LDAP and SSO Configurations
The DSG depends on the ESA for user management. Users that are part of an organization's AD are configured with the ESA internal LDAP.
If your organization plans to implement SSO authentication across all the Protegrity appliances, then you must enable SSO on the ESA and the DSG. The DSG depends on the ESA for user and access management and it is recommended that user management is performed on the ESA.
Before you can configure SSO with the DSG, you must complete the prerequisites on the ESA.
For more information about completing prerequisites on the ESA, refer to the section Implementing SSO on DSG in the Protegrity Appliances Overview Guide 9.2.0.0.
After completing the prerequisites, configure SSO on the DSG nodes in the following order.
- Enable SSO on the DSG node.
- Configure the Web browser to add the site to trusted sites.
- Log in to the DSG appliance.
Enabling SSO on DSG
This section provides information about enabling SSO on the DSG nodes. It involves setting the ESA FQDN and enabling the SSO option.
Before SSO is enabled, ensure that the following prerequisite is completed.
- Ensure that the ESA FQDN is available.
To enable SSO on the DSG node:
1. Log in to the DSG Web UI.
2. Navigate to Settings > Users.
3. Click the Advanced tab.
4. In the Authentication Server field, enter the ESA FQDN.
5. Click Update to save the server details.
6. Click the Enable toggle switch to enable the Kerberos SSO.
7. Repeat step 1 to step 6 on all the DSG nodes in the cluster.
Configuring SPNEGO Authentication on the Web Browser
Before implementing Kerberos SSO for Protegrity appliances, you must ensure that the Web browsers are configured to perform SPNEGO authentication. The tasks in this section describe the configurations that must be performed on the Web browsers. The recommended Web browsers and their versions are as follows:
- Google Chrome version 84.0.4147.135 (64-bit)
- Mozilla Firefox version 79.0 (64-bit) or higher
- Microsoft Edge version 84.0.522.63 (64-bit)
The following sections describe the configurations on the Web browsers.
Configuring SPNEGO Authentication on Firefox
The following steps describe the configurations on Mozilla Firefox.
To configure SPNEGO authentication on the Firefox Web browser:
1. Open Firefox on the system.
2. Enter about:config in the URL.
3. Type negotiate in the Search bar.
4. Double-click the network.negotiate-auth.trusted-uris parameter.
5. Enter the FQDN of the appliance and exit the browser.
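To check the result of the Firefox steps above, the following added example (not part of the Protegrity documentation) reads the text of a profile's prefs.js and reports whether the appliance FQDN is covered by network.negotiate-auth.trusted-uris and which entries are wider than that one host. The FQDN dsg01.corp.example.com and the sample preferences are constructed, and the matching rule is a simplified assumption about how Firefox compares entries.

```python
import re

PREF = "network.negotiate-auth.trusted-uris"
# Constructed prefs.js content; dsg01.corp.example.com is a placeholder FQDN.
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "https://dsg01.corp.example.com, .example.com, https://");
'''

def read_trusted_uris(prefs_text):
    """Return the entries of the trusted-uris preference, or [] if it is unset."""
    m = re.search(r'user_pref\("%s",\s*"([^"]*)"\)' % re.escape(PREF), prefs_text)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]

def split_entry(entry):
    """Split an entry into (scheme, host); either part may be empty."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = "", entry
    host = rest.split("/")[0].split(":")[0].lstrip(".").lower()
    return scheme.lower(), host

def covers(entry, fqdn, scheme="https"):
    """Assumed rule: the entry host matches the FQDN exactly or as a domain
    suffix, and an entry with no host (a bare scheme) matches every host."""
    e_scheme, e_host = split_entry(entry)
    if e_scheme and e_scheme != scheme:
        return False
    fqdn = fqdn.lower()
    return e_host == "" or fqdn == e_host or fqdn.endswith("." + e_host)

def audit(prefs_text, appliance_fqdn):
    """Report whether the appliance is trusted and which matching entries
    also allow SPNEGO negotiation with hosts other than the appliance."""
    fqdn = appliance_fqdn.lower()
    entries = read_trusted_uris(prefs_text)
    matching = [e for e in entries if covers(e, fqdn)]
    return {
        "appliance_trusted": bool(matching),
        "wider_than_appliance": [e for e in matching if split_entry(e)[1] != fqdn],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, "dsg01.corp.example.com"))
```

Entries reported as wider than the appliance let the browser negotiate Kerberos with other hosts as well, so trimming the preference to the appliance FQDN keeps the trust scoped to the DSG.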
Configuring SPNEGO Authentication on Internet Explorer
The following steps describe the configurations on Internet Explorer 11.
To configure SPNEGO authentication on the Internet Explorer Web browser:
1. Open Internet Explorer on the machine.
2. Navigate to Tools > Internet options > Security.
3. Select Local intranet.
4. Enter the FQDN of the appliance under sites that are included in the local intranet zone.
5. Select Ok.
Configuring SPNEGO Authentication on Chrome
With Google Chrome, you must set the whitelist of servers that Chrome will negotiate with. If you are using a Windows machine to log in to the appliances, then the configurations entered in other browsers are shared with Chrome. You need not add a separate configuration.
Logging in to the Appliance
After configuring the required SSO settings, you can log in to the DSG using SSO.
To log in to the DSG using SSO:
1. Open the Web browser and enter the FQDN of the DSG in the URL.
   The login screen appears.
2. Click Sign in with SSO.
   The Dashboard of the DSG appliance appears.