Single Sign-On is designed to restrict users from using different PCs with the same user name. It is transparent to the user; there are no specific messages associated with it. When registering a new farm or editing an existing farm that has Windows Authentication selected, the following message is displayed if authentication fails: Windows Authentication Failed. You must enter the user and the password.
SSO works alongside the current/existing Symphony authentication process. Windows authentication is more secure than Symphony authentication; it makes use of the built-in Windows security system. Communication between client and server is made through a WSE 3.0 SOAP Web Service.
If users need their registered farms available on any machine on the domain, they must enable roaming user profiles (Windows). Symphony does not support cross-domain authentication for SSO.
1. When Symphony Client connects to a farm, it creates a security token based on the identity of the currently logged-in Windows user; the user MUST have logged in with a domain account.
2. The security token is sent to the farm/server for authentication.
3. Farm/server verifies that the token is valid and determines the domain account associated with it.
4. Upon success, farm/server sends a session ID back to the client.
5. On failure, the client’s farm state changes to Unauthorized.
6. In case of failure, the user can log in using Symphony credentials:
a. In Symphony Client, right-click your farm in Server List.
b. Select Edit. The Server Login Information dialog box opens.
c. Disable single sign-on: clear the Windows Authentication check box.
d. Click OK.
e. Enter user name and password.
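The six steps above describe a token exchange and a small state machine: a token is derived from the logged-on identity, the farm verifies it and maps it to a domain account, and the client ends up either holding a session ID or in the Unauthorized state. The following Python is an added illustration of that flow, not Symphony or Aimetis code: the real client builds a Windows security token and sends it over WSE 3.0, whereas here the token is an HMAC over the identity with a key shared by client and farm so the exchange can be run offline. The domain name CORP, the shared key, the account names and the "Connected" success label are all constructed for the example.

```python
"""Toy model of the single sign-on exchange: token -> verification -> session ID.

Added example, not Symphony code. The HMAC 'token' stands in for the Windows
security token; the farm's shared key stands in for its trust in the domain.
Every name and value here is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FARM_DOMAIN = "CORP"                       # constructed domain name
SHARED_KEY = b"example-only-shared-key"    # constructed; models the domain trust


@dataclass
class LogonIdentity:
    """What the client knows about the currently logged-on Windows user."""
    account: str          # "CORP\\alice" (domain logon) or "PC01\\alice" (local logon)
    is_domain_user: bool


def _mac(domain: str, user: str) -> str:
    return hmac.new(SHARED_KEY, f"{domain}\\{user}".encode(), hashlib.sha256).hexdigest()


def make_token(identity: LogonIdentity) -> Optional[Dict[str, str]]:
    """Step 1: build the token from the logged-on identity.

    A local logon carries no domain identity, so no token can be built and
    single sign-on is unavailable; the user falls back to Symphony credentials.
    """
    if not identity.is_domain_user:
        return None
    domain, _, user = identity.account.partition("\\")
    return {"domain": domain, "user": user, "mac": _mac(domain, user)}


class Farm:
    """Steps 3 and 4: verify the token, map it to an account, issue a session ID."""

    def __init__(self, domain: str = FARM_DOMAIN) -> None:
        self.domain = domain
        self.sessions: Dict[str, str] = {}   # session ID -> DOMAIN\user

    def authenticate(self, token: Dict[str, str]) -> Optional[str]:
        # Reject a forged or altered token before trusting anything in it.
        if not hmac.compare_digest(_mac(token["domain"], token["user"]), token["mac"]):
            return None
        # Cross-domain SSO is not supported: the identity must come from this realm.
        if token["domain"].upper() != self.domain.upper():
            return None
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = f"{token['domain']}\\{token['user']}"
        return session_id


def connect(identity: LogonIdentity, farm: Farm) -> Tuple[str, Optional[str]]:
    """Steps 1 to 5 end to end: returns (farm state, session ID or None).

    "Connected" is a constructed label for the success state; the text names
    only the failure state, Unauthorized.
    """
    token = make_token(identity)
    if token is None:
        return "Unauthorized", None
    session_id = farm.authenticate(token)
    if session_id is None:
        return "Unauthorized", None
    return "Connected", session_id


if __name__ == "__main__":
    farm = Farm()
    print(connect(LogonIdentity("CORP\\alice", True), farm))    # domain user: Connected
    print(connect(LogonIdentity("PC01\\alice", False), farm))   # local logon: Unauthorized
    print(connect(LogonIdentity("OTHER\\bob", True), farm))     # other domain: Unauthorized
```

Running it shows the three outcomes the text calls out: a domain logon on the farm's own domain receives a session ID, a local logon never produces a token, and an identity from a different domain is rejected even though its token is intact.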
Multiple Symphony Clients on a single Windows login (each registered with a different user) are needed to run Live Ban. As such, Single Sign On will not be available for Video Walls when also running Live Ban.
The Single Sign On feature uses the client’s domain identity to authenticate to the server; therefore, the client and the server must be in the same security realm. As such, the Single Sign On feature is available only when:
• Client and server machines are logged on to the same domain, and
• The user logs on to the client machine as a domain user by using the domain credentials. (A user can log on to a machine locally in which case the Single Sign On feature is not available.)
On domains controlled by Windows Server 2008 (or later) and clients running Vista/Windows 7:
• AES256_HMAC_SHA1 encryption must be disabled because it cannot be handled by the WSE 3.0 used by Single Sign On. This policy must be enforced by the domain controller and must be set by the IT personnel in charge of the domain.
To configure single sign-on, complete the following two tasks:
• Task 1: In Symphony Client (or manually), enable single sign-on.
• Task 2: In Symphony Client, change the storage path for the farm registration to a network server.
Task 1: In Symphony Client (or manually) enable single-sign on
To enable or disable single sign-on in Symphony Client:
1. In Symphony Client, right-click your farm in the Server List.
2. Select Edit. The Server Login Information dialog box opens.
• To enable single sign-on, select the Windows Authentication check box.
• To disable single sign-on, clear the Windows Authentication check box.
3. Click OK.
To enable single sign-on manually:
1. Edit %APPDATA%\Aimetis\RegisteredFarms.xml.
Example:
<RegisteredFarms>
  <Farm ID="74083">
    <Encryption>6.2</Encryption>
    <Alias>10.234.10.76</Alias>
    <SpecifiedAddress>10.234.10.76</SpecifiedAddress>
    <UserName>MVYlTEIRRUhQ</UserName>
    <Password>kjdflasdkjflakj</Password>
    <UseWindowsAuthentication>false</UseWindowsAuthentication>
    <Addresses>
      <Address>
        <SpecifiedAddress>10.222.10.73</SpecifiedAddress>
        <IP>10.222.10.73</IP>
        <Port>50001</Port>
      </Address>
    </Addresses>
  </Farm>
</RegisteredFarms>
2. Under <Farm ID="number">:
• To enable single sign-on, set
<UseWindowsAuthentication>true</UseWindowsAuthentication>
• To disable single sign-on, set
<UseWindowsAuthentication>false</UseWindowsAuthentication>
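The manual procedure amounts to changing one element of one <Farm> entry while leaving everything else in RegisteredFarms.xml intact. The Python below is an added example of doing that edit safely, not Aimetis code: it locates the farm by its ID attribute, refuses to act on an unknown ID so a typo cannot leave SSO in its previous state unnoticed, and writes only the UseWindowsAuthentication element. The sample document is the example farm from the text, embedded so the script runs offline; the default path is the %APPDATA%\Aimetis\RegisteredFarms.xml location the text gives.

```python
"""Enable or disable single sign-on for one farm in RegisteredFarms.xml.

Added example, not Symphony code. Parses the file, sets
<UseWindowsAuthentication> for the farm whose ID attribute matches, and
returns the updated document; update_file() applies it to a file on disk.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional

# The example farm from the documentation, embedded so the script runs offline.
SAMPLE_XML = """<RegisteredFarms>
  <Farm ID="74083">
    <Encryption>6.2</Encryption>
    <Alias>10.234.10.76</Alias>
    <SpecifiedAddress>10.234.10.76</SpecifiedAddress>
    <UserName>MVYlTEIRRUhQ</UserName>
    <Password>kjdflasdkjflakj</Password>
    <UseWindowsAuthentication>false </UseWindowsAuthentication>
    <Addresses>
      <Address>
        <SpecifiedAddress>10.222.10.73</SpecifiedAddress>
        <IP>10.222.10.73</IP>
        <Port>50001</Port>
      </Address>
    </Addresses>
  </Farm>
</RegisteredFarms>
"""


def default_path() -> str:
    """The location Symphony Client reads, per the documentation."""
    return os.path.join(os.environ.get("APPDATA", ""), "Aimetis", "RegisteredFarms.xml")


def _farm_xpath(farm_id: str) -> str:
    # Farm IDs are numeric; refusing anything else keeps the XPath predicate literal.
    if not farm_id.isdigit():
        raise ValueError(f"farm ID must be numeric, got {farm_id!r}")
    return f"./Farm[@ID='{farm_id}']"


def windows_auth_enabled(xml_text: str, farm_id: str) -> Optional[bool]:
    """Current setting for the farm, or None when the farm or element is absent.

    Tolerates the trailing whitespace seen in the documentation's example.
    """
    root = ET.fromstring(xml_text)
    node = root.find(_farm_xpath(farm_id) + "/UseWindowsAuthentication")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def set_windows_auth(xml_text: str, farm_id: str, enabled: bool) -> str:
    """Return the document with <UseWindowsAuthentication> set for farm_id.

    Raises KeyError for an unregistered farm ID rather than silently doing nothing.
    """
    root = ET.fromstring(xml_text)
    farm = root.find(_farm_xpath(farm_id))
    if farm is None:
        raise KeyError(f"farm {farm_id} is not registered")
    node = farm.find("UseWindowsAuthentication")
    if node is None:
        node = ET.SubElement(farm, "UseWindowsAuthentication")
    node.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


def update_file(path: str, farm_id: str, enabled: bool) -> None:
    """Apply set_windows_auth() to a RegisteredFarms.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text = set_windows_auth(text, farm_id, enabled)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)


if __name__ == "__main__":
    print(set_windows_auth(SAMPLE_XML, "74083", True))
```

To change a real client, call update_file(default_path(), "74083", True) while Symphony Client is closed, then reopen it; the text's note that registrations can live on a network server applies equally here, so point update_file at the custom path if one is configured.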
Task 2: In Symphony Client, change the storage path for the farm registration to a network server
To ensure that farm registration information is stored on a network server:
1. From the View menu, select Settings. The Symphony Client Settings dialog box opens.
2. Click the Global tab.
3. Select the Custom path to farm registration check box.
4. In the field that follows, enter the path on the network where the registration information will be stored for all roaming users.
• The network server storing all the farm registrations must be accessible from all Clients.
• This is a global setting. All users that log in to this Client will use this setting. Use the %WINUSER% variable when configuring this path so that each user has a unique path where the farm registration is stored. The user must have Windows "modify" rights to this folder. This is set only once on each Client machine.
It is a security risk to have multiple users share a farm registration.
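Because the custom path is set once per client and applies to every user who logs in, the two properties the text requires (a network location reachable from all clients, and a %WINUSER% component so no two users resolve to the same folder) are worth checking before the value is typed into the Global tab. The Python below is an added helper for that check, not Symphony code; the server, share and user names are constructed. It treats paths case-insensitively, as NTFS does, so "Alice" and "alice" count as the same folder.

```python
"""Validate a custom farm-registration path template before applying it.

Added example, not Symphony code. Expands %WINUSER% for a set of users and
reports whether the template is a network (UNC) path and whether every user
ends up with a distinct folder; a shared folder is the risk the text warns about.
"""
import ntpath
import re
from typing import Dict, Iterable

WINUSER = re.compile(r"%WINUSER%", re.IGNORECASE)


def expand(template: str, user: str) -> str:
    """Substitute the user name for %WINUSER% and normalise the Windows path."""
    # A lambda avoids backslash-escape handling in the replacement string.
    return ntpath.normpath(WINUSER.sub(lambda _m: user, template))


def is_network_path(path: str) -> bool:
    """True for a UNC path such as \\\\server\\share\\..., which is what the text requires."""
    drive, _rest = ntpath.splitdrive(path)
    return drive.startswith("\\\\")


def check_template(template: str, users: Iterable[str]) -> Dict[str, object]:
    """Report on one template for the given users (constructed names in the demo)."""
    per_user = {u: expand(template, u) for u in users}
    folded = {p.casefold() for p in per_user.values()}   # NTFS is case-insensitive
    return {
        "per_user": per_user,
        "network": is_network_path(template),
        "has_winuser": WINUSER.search(template) is not None,
        "per_user_unique": len(folded) == len(per_user),
    }


if __name__ == "__main__":
    users = ["alice", "bob"]                                   # constructed
    for tmpl in (r"\\fileserver\farms\%WINUSER%",              # good
                 r"\\fileserver\farms\shared",                 # every user shares one folder
                 r"C:\farms\%WINUSER%"):                       # local, not reachable by other clients
        print(tmpl, check_template(tmpl, users))
```

Only the first template passes on both counts; the second is exactly the shared-registration case the text calls a security risk, and the third is per-user but lives on the local disk, so other clients cannot reach it.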