TOS SSO Authentication for SecureTrack and SecureChange
Overview
TOS Single Sign On (SSO) enables users to log into SecureTrack and SecureChange with the same user credentials. With TOS SSO enabled, if you are logged into any TOS application (SecureTrack, SecureChange, or SecureApp) you do not need to log in separately to other applications. This allows you to have SecureTrack and SecureChange open in separate browser tabs, and move seamlessly between the applications using the same credentials. If you log out of an application on one tab, all open applications will also log out.
If TOS SSO is enabled, local users must be defined in both SecureChange and SecureTrack with the same user name. Passwords must be defined on both SecureTrack and SecureChange. When the user accesses TOS via the GUI, only the password defined on SecureTrack will be considered. The password defined on SecureChange will be used when this local user uses the SecureChange API.
TOS SSO authentication is only available for users who access TOS applications through the user interface; users who access TOS only through API calls require separate login credentials for each application.
Each user must have the same unique user name on all repositories (for example, TOS Keycloak, SecureChange, LDAP, SAML, RADIUS). Authentication is done by Keycloak for all TOS applications, while authorization is done by SecureTrack and SecureChange independently.
TOS SSO authentication allows SecureChange users to be authenticated with LDAP, RADIUS, SAML, or TACACS+. Although users can be authenticated by any one of the external servers, authorization for SecureChange users is only possible through their LDAP profile. This means that after a user is externally authenticated, SecureChange must have access to their LDAP profile to authorize them and complete the login process.
TOS SSO is not available for installations that use SiteMinder for authentication.
As of Release 22-1, new installations have TOS SSO authentication activated by default. If you upgraded from an earlier version of TOS, this feature is not activated by default.
Activating TOS SSO
Run the following command with TOS Admin privileges:
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=true
When TOS SSO is activated, a single TOS login screen is shown for both SecureTrack and SecureChange.
Disabling TOS SSO
Run the following command with TOS Admin privileges:
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=false
When TOS SSO is disabled, there are separate login screens for SecureTrack and SecureChange.