Appendix L - Implementing Spectrum Single Sign-on (SSO)

Spectrum Spatial Analyst now provides single sign-on (SSO) leveraging the Spectrum™ Technology Platform SSO implementation and Active Directory Federation Services (AD FS). SSO allows logged-in users to access Spectrum Spatial Analyst, Spectrum Spatial Analyst Administration console and Spectrum™ Technology Platform Web-based services with one set of credentials. AD FS allows the sharing of trusted party information, seamlessly, using cookie-based authentication.

For more information, refer to the Implementing Spectrum Single Sign-on (SSO) section in Spectrum™ Technology Platform administration.

Configuration assumptions and SSO deployment checks

The system administrator must complete the following tasks before enabling SSO in SSA and make the necessary security changes.

Ensure that the system administrator has completed:
  • the deployment of the AD FS server
  • SSO configuration in Spectrum™ Technology Platform

Server configuration for SSO support

Pre-requisites

Your SSA server must be HTTPS enabled before setting up the configurations in this section. Ensure that the following two steps are completed:
  1. HTTPS communication configuration between SSA and Spectrum Spatial, and
  2. Configuration of HTTPS communication with SSA
If you are new to Spectrum Spatial Analyst, it may be helpful to review these topics:

Set Analyst Login URL

You need to configure the SSO login URL for Analyst in the following file using a text editor:

<serverinstallationlocation>/customerconfigurations/_global_/controller.properties

Please amend the entry for the sso.start.url as follows:

sso.start.url=#ognl("@spectrum_server/sso-integration/?externalapp=y&relaystate="+requestAttributes["original_request_uri"]+"/security-check?TargetResource="+urlEncode(requestAttributes["original_request_uri"])+insertLocale("&"))

Note: The entry for slo.start.url should be left unchanged.

Set Administration console Login URL

You need to configure the SSO login URL for the administration console in the following file:

<serverinstallationlocation>/customerconfigurations/_global_/adminconsole.properties

Please amend the entry for the auth.sso.start.url as follows:

auth.sso.start.url=${spatialserver.rest.baseurl}/managementconsole/?externalapp=y&relaystate=${adminconsole.externalUrl}/@{tenant}/security-check?TargetResource=@{originalUriEncoded}

Ensure that the entry for adminconsole.externalUrl in the following file is set to the correct HTTPS URL of either the Admin console node or the corresponding reverse proxy/front load balancer, if one is deployed.

<serverinstallationlocation>/customerconfigurations/_global_/shared.properties
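
A check that can be run over the three edited files before restarting, given here as an added example and not as code shipped with Spectrum Spatial Analyst: it reads properties text (honouring backslash line continuations) and reports an entry that is missing, cut short by an unescaped line break, or not HTTPS. The function names, the fragment list and the sample text (including the host name) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Fragments each entry must still contain after editing (from the values shown above).
REQUIRED = {
    "sso.start.url": ["/security-check?TargetResource=", 'insertLocale("&"))'],
    "auth.sso.start.url": ["externalapp=y&relaystate=${adminconsole.externalUrl}",
                           "/security-check?TargetResource=@{originalUriEncoded}"],
}

def parse_properties(text):
    """Minimal .properties reader: key=value, #/! comments, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
        elif line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sso_config(controller, adminconsole, shared):
    """Return a list of findings; an empty list means all three entries look sane."""
    findings = []
    merged = {**parse_properties(controller), **parse_properties(adminconsole)}
    for key, fragments in REQUIRED.items():
        value = merged.get(key)
        missing = [f for f in fragments if f not in (value or "")]
        if value is None:
            findings.append(f"{key}: entry missing")
        elif missing:
            findings.append(f"{key}: incomplete, lacks {missing} (unescaped line break?)")
    url = urlsplit(parse_properties(shared).get("adminconsole.externalUrl", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("adminconsole.externalUrl: must be an absolute https:// URL")
    return findings

# Constructed sample: admin value pasted with display line breaks, external URL left on HTTP.
SAMPLE_CONTROLLER = ('sso.start.url=#ognl("@spectrum_server/sso-integration/?externalapp=y&relaystate="'
                     '+requestAttributes["original_request_uri"]+"/security-check?TargetResource="'
                     '+urlEncode(requestAttributes["original_request_uri"])+insertLocale("&"))')
SAMPLE_ADMIN = ("auth.sso.start.url=${spatialserver.rest.baseurl}/managementconsole/\n"
                "?externalapp=y&relaystate=${adminconsole.externalUrl}/\n"
                "@{tenant}/security-check?TargetResource=@{originalUriEncoded}\n")
SAMPLE_SHARED = "adminconsole.externalUrl=http://analyst.example.com/adminconsole\n"

if __name__ == "__main__":
    print("\n".join(check_sso_config(SAMPLE_CONTROLLER, SAMPLE_ADMIN, SAMPLE_SHARED)) or "OK")
```

To check a real installation, pass the contents of controller.properties, adminconsole.properties and shared.properties in that order.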

Enabling Guest access

If you wish to enable guest access, ensure that you have completed the configuration described in Adding a Guest Role and User for Guest Access.

Managing Idle Session timeout

SSA, Spectrum platform and AD FS have separate session management. In SSA you can define the session inactivity period in the Settings tab of the administration console.
Note: For setting the inactivity period on Spectrum platform, refer to Manage AD FS session timeout properties. As a best practice, it is recommended to define all of these properties with the same timeout value.

Managing and mapping roles

For creating roles, please refer to Users and Roles used by Spectrum Spatial Analyst. After you have created the roles in Spectrum, you may need to map the roles to AD groups.
Note: For more details, refer to Mapping SSO_STS roles to Spectrum™ Technology Platform roles in the Spectrum administration guide.

Known Issues & Limitations

If you are logged in to Analyst and Admin Console and you sign out of one of the applications, your subsequent request to SSA may fail. To continue your work, please start a fresh session with SSA.