Configuring SSO Access
This topic provides instructions for configuring Anzo to enable single sign-on (SSO) access using one of the following SSO providers:
- Direct and Indirect Basic
- Direct and Indirect Kerberos
- JSON Web Tokens (JWT) Header and Parameter
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML)
Follow the instructions below to configure a provider.
- In the Anzo console, expand the Administration menu and click SSO Config. Anzo displays the Single Sign On screen, which lists any existing SSO providers.
- To add a provider, click the Create button and select the type of provider to configure. Anzo opens the Create dialog box for that provider. Complete the required fields and supply any relevant optional information. The sections below describe the properties for each provider.
Direct Basic Provider
This section describes the settings that are available on the Create Direct Basic Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Realm Name: Optional field that specifies the name of the security realm.
- Enable on match regex: Optional field that defines regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If Enable on match regex is blank, the provider will be active by default.
- Disable on match regex: Optional field that defines regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If Disable on match regex is blank, the provider will be active by default.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
Direct Kerberos Provider
This section describes the settings that are available on the Create Direct Kerberos Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Service Principal: Required field that specifies the service and DNS name for the application. For authentication through the web browser, specify the service principal value in the following format:
HTTP/fully_qualified_domain_name@domain
For example, HTTP/server.example.com@example.com.
Note: The keytab file must contain the key for this principal.
- Keytab: Required field that specifies the .keytab file that lists the Kerberos principals and encrypted keys. Click the Keytab field to open the File Location dialog box and select the keytab file.
- Realm: Optional field that specifies the Kerberos realm that the service principal maps to.
- KRB Configuration: Optional field that specifies the path and file name for the krb5.conf file on the Kerberos instance. The default location is /etc/krb5.conf.
- KDC: Optional field that specifies the domain name for the Key Distribution Center.
- Debug mode: Optional field that specifies whether Kerberos debug logging is enabled for your provider.
- Enable on match regex: Optional field that defines regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If Enable on match regex is blank, the provider will be active by default.
- Disable on match regex: Optional field that defines regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If Disable on match regex is blank, the provider will be active by default.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
Facebook Provider
This section describes the settings that are available on the Create Facebook Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Client ID:
- Secret:
- Confirm Password:
- Enable on login page: Optional field that specifies whether to enable a link for this provider on the Anzo login screen.
- Callback URL: Required field that specifies the URL for the provider to use to redirect users back to the Anzo application after a successful login.
- Callback URL port replacement: Optional field that specifies the port to use for the Callback URL.
- User Identifier: Optional field that specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
- Icon: Optional property that specifies an SSO icon to use on the Anzo login screen. To select an image file, click the Icon field and select Add File.
Indirect Basic Provider
This section describes the settings that are available on the Create Indirect Basic Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Realm Name: Optional field that specifies the name of the security realm.
- Enable on login page: Optional field that specifies whether to enable a link for this provider on the Anzo login screen.
- Callback URL: Required field that specifies the URL for the provider to use to redirect users back to the Anzo application after a successful login.
- Callback URL port replacement: Optional field that specifies the port to use for the Callback URL.
- User Identifier: Optional field that specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
- Icon: Optional property that specifies an SSO icon to use on the Anzo login screen. To select an image file, click the Icon field and select Add File.
Indirect Kerberos Provider
This section describes the settings that are available on the Create Indirect Kerberos Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Service Principal: Required field that specifies the service and DNS name for the application. For authentication through the web browser, specify the service principal value in the following format:
HTTP/fully_qualified_domain_name@domain
For example, HTTP/server.example.com@example.com.
Note: The keytab file must contain the key for this principal.
- Keytab: Required field that specifies the .keytab file that lists the Kerberos principals and encrypted keys. Click the Keytab field to open the File Location dialog box and select the keytab file.
- Realm: Optional field that specifies the Kerberos realm that the service principal maps to.
- KRB Configuration: Optional field that specifies the path and file name for the krb5.conf file on the Kerberos instance. The default location is /etc/krb5.conf.
- KDC: Optional field that specifies the domain name for the Key Distribution Center.
- Debug mode: Optional field that specifies whether Kerberos debug logging is enabled for your provider.
- Enable on login page: Optional field that specifies whether to enable a link for this provider on the Anzo login screen.
- Callback URL: Required field that specifies the URL for the provider to use to redirect users back to the Anzo application after a successful login.
- Callback URL port replacement: Optional field that specifies the port to use for the Callback URL.
- User Identifier: Optional field that specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
- Icon: Optional property that specifies an SSO icon to use on the Anzo login screen. To select an image file, click the Icon field and select Add File.
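Both the Direct and the Indirect Kerberos provider require a Service Principal in the HTTP/fully_qualified_domain_name@domain form and a keytab that holds that principal's key. The following added example (my own check, not Anzo's code) validates the format and looks for an exact, case-sensitive match in the output of `klist -kt <keytab>`; the MIT Kerberos column layout is assumed and the sample output is constructed.

```python
import re

# Format required by the Service Principal field: HTTP/fully_qualified_domain_name@domain
SERVICE_PRINCIPAL_RE = re.compile(
    r"^HTTP/(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)@(?P<realm>[A-Za-z0-9.-]+)$"
)


def check_service_principal(principal: str) -> list:
    """Return the problems found with a Service Principal value (empty list = well formed)."""
    problems = []
    if SERVICE_PRINCIPAL_RE.match(principal) is None:
        problems.append("not in HTTP/fully_qualified_domain_name@domain form")
    return problems


def keytab_principals(klist_output: str) -> set:
    """Parse principal names from `klist -kt <keytab>` output (MIT Kerberos layout assumed)."""
    principals = set()
    for raw in klist_output.splitlines():
        line = raw.strip()
        # Skip the "Keytab name:" line, the column header and the dashed separator.
        if not line or line.startswith(("Keytab name:", "KVNO", "----")):
            continue
        # Remaining lines are: KVNO, timestamp columns, then the principal as the last field.
        principals.add(line.split()[-1])
    return principals


def validate_kerberos_provider(principal: str, klist_output: str) -> list:
    """Problems a Kerberos provider would hit with this principal and this keytab listing."""
    problems = check_service_principal(principal)
    if problems:
        return problems
    found = keytab_principals(klist_output)
    if principal not in found:
        # Principal names are compared literally; HTTP/x@EXAMPLE.COM and HTTP/x@example.com
        # are different principals, so the keytab entry must match the field exactly.
        problems.append(
            f"keytab contains no key for {principal}; entries present: {sorted(found)}"
        )
    return problems


# Constructed sample of `klist -kt /opt/anzo/etc/anzo.keytab` output (hypothetical path, not real data).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/opt/anzo/etc/anzo.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 09:30:00 HTTP/server.example.com@example.com
   2 01/15/2024 09:30:00 HTTP/server.example.com@example.com
   1 01/15/2024 09:30:00 host/server.example.com@example.com
"""

if __name__ == "__main__":
    for candidate in ("HTTP/server.example.com@example.com",
                      "HTTP/server.example.com@EXAMPLE.COM",
                      "HTTP/server@example.com"):
        print(candidate, "->", validate_kerberos_provider(candidate, SAMPLE_KLIST_OUTPUT) or "ok")
```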
JWT Header Provider
This section describes the settings that are available on the Create JWT Header Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Header Prefix:
- Header Name:
- Signing Secret: Required field
- Key Algorithm:
- Encryption Method:
- Encryption Secret:
- Enable on match regex: Optional field that defines regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If Enable on match regex is blank, the provider will be active by default.
- Disable on match regex: Optional field that defines regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If Disable on match regex is blank, the provider will be active by default.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
JWT Parameter Provider
This section describes the settings that are available on the Create JWT Parameter Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Parameter Name:
- Supports GET request:
- Supports POST request:
- Signing Secret:
- Key Algorithm:
- Encryption Algorithm:
- Encryption Method:
- Encryption Secret:
- Enable on match regex: Optional field that defines regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If Enable on match regex is blank, the provider will be active by default.
- Disable on match regex: Optional field that defines regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If Disable on match regex is blank, the provider will be active by default.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
Open ID Connect Provider
This section describes the settings that are available on the Create Open ID Connect Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Client ID: Required field that specifies the client ID or consumer key value from the provider application.
- Secret: Required field that specifies the client secret from the provider application.
- Confirm Password: Required field
- Discovery URI: Required field
- Scope: Optional field that specifies the scope to send to the authorization endpoint with the request.
- Preferred JWS Algorithm: Optional field
- Enable on login page: Optional field that specifies whether to enable a link for this provider on the Anzo login screen.
- Callback URL: Required field that specifies the URL for the provider to use to redirect users back to the Anzo application after a successful login.
- Callback URL port replacement: Optional field that specifies the port to use for the Callback URL.
- User Identifier: Optional field that specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
- Icon: Optional property that specifies an SSO icon to use on the Anzo login screen. To select an image file, click the Icon field and select Add File.
SAML Provider
This section describes the settings that are available on the Create SAML Provider screen:
- Title: Required field that specifies the name for this provider configuration.
- Description: Optional field that provides a description for this provider configuration.
- Enable on matched container ID: Required field that lists the container ID(s) to match. This provider will be active if the request container ID matches one of the container IDs specified in this property. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
- Identity Provider Metadata: Required field that specifies the identity provider metadata .xml file. To add the file, click the Identity Provider Metadata field, click Add File, and select the file.
- Service Provider Entity ID:
- Service Provider Metadata: Optional field that specifies the service provider metadata .xml file. To add the file, click the Service Provider Metadata field, click Add File, and select the file.
- Maximum Authentication Lifetime (s):
- Enable on login page: Optional field that specifies whether to enable a link for this provider on the Anzo login screen.
- Callback URL: Required field that specifies the URL for the provider to use to redirect users back to the Anzo application after a successful login.
- Callback URL port replacement: Optional field that specifies the port to use for the Callback URL.
- User Identifier: Optional field that specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
- Email Template regex: If email was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
- Email Template Replacement: Optional field that specifies a replacement email template to use if there are variations found by Email Template regex.
- User Template regex: If user was specified as the User Identifier, you can use this optional field to include a regular expression to use for identifying variations between user names stored by the SSO provider and user names returned by the directory server.
- User Template Replacement: Optional field that specifies a replacement user template to use if there are variations found by User Template regex.
- Use username directly:
- Skip CSRF check: Optional property that specifies whether to perform a cross-site request forgery (CSRF) check.
- LDAP domain: Optional field that specifies the LDAP domain to use for user lookup.
- LDAP email property: Optional field that specifies the LDAP email property to use to find the associated user. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
- Icon: Optional property that specifies an SSO icon to use on the Anzo login screen. To select an image file, click the Icon field and select Add File.
- Click Save to save the provider configuration.
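The Enable on matched container ID, Enable on match regex, Disable on match regex and Email Template regex fields recur in every provider above. This added Python example (my own illustration, not Anzo's implementation) applies those rules as the page states them to a constructed configuration, so you can see which requests a provider handles and how an SSO email is normalised before the directory lookup; `re.search` matching, Python's `\1` replacement syntax and disable-over-enable precedence are assumptions the page does not state.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SsoProviderConfig:
    """Subset of the provider fields described above (attribute names are this example's own)."""
    title: str
    container_ids: List[str]                                 # Enable on matched container ID
    enable_regex: List[str] = field(default_factory=list)    # Enable on match regex
    disable_regex: List[str] = field(default_factory=list)   # Disable on match regex
    email_template_regex: Optional[str] = None               # Email Template regex
    email_template_replacement: str = ""                     # Email Template Replacement


def _any_match(patterns: List[str], url: str) -> bool:
    # re.search is assumed: an unanchored pattern matches anywhere in the URL, so a rule
    # such as "/admin" would also match "/notadmin". Anchor the expressions you enter.
    return any(re.search(p, url) for p in patterns)


def provider_is_active(cfg: SsoProviderConfig, container_id: str, request_url: str) -> bool:
    """Decide whether this provider handles a request, following the rules in the field list."""
    # The provider is only considered when the request container ID is one of those listed.
    if container_id not in cfg.container_ids:
        return False
    # Assumption: a Disable rule takes precedence over an Enable rule.
    if _any_match(cfg.disable_regex, request_url):
        return False
    # Blank Enable list: the provider is active by default.
    if not cfg.enable_regex:
        return True
    return _any_match(cfg.enable_regex, request_url)


def map_identifier(template_regex: Optional[str], replacement: str, value: str) -> str:
    """Rewrite an identifier returned by the SSO provider into the form the directory stores.

    Applies to both the Email Template and User Template pairs. Replacement syntax here is
    Python's re.sub (\\1 for capture groups); the syntax Anzo accepts may differ.
    """
    if not template_regex:
        return value
    return re.sub(template_regex, replacement, value)


# Constructed sample configuration; none of these values come from the page.
EXAMPLE_CFG = SsoProviderConfig(
    title="Corp basic auth",
    container_ids=["anzo-container-a"],
    enable_regex=[r"^https://anzo\.example\.com/(api|sparql)(/|$)"],
    disable_regex=[r"^https://anzo\.example\.com/api/public/"],
    email_template_regex=r"^([^@]+)@corp\.example\.com$",
    email_template_replacement=r"\1@example.com",
)

if __name__ == "__main__":
    for url in ("https://anzo.example.com/api/graphs",
                "https://anzo.example.com/api/public/health",
                "https://anzo.example.com/ui/"):
        print(url, "->", provider_is_active(EXAMPLE_CFG, "anzo-container-a", url))
    for email in ("alice@corp.example.com", "bob@example.com"):
        print(email, "->", map_identifier(EXAMPLE_CFG.email_template_regex,
                                          EXAMPLE_CFG.email_template_replacement, email))
```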