Setting up Single Sign-On

As a system administrator, you can set up single sign-on (SSO) for the Automic Automation system on Windows and UNIX. SSO allows users to log in only once, without having to enter details such as user, department, or password over and over again. The Automation Engine supports the Kerberos Key Distribution Center (KDC) and the Security Assertion Markup Language 2.0 (SAML 2.0) protocols.

Enabling and Configuring Single Sign-On

By default, SSO is NOT configured in AWI. This means that, unless configured otherwise, user authentication in AWI is fully handled by the connected Automation Engine. During login, the AE validates the credentials entered by the user against those stored in the corresponding user object (USER).

To use either the Kerberos (KDC) or SAML protocol, you must enable SSO. You do this by editing the configuration.properties file of your AWI instance and setting the appropriate property (sso.kdc.enabled or sso.saml.enabled) to true.

After enabling SSO, you can optionally choose whether to enforce it when users log in.

For more information, see configuration.properties - Configuring Your Local Setup.

Enforcing SSO

You can enforce the secure login requirements defined in your company by disabling basic authentication when either SAML or Kerberos is enabled. This ensures that all users authenticate using the SSO protocol implemented in your company, preventing password-based logins that could bypass security policies.

To enforce SSO, in the configuration.properties file, set the sso.enforced parameter to true. This setting is only available and effective when SAML or Kerberos authentication is enabled. Its behavior when enabled is as follows:

  • The AWI login page allows only SSO methods (SAML/Kerberos); the basic username/password options are hidden or disabled.

  • If this setting is set to true, users can log in only through supported SSO providers, eliminating non-MFA login routes.

  • If this setting is set to true and autologin is enabled, users can log in only through supported SSO providers. They can also share AWI URLs with other users in the SAML directory. Because the URL includes Department and Client information, recipients can open the same instance and view the relevant content shared with them.

As a result, basic authentication is blocked. Only SSO authentication mechanisms are presented to users.

For more information, see configuration.properties - Configuring Your Local Setup.
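As an added example (not part of the Automic documentation), the following Python script reads the three SSO properties named above from a configuration.properties file and reports whether basic (password) authentication is still reachable. The sample file contents and the audit rules are assumptions built from the text of this page:

```python
"""Audit the SSO settings of an AWI configuration.properties file (constructed example)."""

# Constructed sample: SAML enabled, but sso.enforced left at false.
SAMPLE_PROPERTIES = """\
# constructed sample AWI configuration.properties
sso.kdc.enabled=false
sso.saml.enabled=true
sso.enforced=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            continue  # key without a value; ignore
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def is_true(props, key):
    """Properties are strings; anything other than 'true' counts as disabled."""
    return props.get(key, "false").strip().lower() == "true"


def audit_sso(props):
    """Return a list of findings; an empty list means SSO is enabled AND enforced."""
    findings = []
    kdc = is_true(props, "sso.kdc.enabled")
    saml = is_true(props, "sso.saml.enabled")
    enforced = is_true(props, "sso.enforced")
    if not (kdc or saml):
        findings.append("no SSO protocol enabled: AE validates credentials against USER objects")
        if enforced:
            # The page states sso.enforced is only effective when SAML or Kerberos is enabled.
            findings.append("sso.enforced=true has no effect without sso.kdc.enabled or sso.saml.enabled")
    elif not enforced:
        findings.append("SSO enabled but not enforced: 'Automation Engine' login type still permits basic authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_sso(parse_properties(SAMPLE_PROPERTIES)) or ["OK: SSO enabled and enforced"]:
        print(finding)
```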

Login Types

When single sign-on (SSO) is enabled and NOT enforced, the AWI login screen has an extra drop-down list called Login Type. Users can select whether to log in using basic authentication or the configured SSO protocol (Kerberos or SAML). This means that the available login types are as follows:

  • Automation Engine

    This option is visible only if SSO is NOT enforced. This corresponds to the basic authentication.

  • Kerberos

    If Kerberos is configured, the Name, Department, and Password fields are not displayed on the login dialog.

    Important!

    • You cannot use SSO - Kerberos in the Automic Automation Kubernetes Edition.
    • This option is only available if Kerberos is configured locally. For more information, see Setting up Single Sign-On - Kerberos.
  • SAML

    This option is only available if SAML is set up in the system behind the connection. For more information, see Setting up Single Sign-On - SAML.

    If SAML is configured, the Name and Password fields are not available, and the Department field becomes mandatory. As soon as the user enters a department, the Next button is enabled. Clicking it redirects you to the SAML Identity Provider for authentication and back to AWI with the result.

As with Kerberos, the checkbox Enable autologin allows you to choose if you want a fully or partially automatic login.

SSO and Autologin

If SSO is enabled, the login dialog displays an additional option, namely, Enable autologin. This option lets users decide whether their login to AWI should be fully or partially automated:

  • For a fully automated login, users can select Enable autologin. As a result, they will no longer need to enter the login details in the future.

  • For a partially automated login, users can leave the Enable autologin checkbox unselected. This means that they can adjust the session settings (Language, Connection, Client) at each login without needing to re-enter the username or password.

For more information, see Logging In and Out.
