Configuring TOS SSO

Overview

TOS Single Sign On (SSO) enables users to log into SecureTrack and SecureChange with the same user credentials. With TOS SSO enabled, if you are logged into any TOS application (SecureTrack, SecureChange, or SecureApp) you do not need to log in separately to other applications. This allows you to have SecureTrack and SecureChange open in separate browser tabs, and move seamlessly between the applications using the same credentials. If you log out of an application on one tab, all open applications will also log out.

If TOS SSO is enabled, local users must be defined in both SecureChange and SecureTrack with the same user name. Passwords must be defined on both SecureTrack and SecureChange. When the user accesses TOS via the GUI, only the password defined on SecureTrack will be considered. The password defined on SecureChange will be used when this local user uses the SecureChange API.

TOS SSO authentication is only available for users who access TOS applications through the user interface; users who access TOS only though API calls require separate login credentials for each application.

Each user must have the same unique user name on all repositories ( for example, TOS Keycloak, SecureChange, LDAP, SAML, RADIUS). Authentication is done by Keycloak for all TOS applications, while authorization is done by SecureTrack and SecureChange independently.

To receive email notifications, after the initial SSO login you must provide administrator’s email address in the SecureChange settings page under Settings > GENERAL > Mail Notifications:

TOS SSO authentication allows SecureChange users to be authenticated with LDAP, RADIUS, SAML, or TACACS+. Although users can be authenticated by any one of the external servers, authorization for SecureChange users is only possible through their LDAP profile. This means that after a user is externally authenticated, SecureChange must have access to their LDAP profile to authorize them and complete the login process.

It is not available for installations that use SiteMinder for authentication.

As of Release 22-1, new installations have TOS SSO authentication activated by default. If you upgraded from an earlier version of TOS, this feature is not activated by default.

Activating TOS SSO

Run the following command with TOS Admin privileges:

Running this command disables the user interface for a short time.
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=true
sudo tos config set -p tos.sso.enabled=true

When TOS SSO is activated, a single TOS login screen is shown for both SecureTrack and SecureChange.

Disabling TOS SSO

Run the following command with TOS Admin privileges:

Running this command disables the user interface for a short time.
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=false
sudo tos config set -p tos.sso.enabled=false

When TOS SSO is disabled, there are separate login screens for SecureTrack and SecureChange.