SSO (Single Sign-On)

Introduction

SSO (Single Sign-On) is a session and user authentication service that permits a user to use one set of login credentials (a username and password) to access multiple applications.

Benefits of using single sign-on include:

  • Mitigate risk for access to 3rd-party sites (user passwords not stored or managed externally)

  • Reduce password fatigue from different username and password combinations

  • Reduce time spent re-entering passwords for the same identity

  • Reduce IT costs due to lower number of IT help desk calls about passwords

Witness uses a plugin on the Management Server to check the specific authentication credentials for an individual user against a dedicated SSO directory server. The server authenticates the end user and provides details on group membership so they are given the appropriate permissions within the Witness application. This also eliminates the need for users to re-enter their credentials when logging into Witness because the information is automatically taken from the user’s session in the operating systems (e.g. Windows).

Currently Witness only supports authenticating the user against Microsoft Active Directory, however an additional plugin to support LDAP (Lightweight Directory Access Protocol) will be available soon.

Requirements

To enable SSO to authenticate against an Active Directory you must have the following:

  1. An Active Directory domain account that has permission to query the directory. These account details must be entered in the Witness SSO plugin configuration so Witness has permission to access the directory server.

  2. A matching account in Witness and Active Directory (AD). Accounts are linked by username: for example, if the user name is john.doe in AD then there must be a matching user account in Witness with the same username, john.doe.

  3. An Active Directory (AD) group to match each of the user groups in Witness. This enables the domain administrators to move users between groups in AD in order to change the users' permissions in Witness. Each user group in Witness can be linked to a user group in Active Directory.

Witness user accounts can be allocated a Witness group; this is part of the normal setup whether using SSO or not. However, when using SSO, you can override the user's default Witness group by moving that user into a different linked group inside AD. When using SSO the user's group membership in AD always overrides the group membership in Witness.

Enabling SSO

  1. Within Settings > System Settings there is an SSO Settings section. Click the icon to view the settings:

     

  2. The user can now configure or amend the settings to enable Witness to check against an Active Directory / LDAP server for users and groups:

     

    Enabled: Select to enable SSO.

    Server: There are several options:

    • Legacy Domain Name

    • Domain Name

    • Server Name

    • Server IP Address

    • Server Name or IP Address with Port

    Container: Can be a Common Name for searching within the directory.

    Username: The Domain / Directory User who can look up Users and Groups within the directory.

    Password: The password of the User.

  3. Within the User Group settings there is an SSO Group Name field. This links this set of Witness permissions with users who are members of the linked AD group.

     

  4. Select Edit to add an SSO Group Name. This name must match the exact name as it appears in the AD, as illustrated below.

     

  5. When logging into Witness, there is an option Enable SSO. Select this to enable SSO.

     

Note that if no AD groups are linked to Witness groups then SSO will not work. Likewise, if a user is not a member of any of the linked AD groups then authorisation will fail and the user will not be able to log in.

Once the SSO option is enabled, the user's Windows username is automatically selected and the password entry is disabled. In addition, the option to automatically log in is enabled by default when SSO is selected because there is no requirement to enter a username or password. This enables the client application to auto-login the next time the If the login fails, either through a connection failure or failed authorisation, the auto login will be cancelled and the login prompt will remain visible so the user can make any required changes.

A user can always revert to a normal Witness login by unselecting the Enable SSO option. If administrators wish to prevent users from logging in without SSO, they should not share the Witness account password; that way the user can only log in with SSO.
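The authorisation rules above (a linked AD group must exist, the username must match a Witness account, AD group membership decides the effective Witness group, and an unlinked user is refused) are collected here as an added worked example; it is not the Witness plugin's own code. The group and user data are constructed, and it assumes exact username matching and, where a user is in several linked groups, that the first linked group in Witness order wins, since the page defines no precedence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WitnessGroup:
    name: str                             # Witness user group (a permission set)
    sso_group_name: Optional[str] = None  # linked AD group; must match AD exactly


@dataclass
class SsoDecision:
    ok: bool
    group: Optional[str]  # effective Witness group when authorised
    reason: str


def resolve_sso_login(ad_username: str, ad_member_of: List[str],
                      witness_users: Dict[str, str],
                      witness_groups: List[WitnessGroup]) -> SsoDecision:
    """Decide whether an SSO login succeeds and which Witness group applies.

    ad_username / ad_member_of: what the directory reported for the session user.
    witness_users: Witness account username -> default Witness group.
    """
    # No linked AD groups at all: SSO cannot work regardless of the user.
    linked = [g for g in witness_groups if g.sso_group_name]
    if not linked:
        return SsoDecision(False, None, "no AD groups are linked to Witness groups")
    # Accounts are linked by username; exact comparison is assumed here.
    if ad_username not in witness_users:
        return SsoDecision(False, None, f"no Witness account named {ad_username!r}")
    # SSO Group Name must match the AD group name exactly (case-sensitive).
    membership = set(ad_member_of)
    for g in linked:
        if g.sso_group_name in membership:
            # AD membership always overrides the user's default Witness group;
            # first linked group in Witness order wins (assumption, see lead-in).
            return SsoDecision(True, g.name,
                               f"member of linked AD group {g.sso_group_name!r}, "
                               f"overriding default group {witness_users[ad_username]!r}")
    return SsoDecision(False, None, "user is not a member of any linked AD group")


# Constructed sample data (not from the page): three Witness groups, two linked.
SAMPLE_GROUPS = [WitnessGroup("Administrators", "Witness-Admins"),
                 WitnessGroup("Operators", "Witness-Operators"),
                 WitnessGroup("Viewers")]
SAMPLE_USERS = {"john.doe": "Viewers"}

if __name__ == "__main__":
    print(resolve_sso_login("john.doe", ["Domain Users", "Witness-Operators"],
                            SAMPLE_USERS, SAMPLE_GROUPS))
```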
