable SSO and destroy its private key. HP also recommends removing the certificate, private key, and CRL PEM files you copied to the CMSG in the earlier steps; revoking the certificate does not remove the key material from the machine, so do both.
- Run the command:
sudo pcoip-cmsg-setup configure [...other settings...] --enable-sso false
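The following preflight script is an added example and is not part of the CMSG documentation or the pcoip-cmsg-setup tooling. It checks the three PEM files described under Private Key and CA requirement before they are uploaded (the key is not passphrase-protected, the key belongs to the certificate, the certificate is a CA, and the CRL was issued by that CA), and after the cleanup above it can confirm that the CRL published by the issuing CA lists the revoked intermediate's serial. It assumes openssl is installed; the file names ca.pem, ca.key and ca.crl in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Preflight for the SSO signing material that pcoip-cmsg-setup expects:
# the intermediate CA certificate, its private key and the CRL, all PEM.
# Added example, not part of the CMSG tooling. The file names in the
# usage line at the bottom (ca.pem, ca.key, ca.crl) are assumptions.

# 0 if the key is passphrase-protected, which CMSG does not support.
# Catches PKCS#8 ("ENCRYPTED PRIVATE KEY") and legacy OpenSSL headers.
key_is_encrypted() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if the certificate's public key equals the key's public key
# (compared as SubjectPublicKeyInfo PEM, so it works for RSA and EC).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate may sign other certificates (basicConstraints CA:TRUE).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the CRL's signature verifies against the CA certificate.
crl_issued_by() {
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'
}

# 0 if the CRL lists the given serial (hex, as printed by openssl). Use it
# after testing to confirm the intermediate really was revoked.
crl_lists_serial() {
    openssl crl -in "$1" -noout -text 2>/dev/null | grep -qi "Serial Number: $2"
}

# Runs every check, prints one line per problem, returns the failure count.
preflight() {
    local cert="$1" key="$2" crl="$3" failures=0 f
    for f in "$cert" "$key" "$crl"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: missing or unreadable: $f"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ] || return "$failures"
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; CMSG needs an unencrypted key"
        failures=$((failures + 1))
    elif ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key does not belong to $cert"
        failures=$((failures + 1))
    fi
    if ! cert_is_ca "$cert"; then
        echo "FAIL: $cert is not a CA certificate"
        failures=$((failures + 1))
    fi
    if ! crl_issued_by "$crl" "$cert"; then
        echo "FAIL: $crl was not issued by $cert"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $cert, $key and $crl are consistent"
    return "$failures"
}

# Usage (placeholder file names): preflight ca.pem ca.key ca.crl
```

Run it on the CMSG host against the uploaded paths before invoking pcoip-cmsg-setup; a non-zero exit code means at least one of the files would be rejected or is inconsistent with the others. The key/certificate comparison deliberately compares public keys rather than moduli so that it behaves the same for RSA and EC keys.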