Identacor Desktop SSO Overview
Identacor includes an integration with Active Directory called Desktop Single Sign On (SSO). This means that a user signed in to your Active Directory domain can sign in to Identacor simply by navigating to the Identacor app. The following explains the Desktop SSO process and shows you how to install and configure the Identacor Desktop SSO Agent.
Desktop SSO Authentication Process
- A user's browser navigates to your Identacor subdomain: https://company.startsso.com
- Identacor detects the IP address of the requesting browser and checks for a match in your Desktop SSO configuration range.
- If Desktop SSO is enabled and the user's IP address matches the IP range configured in the Desktop SSO configuration settings, Identacor starts the Desktop SSO process by redirecting to your IIS server.
- If the IP of the requesting browser does not match, the user is directed to the login page.
- The IIS auth script authenticates the user either by Windows domain credentials or by a username and password that the user types in.
- The user is authenticated to Active Directory by IIS and IIS redirects back to Identacor with the user's identity information (email address included).
- Identacor authenticates the user based on the email address.
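The IP gate in the steps above only chooses between the Desktop SSO redirect and the login page; authentication itself still happens at IIS against Active Directory. The following is an added example of that routing decision, not Identacor's own code. The inclusive start/end range format, the sample addresses, the `/login` path, the IIS URL and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (assumption): documentation-range
# addresses and URLs, not values taken from an Identacor deployment.
SAMPLE_CONFIG = {
    "enabled": True,
    "range_start": "203.0.113.10",
    "range_end": "203.0.113.40",
    "iis_url": "https://sso.example.com/agent",  # hypothetical IIS server URL
}

LOGIN_PAGE = "/login"  # hypothetical path of the normal login page


def in_allowed_range(client_ip, start, end):
    """True only if client_ip parses and lies within [start, end] inclusive."""
    try:
        ip = ipaddress.ip_address(str(client_ip).strip())
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end)
    except ValueError:
        return False  # malformed address or range: fail closed
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as the
    # IPv4 address it carries, so dual-stack listeners match consistently.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Addresses of different IP versions cannot be ordered; treat as no match.
    if not (ip.version == lo.version == hi.version):
        return False
    return lo <= ip <= hi


def route_request(client_ip, config):
    """Return where the browser is sent next: the IIS agent or the login page."""
    if not config.get("enabled"):
        return LOGIN_PAGE
    if in_allowed_range(client_ip, config["range_start"], config["range_end"]):
        # The match only selects the flow; IIS still authenticates the user.
        return config["iis_url"]
    return LOGIN_PAGE


if __name__ == "__main__":
    for addr in ("203.0.113.20", "203.0.113.41", "::ffff:203.0.113.20", "bogus"):
        print(addr, "->", route_request(addr, SAMPLE_CONFIG))
```

Anything that does not parse or falls outside the range goes to the login page, which matches the fallback described in the steps above.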
1. Installation and Configuration Steps
- Windows Server 2008 R2 server
- Internet Information Services (IIS) 6.0 or higher
- Microsoft .NET Framework 4
2. Installation - Identacor Desktop SSO Agent
Navigate to the Desktop SSO Management page, e.g., https://company.startsso.com//Admin/DesktopSSO.
3. Desktop SSO Settings
Clients using Desktop SSO will be allowed access through IP address authentication.
Enter the allowed client IP address range. When Identacor detects an IP address in the allowed range, it will use Windows Authentication to check Active Directory.
You will need to enter the IIS server URL that will be used to access the Desktop SSO agent.
You will also need to generate and note down the token that will be required for the Desktop SSO agent configuration.
Download the Identacor Desktop SSO agent by clicking on the download link below. Once you have saved the installer, move it to your IIS server. Your IIS server must be accessible from the internet and from your Active Directory.
4. Desktop SSO Installation
From your IIS server, open Windows Explorer and navigate to the location of the MSI file.
Right-click the file and select Open.
Click Run to continue. Note: the Open File Security Warning appears when you open or run a file on your computer that was downloaded from the internet or from another computer.
Follow the onscreen instructions to finish installing and configuring the Identacor Desktop SSO agent. Click Next to continue.
To install the Desktop SSO agent, you must accept the license agreement. Select the I Agree option and click Next.
On the Welcome step of the wizard, click Next to start the installation.
To enter the token, copy and paste the authentication token from the Desktop SSO settings page.
Enter the Identacor domain that you want to set up Desktop SSO for.
Enter the administrative credentials of the account under which you want to run the Identacor Desktop SSO agent and service. The username should be specified in User Principal Name (UPN) format.
The installation begins.
When the installation completes, click Next to exit the setup wizard.
The Identacor Desktop SSO Agent service is now started.
5. Browser Compatibility
To use Desktop SSO, NTLM authentication may need to be enabled in your browser. NTLM is already supported in Safari, Chrome and Internet Explorer.
NTLM authentication in Firefox is supported with the following configuration.
6. Desktop SSO Testing Procedure
On your computer, open Internet Explorer. Navigate to your Identacor login page URL, e.g., https://company.startsso.com. You should land on the Identacor Application Portal page.