Single sign-on (SSO)

Applies to NAM 2018

This is a broad overview of how single sign-on (SSO) works in your NAM deployment. If you are deploying NAM and configuring SSO, start with SSO network configuration requirements to make sure your network and your NAM deployment are ready for SSO.

NAM sign-on is now much simpler.

Before NAM 2018, you had to sign on to each component separately: first to the NAM Console and then separately to each NAM Server or other NAM component in your deployment.

Now you sign on just once to any NAM component and you are transparently granted access to the other components in the deployment.

Default configuration

In the default configuration, the latest NAM uses SAML 2.0 to manage user credentials within your NAM deployment. The IdP is your NAM Console, and all sign-on activity from your NAM Servers goes through your NAM Console. Starting with NAM 2018, this is the minimal SSO configuration.

Console sign-on in default configuration:
NAM Console authentication: internal

Server sign-on in default configuration:
NAM Server authentication: internal

In this configuration, when you sign on to any component in your deployment (NAM Console or a NAM Server), you enter a user name and password and then manage the component. From your point of view, this appears to be the way NAM (formerly DC RUM) has always behaved. But behind the scenes, every sign-on request is forwarded to the NAM Console.

You notice the difference when you go to manage other components in your deployment. In earlier releases, you had to provide separate credentials for the NAM Console and for each NAM Server in your deployment. Now you need to sign on just once (that's why it's called "single sign-on") to one of those components. When you go to manage any other component after that, NAM gives you immediate access, because you already signed on to the first component and those credentials were passed to the NAM Console.

Why you might want to stay with the default configuration:

  • It requires little configuration and it is totally transparent to you at sign-on. Just use NAM starting with release 2018, and make sure you follow the SSO network configuration requirements.

  • The default uses no links outside NAM.
    If your work environment does not permit an external IdP, the default is the correct option for you. All SSO traffic is limited to communication between the NAM components in your deployment. There is no external site involved (unless you install a NAM component externally).

    Note

    Because default SSO is managed by the NAM Console, it still requires communication traffic between the NAM Console and any other components in your deployment.

Optional: SSO with external IdP

If you choose to, you can configure NAM to use an external identity provider (IdP) instead. The external service then provides SSO for your NAM deployment.

Console sign-on with external IdP:
NAM Console authentication: external

Server sign-on with external IdP:
NAM Server authentication: external

In this configuration, when you sign on to a NAM Server, your sign-on request is still passed to the NAM Console as in the default configuration, but now the NAM Console passes the authentication request to the external provider for authentication.
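The following is an added illustration of the SAML 2.0 pattern the two configurations above describe, not NAM's own code: one identity provider checks the password a single time, and every other component (a SAML service provider) accepts a signed assertion instead of a password, after checking it. The model separates the IdP role from the components being signed on to, whereas in NAM the Console hosts the IdP; the entity IDs, user name, password and the HMAC used as a stand-in for the XML signature are all constructed for the example. The checks in `consume` are the ones a service provider must perform before trusting an assertion (signature, issuer, audience, request binding, validity window, replay).

```python
"""Model of the SAML 2.0 single sign-on exchange: one IdP verifies the
password once and issues signed assertions; each SP accepts an assertion
only after the checks below. Illustrative only: a real IdP signs XML with
XML-DSig; here an HMAC over the assertion fields stands in for that."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed key shared between the model IdP and its SPs (stand-in for the
# IdP signing certificate that a real SP would pin).
IDP_KEY = b"constructed-idp-signing-key"
IDP_ENTITY_ID = "https://idp.example.test"  # assumed identifier


def _sign(body):
    """Stand-in for XML-DSig: keyed hash over a canonical form of the body."""
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_KEY, canon, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, users):
        # users: constructed {user: password}; stored hashed, never compared raw
        self.users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self.sessions = set()  # users who have already signed on (the "single" sign-on)

    def authn(self, user, password, audience, request_id, now):
        """Verify the password once, then issue a signed assertion for `audience`."""
        if user not in self.sessions:
            digest = hashlib.sha256((password or "").encode()).hexdigest()
            if not hmac.compare_digest(digest, self.users.get(user, "")):
                return None  # bad credentials: no assertion is issued
            self.sessions.add(user)
        body = {
            "id": secrets.token_hex(8),
            "issuer": IDP_ENTITY_ID,
            "subject": user,
            "audience": audience,
            "in_response_to": request_id,
            "not_before": now,
            "not_on_or_after": now + 300,
        }
        return {"body": body, "sig": _sign(body)}


class ServiceProvider:
    """A component that trusts the IdP (stand-in for a NAM Server)."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pending = set()          # request IDs we issued and have not consumed
        self.seen_assertions = set()  # replay cache of accepted assertion IDs

    def start_login(self):
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, assertion, now):
        """Return the subject if the assertion passes every check, else None."""
        body, sig = assertion["body"], assertion["sig"]
        if not hmac.compare_digest(sig, _sign(body)):
            return None  # forged or tampered
        if body["issuer"] != IDP_ENTITY_ID:
            return None  # not from the trusted IdP
        if body["audience"] != self.entity_id:
            return None  # minted for a different SP
        if body["in_response_to"] not in self.pending:
            return None  # unsolicited, or request already consumed
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return None  # outside the validity window
        if body["id"] in self.seen_assertions:
            return None  # replayed assertion
        self.pending.discard(body["in_response_to"])
        self.seen_assertions.add(body["id"])
        return body["subject"]


def demo(now=None):
    """Sign on to one component with a password, then to a second without one."""
    now = int(time.time()) if now is None else now
    idp = IdentityProvider({"alice": "correct horse"})  # constructed account
    console = ServiceProvider("https://console.example.test")
    server = ServiceProvider("https://server1.example.test")
    first = console.consume(idp.authn("alice", "correct horse", console.entity_id,
                                      console.start_login(), now), now)
    # Second component: no password; the IdP reuses alice's existing sign-on.
    a2 = idp.authn("alice", None, server.entity_id, server.start_login(), now)
    second = server.consume(a2, now)
    replay = server.consume(a2, now)  # same assertion again must be rejected
    return first, second, replay


if __name__ == "__main__":
    print(demo())  # ('alice', 'alice', None)
```

The point for a deployment is that the password is verified in exactly one place, so the security of every component rests on the IdP's checks and on each component refusing assertions that fail any of the checks in `consume`; the replay rejection at the end shows why the assertion ID cache and request binding matter even when the signature is valid.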

See Using an external identity provider for configuration details.

More on SSO in NAM