Managing Single Sign On options
Automatic login to aPriori allows users to authenticate once and thereafter start aPriori without the need for re-entering username and password, for as long as the authentication is valid. As of Release 2018 R1, aPriori Professional provides two approaches to automatic logins:
Through LDAP authentication with Kerberos (see LDAP Authentication earlier in this chapter)
By enabling the Allow Single Sign On checkbox at the top of the aPriori System Administrator Users tab (see the rest of this section)
Note: Prior to Release 2018 R1, aPriori automatically logged users in if their aPriori credentials matched their Windows credentials. This default behavior (and any other automatic log in approach that may have been implemented for your installation) has been discontinued as of 2018 R1 and should be replaced by the current approaches.
Single Sign On (SSO) allows a user to log into their computer once and then log into other applications and data sources to which they have access, without the need to re-enter their credentials each time. For example, a user can log into the Windows operating system on their laptop, and then start aPriori without an additional login.
aPriori SSO requires that your environment uses Active Directory with Kerberos authentication caching enabled (typical for a modern Windows environment).
To enable or disable SSO, use the Allow Single Sign On checkbox at the top of the Users tab. This setting is enabled (checked) by default.
[Image: Users tab of the aPriori System Administrator, with an arrow pointing to the Allow Single Sign On checkbox]
Once SSO is enabled, the exact behavior your users will see when starting aPriori depends on how they log into your company’s authentication environment. Here are three common environments:
Domain Login – The user logs into their laptop (working from the office, or at home and logged into the company’s VPN). In this case their credentials are validated using Windows Authentication (Kerberos + Active Directory). When they start aPriori, it retrieves the logged-in user ID from the Windows operating system, uses that ID to find a valid cached Kerberos ticket, and then validates that the user is a licensed user in the aPriori user database. This works only if the user’s aPriori login ID matches their Windows username.
Local Login – The user logs into their laptop (working at home but not logged into the VPN). In this case their credentials are authenticated by the local system using the SAM (Security Accounts Manager). When they try to start aPriori, it will not find a valid Kerberos ticket. The aPriori login screen appears and the user is required to enter their username and password.
Note: This description is a little over-simplified. There are situations where a user can log in successfully as an SSO user to aP Professional even when disconnected from the VPN and fully disconnected from the network. If they had connected earlier and obtained a valid Kerberos ticket (and their DB is local to their install), they may be able to log in again without connecting through the VPN if the ticket has not yet expired (typically 10 hours).
Remote Login – The user uses Remote Desktop Connection to log in to another computer or VM within the company’s firewall. In this case the remote system is on the internal network and the credentials the user enters when logging in remotely will be authenticated through the domain controller. This behaves the same as Domain Login above: when the user starts aPriori, they do not need to re-enter their credentials.
Note: Remote Desktop users should sign off rather than disconnect from the Remote Desktop Connection. A disconnect can result in zero cached tickets for the next login to the Remote Desktop, causing SSO to behave unexpectedly for the user.
Note: You should educate your users that when they work remotely, they must be logged into the company VPN or else they will typically need to enter their aPriori credentials. This can be confusing to users who only rarely work remotely, since they typically do not need to enter aPriori credentials and may not even remember them when they are unexpectedly prompted for them.
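The three environments above all come down to one question: does the Windows logon session hold a valid, unexpired Kerberos ticket-granting ticket (TGT), and does the Windows username match the aPriori login ID? The following PowerShell script is an added help-desk diagnostic, not part of aPriori or its documentation. It reads the ticket cache with the standard Windows `klist` command and reports which of the states described above (domain login with a usable ticket, local SAM login with no TGT, an expired ticket, or an empty cache after a Remote Desktop disconnect) applies. The function names, the `jdoe`/`CORP.EXAMPLE.COM` principal and the sample `klist` text are constructed for the demonstration; the date format in the sample assumes an en-US locale, since `klist` prints timestamps in the current culture's format.

```powershell
# Added diagnostic (not aPriori's own tooling): inspects the Kerberos ticket
# cache that aPriori SSO depends on and explains why a user will or will not
# be logged in automatically.

function Get-KerberosTgtStatus {
    param(
        # Raw klist output. Defaults to the current logon session; a captured
        # or constructed sample can be passed in for offline testing.
        [string[]]$KlistOutput = (& klist.exe 2>&1),
        [datetime]$Now = (Get-Date)
    )
    $text = $KlistOutput -join "`n"

    # "Cached Tickets: (0)" is the state a disconnected Remote Desktop session
    # can leave behind; aPriori then falls back to its login screen.
    if ($text -match 'Cached Tickets:\s*\((\d+)\)' -and [int]$Matches[1] -eq 0) {
        return [pscustomobject]@{ State = 'NoTickets'; Expires = $null; Principal = $null }
    }

    # One block per ticket ("#0>", "#1>", ...); the TGT is the one whose
    # server principal is krbtgt/REALM.
    foreach ($block in ($text -split '(?m)^#\d+>')) {
        if ($block -notmatch 'Server:\s*krbtgt/') { continue }
        $principal = if ($block -match 'Client:\s*(\S+)\s*@\s*(\S+)') { "$($Matches[1])@$($Matches[2])" } else { $null }
        if ($block -match 'End Time:\s*([^\r\n(]+?)\s*\(') {
            # klist prints the timestamp in the current locale's format, and
            # [datetime]::Parse reads it back with the same culture.
            $end = [datetime]::Parse($Matches[1].Trim())
            $state = if ($end -gt $Now) { 'ValidTgt' } else { 'ExpiredTgt' }
            return [pscustomobject]@{ State = $state; Expires = $end; Principal = $principal }
        }
    }
    # Tickets exist but none is a TGT: typical of a local (SAM) logon.
    return [pscustomobject]@{ State = 'NoTgt'; Expires = $null; Principal = $null }
}

function Test-APrioriSsoReadiness {
    param(
        [Parameter(Mandatory)][string]$APrioriLoginId,   # user's ID in the aPriori user database
        [string]$WindowsUser = $env:USERNAME,             # overridable so the sample below is deterministic
        [string[]]$KlistOutput = (& klist.exe 2>&1),
        [datetime]$Now = (Get-Date)
    )
    $tgt = Get-KerberosTgtStatus -KlistOutput $KlistOutput -Now $Now
    $idMatches = $APrioriLoginId -ieq $WindowsUser

    $verdict = switch ($tgt.State) {
        'ValidTgt' {
            if ($idMatches) { "SSO expected: valid TGT for $($tgt.Principal) until $($tgt.Expires)." }
            else { "SSO will prompt: Windows user '$WindowsUser' does not match aPriori login ID '$APrioriLoginId'." }
        }
        'ExpiredTgt' { "SSO will prompt: TGT expired at $($tgt.Expires); user must reconnect to the domain or VPN." }
        'NoTgt'      { "SSO will prompt: no TGT in the cache (local SAM logon, or not connected to the domain/VPN)." }
        'NoTickets'  { "SSO will prompt: ticket cache is empty (often after a Remote Desktop disconnect); sign off and log in again." }
    }
    [pscustomobject]@{ TicketState = $tgt.State; LoginIdMatches = $idMatches; Verdict = $verdict }
}

# Constructed sample of klist output (not captured from a real system): a
# domain-logon session holding a TGT that is still valid at the chosen $Now.
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: jdoe @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/15/2018 9:00:00 (local)
        End Time:   1/15/2018 19:00:00 (local)
        Renew Time: 1/22/2018 9:00:00 (local)
'@

# Offline run against the sample: reports ValidTgt / LoginIdMatches = True.
Test-APrioriSsoReadiness -APrioriLoginId 'jdoe' -WindowsUser 'jdoe' -KlistOutput $sampleKlist -Now ([datetime]'2018-01-15T12:00:00')

# Same check against the live logon session of the user reporting the problem:
# Test-APrioriSsoReadiness -APrioriLoginId 'jdoe'
```

Run the live form from the user's own interactive session (not an elevated or different logon session, since each Windows logon session has its own ticket cache). A result of `NoTickets` on a Remote Desktop host corroborates the sign-off-versus-disconnect note above, while `ExpiredTgt` with an end time roughly ten hours after the user's last domain connection matches the ticket-lifetime behaviour described for off-VPN use.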