Applies to NAM 2018+
This is a broad overview of how single sign-on (SSO) works in your NAM deployment. If you are deploying NAM and configuring SSO, start with SSO network configuration requirements to make sure your network and your NAM deployment are ready for SSO.
NAM sign-on is now much simpler.
Before NAM 2018, you had to sign on to each component separately: first to the NAM Console and then separately to each NAM Server or other NAM component in your deployment.
Now you sign on just once to any NAM component and you are transparently granted access to the other components in the deployment.
- For terminology help, see SSO terminology.
- If you are a DC RUM user coming to NAM 2018, see How user authentication has evolved in NAM to orient yourself to NAM 2018 authentication.
In the default configuration, the latest NAM uses SAML 2.0 to manage user credentials within your NAM deployment. The IdP is your NAM Console, and all sign-on activity from your NAM Servers goes through your NAM Console. Starting with NAM 2018, this is the minimal SSO configuration.
Console sign-on in default configuration:
Server sign-on in default configuration:
In this configuration, when you sign on to any component in your deployment (NAM Console or a NAM Server), you enter a user name and password and then manage the component. From your point of view, this is apparently the way NAM (formerly DC RUM) has always behaved. But behind the scenes, every sign-on request is forwarded to the NAM Console.
You feel the difference when you go to manage other components in your deployment. In earlier releases, you had to provide separate credentials for the NAM Console and for each NAM Server in your deployment. Now you need to sign on just once (that's why it's called "single sign-on") to one of those components. When you go to manage any other component after that, NAM gives you immediate access because you already signed on for the first component, and those credentials were passed to the NAM Console.
Why you might want to stay with the default configuration:
It requires little configuration and it is totally transparent to you at sign-on. Just use NAM starting with release 2018, and make sure you follow the SSO network configuration requirements.
The default uses no links outside NAM.
If your work environment does not permit an external IdP, the default is the correct option for you. All SSO traffic is limited to communication between the NAM components in your deployment. There is no external site involved (unless you install a NAM component externally).Note
Because default SSO is managed by the NAM Console, it still requires communication traffic between the NAM Console and any other components in your deployment.
Optional: SSO with external IdP
If you choose to, you can configure NAM to instead use an external "identity provider" ("IdP"). The external service would then provide SSO for your NAM deployment.
Console sign-on with external IdP:
Server sign-on with external IdP:
In this configuration, when you sign on to a NAM Server, your sign-on request is still passed to the NAM Console as in the default configuration, but now the NAM Console passes the authentication request to the external provider for authentication.
See Using an external identity provider for configuration details.