Setting up Single Sign-On

As a system administrator, you can set up single sign-on (SSO) for the Automation Engine system in Windows and UNIX. SSO allows users to log in only once, without having to enter details such as user, department, or password over and over again. The Automation Engine supports the Kerberos Key Distribution Center (KDC) and Security Assertion Markup Language 2.0 (SAML 2.0) protocols.

Enabling Single Sign-On

By default, when users log into AWI, the entire authentication process is handled by the Automation Engine to which the instance is connected. AE confirms whether the user credentials match the values in the related User object (USER).

You must enable single sign-on to use either the Kerberos (KDC) or SAML protocol. To do so, in the configuration.properties file of your AWI instance, set the relevant property (sso.kdc.enabled or sso.saml.enabled) to true. For more information, see configuration.properties.

Login Types

When single sign-on (SSO) is enabled, the AWI login screen has an extra drop-down list with the login types available:

Automation Engine

When you select this login type, the AWI standard login is used. For more information, see Standard Login.

Kerberos

Note: This option is only available if Kerberos is configured locally. For more information, see Setting up Single Sign-On - Kerberos.

When you select Kerberos, the Name, Department, and Password fields are not displayed.

The checkbox Enable autologin allows you to choose if you want a fully or partially automatic login.

SAML

Note: This option is only available if SAML is set up in the system behind the connection. For more information, see Setting up Single Sign-On - SAML.

When you select SAML, the Name and Password fields are irrelevant, but the Department field becomes mandatory.

As soon as a value has been entered in the field Department, the Next button is enabled. Clicking it redirects you to the SAML Identity Provider for authentication and back to AWI with the result.

As with Kerberos, the checkbox Enable autologin allows you to choose if you want a fully or partially automatic login.

Enabling Autologin

When you use single sign-on, either with Kerberos (KDC) or with SAML, the Enable autologin checkbox allows you to decide if you want a fully or partially automatic login.

Note: To log in with different credentials or to change your session options, empty your browser cache and restart the Automic Web Interface. A blank login page with all fields is displayed.
