Configuring External SSO Authentication for SecureChange

Organizations can integrate SecureChange into their Identity Management systems with single sign-on (SSO). SecureChange supports a header-based SSO implementation in which an SSO agent or Policy Enforcement Point (PEP) authenticates the user. If authentication is successful, the agent sends SecureChange an HTTP header with the user name in plain text.

It is your organization’s responsibility to ensure that access to SecureChange is possible only via the single sign-on (SSO) agent or Policy Enforcement Point (PEP): It should not be possible to access SecureChange without successful authentication by your SSO agent or Policy Enforcement Point (PEP).

To have your LDAP users authenticate to SecureChange with single sign-on (SSO), you must have an SSO agent installed in your environment, and the SSO agent must send an HTTP header with the username to SecureChange. You must enter the name of the HTTP header where the SSO agent sends the user name into the SecureChange configuration. Contact your SSO system administrator to get the name of the HTTP header.

Do not install any SSO components on the TOS server.

This feature is not available for installations that use Internal SSO Authentication.

Configure a Connection to an SSO client

  1. Go to: Settings > Authentication > SSO
  2. Select Enable Single sign-on.
  3. Enter the HTTP header field for the user name.

    By default, the header field is: HTTP_SM_USER

  4. Click Save.
  5. Configure the default authentication method or configure the authentication method for specific users.

    • Default authentication - Go to Settings > Authentication > General and select SSO as the default authentication method.
    • User authentication - Go to Settings > Users, select a user, and, in the user Details tab, select SSO from the list of available authentication methods.
If SecureChange SSO is not configured, an alert icon is displayed ().

How Do I Get Here?

SecureChange > Settings > Authentication > SSO