Internal SSO Authentication

Overview

TOS internal SSO authentication allows users to log in once to all TOS components (SecureTrack, SecureChange, SecureApp, and extensions), using the same credentials. This allows you to have the different TOS components open in separate browser tabs, and move seamlessly between the applications using the same credentials. If you log out of an application on one tab, all open applications will also log out.

If TOS internal SSO is enabled, local users must be defined in both SecureChange and SecureTrack with the same user name. Passwords must be defined on both SecureTrack and SecureChange. When the user accesses TOS via the GUI, only the password defined on SecureTrack will be considered. The password defined on SecureChange will be used when this local user uses the SecureChange API.

TOS internal SSO authentication is only available for users who access TOS applications through the user interface; users who access TOS only through API calls require separate login credentials for each application.

Each user must have the same unique user name on all repositories (for example, TOS Keycloak, SecureChange, LDAP, SAML, RADIUS). Authentication is done by Keycloak for all TOS applications, while authorization is done by SecureTrack and SecureChange independently.
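The following pre-flight check for the user-name requirement above is an added example, not Tufin code. It assumes you have exported the user names of each repository to plain text, one name per line (the export format and the sample names are constructed), and it treats names that differ only by letter case as a mismatch to review, which is an assumption about how strictly "the same user name" is applied.

```python
from collections import Counter

# Constructed sample exports, one user name per line (the format is assumed).
SECURETRACK_EXPORT = "# local users\nalice\nbob\ncarol\ndave\n"
SECURECHANGE_EXPORT = "# local users\nalice\nBob\ncarol\ncarol\nerin\n"


def parse_export(text):
    """Return the user names in an export, skipping blanks and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def compare_repositories(repos):
    """repos maps a repository label to its list of user names.

    Reports names duplicated inside one repository, names that differ only
    by letter case between repositories, and names absent from a repository.
    """
    report = {"duplicates": {}, "case_mismatch": [], "missing": {}}
    for repo, names in repos.items():
        dups = sorted(n for n, count in Counter(names).items() if count > 1)
        if dups:
            report["duplicates"][repo] = dups

    # Group every exact spelling under its case-folded form.
    spellings = {}
    for repo, names in repos.items():
        for name in set(names):
            spellings.setdefault(name.casefold(), {}).setdefault(name, set()).add(repo)

    for _, variants in sorted(spellings.items()):
        if len(variants) > 1:
            # Same name, different spelling: not "the same user name".
            report["case_mismatch"].append(sorted(variants))
            continue
        name, present = next(iter(variants.items()))
        absent = sorted(set(repos) - present)
        if absent:
            report["missing"][name] = absent
    return report


if __name__ == "__main__":
    result = compare_repositories({
        "SecureTrack": parse_export(SECURETRACK_EXPORT),
        "SecureChange": parse_export(SECURECHANGE_EXPORT),
    })
    for section, findings in result.items():
        print(section, findings)
```

An empty report in all three sections means every name appears once, with identical spelling, in every repository you supplied.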

To receive email notifications, after the initial SSO login you must provide the administrator’s email address on the SecureChange settings page under Settings > GENERAL > Mail Notifications.

TOS SSO authentication allows SecureChange users to be authenticated with LDAP, RADIUS, SAML, or TACACS+. Although users can be authenticated by any one of the external servers, authorization for SecureChange users is only possible through their LDAP profile. This means that after a user is externally authenticated, SecureChange must have access to their LDAP profile to authorize them and complete the login process.

This feature is not available for installations that use external authentication for SecureChange.

If you are using external SAML authentication, when activating TOS SSO, the SecureTrack Administrator must manually add all the SAML authenticated users into SecureTrack, and assign them roles before they log in for the first time.

Enabling TOS SSO

TOS internal SSO is enabled by default when TOS is installed. If you have subsequently disabled it, a user with TOS Admin privileges can enable it again by running the following command:

Running this command disables the user interface for a short time.
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=true

When TOS SSO is enabled, a single TOS login screen is shown for both SecureTrack and SecureChange.

Disabling TOS SSO

Run the following command with TOS Admin privileges:

Running this command disables the user interface for a short time.
[<ADMIN> ~]$ sudo tos config set -p tos.sso.enabled=false

When TOS SSO is disabled, there are separate login screens for SecureTrack and SecureChange.