Appendix L - Implementing Spectrum Single Sign-on (SSO)
Spectrum Spatial Analyst now provides single sign-on (SSO) leveraging the Spectrum™ Technology Platform SSO implementation and Active Directory Federation Services (AD FS). SSO allows logged-in users to access Spectrum Spatial Analyst, Spectrum Spatial Analyst Administration console and Spectrum™ Technology Platform Web-based services with one set of credentials. AD FS allows the sharing of trusted party information, seamlessly, using cookie-based authentication.
For more information, refer to the Implementing Spectrum Single Sign-on (SSO) section in Spectrum™ Technology Platform administration.
Configuration assumptions and SSO deployment checks
The system administrator must complete the following tasks, and make the necessary security changes, before enabling SSO in Spectrum Spatial Analyst (SSA):
- Deployment of the AD FS server
- SSO configuration in Spectrum™ Technology Platform
Server configuration for SSO support
Pre-requisites
- Configuration of HTTPS communication between SSA and Spectrum Spatial, and
- Configuration of HTTPS communication with SSA
Set Analyst Login URL
Configure the SSO login URL for Analyst in the following file using a text editor:
<serverinstallationlocation>/customerconfigurations/_global_/controller.properties
Please amend the entry for sso.start.url as follows:
sso.start.url=#ognl("@spectrum_server/sso-integration/?externalapp=y&relaystate="
+requestAttributes["original_request_uri"]
+"/security-check?TargetResource="
+urlEncode(requestAttributes["original_request_uri"])
+insertLocale("&"))
slo.start.url should be left unchanged.
Set Administration console Login URL
Configure the SSO login URL for the Administration console in the following file:
<serverinstallationlocation>/customerconfigurations/_global_/adminconsole.properties
Please amend the entry for auth.sso.start.url as follows:
auth.sso.start.url=${spatialserver.rest.baseurl}/managementconsole/
?externalapp=y&relaystate=${adminconsole.externalUrl}/
@{tenant}/security-check?TargetResource=@{originalUriEncoded}
Ensure that the entry for adminconsole.externalUrl in the following file is set to the correct HTTPS URL of either the Admin console node or the corresponding reverse proxy/front load balancer, if deployed.
<serverinstallationlocation>/customerconfigurations/_global_/shared.properties
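The following Python check is an added example, not part of the product or its documentation. It reads the three entries described above and reports any that deviate from the values shown on this page. It assumes each wrapped value is stored as one logical entry (a single line or backslash continuations); the host analyst.example.com and the sample file contents are constructed.

```python
# Added example: lint sso.start.url, auth.sso.start.url and adminconsole.externalUrl.
from urllib.parse import urlsplit

def parse_properties(text):
    """Minimal .properties reader: comments, key=value, backslash continuations."""
    props, buf = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            buf.append(line[:-1])         # value continues on the next line
            continue
        key, sep, value = "".join(buf + [line]).partition("=")
        buf = []
        if sep:
            props[key.strip()] = value.strip()
    return props

REQUIRED = {  # substrings taken from the values shown on this page
    "sso.start.url": ("sso-integration/?externalapp=y&relaystate=",
                      "/security-check?TargetResource="),
    "auth.sso.start.url": ("/managementconsole/?externalapp=y",
                           "relaystate=${adminconsole.externalUrl}/",
                           "security-check?TargetResource=@{originalUriEncoded}"),
}

def check_sso_config(controller, adminconsole, shared):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for props, key in ((controller, "sso.start.url"), (adminconsole, "auth.sso.start.url")):
        value = props.get(key, "")
        findings += [f"{key}: missing '{t}'" for t in REQUIRED[key] if t not in value]
    ext = urlsplit(shared.get("adminconsole.externalUrl", ""))
    if ext.scheme != "https" or not ext.hostname:
        findings.append("adminconsole.externalUrl: not an absolute HTTPS URL")
    return findings

# Constructed sample files; analyst.example.com is a placeholder host.
CONTROLLER = r'''sso.start.url=#ognl("@spectrum_server/sso-integration/?externalapp=y&relaystate="\
  +requestAttributes["original_request_uri"]+"/security-check?TargetResource="\
  +urlEncode(requestAttributes["original_request_uri"])+insertLocale("&"))'''
ADMINCONSOLE = r'''auth.sso.start.url=${spatialserver.rest.baseurl}/managementconsole/\
  ?externalapp=y&relaystate=${adminconsole.externalUrl}/\
  @{tenant}/security-check?TargetResource=@{originalUriEncoded}'''
SHARED_OK = "adminconsole.externalUrl=https://analyst.example.com/adminconsole"
SHARED_BAD = "adminconsole.externalUrl=http://analyst.example.com/adminconsole"

if __name__ == "__main__":
    print(check_sso_config(*map(parse_properties, (CONTROLLER, ADMINCONSOLE, SHARED_BAD))))
```

To run it against a real installation, pass the contents of controller.properties, adminconsole.properties and shared.properties to parse_properties in place of the sample strings.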
Enabling Guest access
If you wish to enable guest access, ensure that you have completed the configuration described in Adding a Guest Role and User for Guest Access.
Managing Idle Session timeout
Managing and mapping roles
Known Issues & Limitations
If you are logged in to Analyst and Admin Console and you sign out of one of the applications, your subsequent request to SSA may fail. To continue your work, please start a fresh session with SSA.