Differences

This shows you the differences between two versions of the page.

tutorial:adm:sso_ad_domain [2020/01/13 12:01]
doischert
tutorial:adm:sso_ad_domain [2020/02/11 07:23]
doischert
Line 2: Line 2:
  
 CzechIdM supports Single-Sign-On of the AD domain users. The mechanism uses web server, which handles the Kerberos authentication and provides the login of the authenticated user in the HTTP header. Then CzechIdM processes this header and authenticates the user automatically. CzechIdM supports Single-Sign-On of the AD domain users. The mechanism uses web server, which handles the Kerberos authentication and provides the login of the authenticated user in the HTTP header. Then CzechIdM processes this header and authenticates the user automatically.
 +
 +<note important>The SSO implementation works by looking up a username returned by Kerberos in IdM. This means that the user must have the same sAMAccountName in AD and username in IdM. Also, AD is not case-sensitive but IdM is, i. e., if your sAMAccountName is "jnovak", you can log in to AD as "JNovak" but this is not the case in IdM. **Make sure that usernames in IdM are the same as sAMAccountNames in AD, otherwise, SSO will fail.**</note>
  
 If the user is the Application Admin (e.g. has assigned the role superAdminRole), SSO authentication is disabled for security reasons. If the user is the Application Admin (e.g. has assigned the role superAdminRole), SSO authentication is disabled for security reasons.
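Review bot: the bold closing sentence of the added note asks for usernames that are "the same" without saying that letter case counts, although the note's own explanation (AD ignores case, IdM does not) makes case the likely failure. Suggest wording it as "Make sure that usernames in IdM match sAMAccountNames in AD exactly, including letter case". The phrase "you can log in to AD as "JNovak" but this is not the case in IdM" also leaves open which spelling reaches IdM in the HTTP header, the one the user typed or the stored sAMAccountName; stating that would tell an administrator whether a user typing a different case breaks SSO or only a mismatched account record does. Minor: "i. e." should be "i.e.".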
  • by apeterova