Many organizations use an Identity Provider to manage user authentication and authorization. The Single Sign-On (SSO) feature leverages a company's existing identity infrastructure to allow authorized users to access resources in SynaMan. Using an Identity Provider is an alternative to using LDAP/AD or creating local users in SynaMan.
Benefits of Using SSO
Users have to remember fewer passwords
Typically, a company portal redirects users to SynaMan's web interface, which streamlines the process of signing in to and using applications.
Organizations can use a single set of policies for authentication, such as two-factor authentication.
Prerequisites
SynaMan can be integrated with any Identity Provider that supports OAuth 2 along with OpenID Connect (OIDC). The Identity Provider itself can be hosted on a public cloud or installed within a company's LAN.
Tutorial Videos
To get started quickly, it is recommended that you watch the following videos. The first video covers installing and configuring the Keycloak server, which is an open source identity server. The second video demonstrates integrating SynaMan with Keycloak.
Configuration
The following are step-by-step instructions for configuring Keycloak with SynaMan.
Download, install and configure the Keycloak server as demonstrated in the first video above. If you're using a different Identity Provider, follow its documentation to configure it. In short, you MUST perform the following tasks in the Identity Provider before configuring it with SynaMan.
Create a ClientID for SynaMan.
Create at least two users. Designate one of them as the admin account.
Note down the metadata URL for the server. Contact the provider's support for this URL if you're using an Identity Server on a public cloud.
Log in to SynaMan as 'admin'.
Click on the Security tab.
Specify the user ID for admin. This user MUST be a valid user in the Identity Server. Save the settings. This is a VERY IMPORTANT step: failure to change the user ID will get you locked out of SynaMan.
Click on Single Sign-On tab.
Specify the Auth Metadata URL as provided by your identity provider.
Specify the ClientID.
Client Secret is optional. Only include a client secret if you have configured this client with a secret in your Identity Provider.
Check the box to enable SSO.
Restart SynaMan.
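Before entering the Auth Metadata URL and ClientID above, it is worth confirming that the URL really points at an OAuth 2 / OIDC discovery document that SynaMan can use. The following Python script is an added example written for this page, not SynaMan's own code or Keycloak's; it validates a discovery document against the OIDC Discovery rules (the document must live at issuer + /.well-known/openid-configuration, must list the authorization, token and JWKS endpoints, must be served over https, and must advertise the openid scope and the authorization-code flow). The host idp.example.com, the realm name synaman and both sample documents are constructed for illustration.

```python
"""Sanity-check an OpenID Connect discovery document before using its URL
as the Auth Metadata URL (added example, not SynaMan or Keycloak code)."""
import json
from urllib.parse import urlparse

# Discovery fields an OAuth 2 / OIDC client needs to run the authorization-code
# flow and verify ID tokens. Names are the standard OIDC Discovery keys.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery(metadata_url: str, document: dict) -> list:
    """Return a list of problems found; an empty list means the document looks usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not document.get(field):
            problems.append("missing required field: " + field)

    issuer = document.get("issuer")
    if issuer:
        # OIDC Discovery: the document lives at <issuer> + /.well-known/openid-configuration,
        # so a mismatch means the URL points at a different issuer than the one it claims.
        if metadata_url.rstrip("/") != issuer.rstrip("/") + WELL_KNOWN:
            problems.append("metadata URL does not match issuer " + issuer)
        if urlparse(issuer).scheme != "https":
            problems.append("issuer is not served over https")

    # Any endpoint that is not https exposes authorization codes and tokens in transit.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = document.get(field)
        if url and urlparse(url).scheme != "https":
            problems.append(field + " is not served over https")

    if "openid" not in document.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope (OIDC required)")
    if "code" not in document.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


def check_metadata(metadata_url: str, raw_json: str) -> list:
    """Parse a discovery document fetched from metadata_url and validate it."""
    try:
        document = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return ["metadata is not valid JSON: " + str(exc)]
    if not isinstance(document, dict):
        return ["metadata is not a JSON object"]
    return validate_discovery(metadata_url, document)


# Constructed sample: a Keycloak-style discovery document for a hypothetical
# realm named "synaman" on a hypothetical host. Real documents carry more fields.
SAMPLE_URL = "https://idp.example.com/realms/synaman/.well-known/openid-configuration"
SAMPLE_GOOD = json.dumps({
    "issuer": "https://idp.example.com/realms/synaman",
    "authorization_endpoint": "https://idp.example.com/realms/synaman/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/synaman/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/synaman/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})

# Constructed bad sample: wrong issuer, plain http, no JWKS URI and no openid scope.
SAMPLE_BAD = json.dumps({
    "issuer": "http://idp.example.com/realms/other",
    "authorization_endpoint": "http://idp.example.com/realms/other/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/other/protocol/openid-connect/token",
    "scopes_supported": ["profile"],
    "response_types_supported": ["code"],
})

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_metadata(SAMPLE_URL, raw) or "OK")
```

In practice you would fetch the document from the metadata URL (for example with urllib) and pass the response body to check_metadata together with the URL you intend to enter in SynaMan; an empty result means the provider advertises everything an OAuth 2 / OIDC client needs, while any issuer mismatch or plain-http endpoint should be resolved at the Identity Provider before enabling SSO.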
Importing Existing Users
Existing users are imported automatically, provided a user ID exists in the Identity Provider matching the existing user name.
Temporarily Disabling SSO
If you forget to modify the user name for the administrator's account, as mentioned above, the only way to regain access is to temporarily disable SSO. This is done by following the steps below.
Connect to the machine where SynaMan is running.
Using Windows File Explorer, go to $INSTALL_DIR\config folder. $INSTALL_DIR refers to the folder where SynaMan is installed.
Rename OAuthConfig.xml to a different name.
Restart SynaMan.
Comparing SSO with LDAP/AD and local login
With the introduction of SSO, there are now three different mechanisms for managing user authentication:
Local users in SynaMan
User credentials that come from an Active Directory/LDAP server
SSO, which comes from an Identity Provider supporting OAuth with OpenID Connect. It is important to note that using SSO will automatically disable the first two mechanisms.
The following table summarizes the differences between these mechanisms.

Feature: User Scope
  Local Accounts: Entirely local to SynaMan, which allows users outside your organization to have an account.
  Active Directory: Integrated with your Windows login account. This is typically inside your LAN but could also be on a public cloud.
  SSO: Integrated with other web portals in your company.

Feature: Sessions
  Local Accounts: Maintained within SynaMan. Users will have to log in again once the session expires.
  Active Directory: Maintained within SynaMan. Users will have to log in again once the session expires.
  SSO: Maintained by the identity server. Users will stay logged in for a longer period of time.

Feature: Mixing
  Local Accounts: Can be mixed with AD/LDAP, meaning some users can be local while others come from AD.
  Active Directory: Can be mixed with local users.
  SSO: Cannot be mixed with other mechanisms. Using SSO will disable the other two.