Document toolboxDocument toolbox

(12.5-en) Single Sign-On in IGEL OS 12

Single Sign-On (SSO) is an authentication method that can be used via a cloud-based identity provider (IdP) to access the local device and apps. This article describes the options used for configuring SSO in IGEL OS.

See (12.5-en) How to Configure Single Sign-On (SSO) on IGEL OS 12 for a detailed description of the entire SSO configuration process.


Menu path: Security > Logon > Single Sign-On

0f091b60-b62c-4c2c-8e5c-50d1ef68aeed.png

 

 

Single Sign-On with identity provider

☑ SSO is used as the authentication method. 

To have a fallback option if something goes wrong with SSO, e.g. a network failure, it is recommended to configure local login in addition under Security > Logon > Local User. For more information, see (12.5-en) Local User Login in IGEL OS 12 .

☐ SSO is not used. (Default)

 

Identity provider

The identity provider used for the SSO configuration.

Possible options:

  • Microsoft Entra ID

  • Okta

  • OpenID Connect

  • Ping Identity | PingOne

  • VMware Workspace ONE Access

Identity Provider Is Set to "Microsoft Entra ID"

Microsoft Entra ID

The value you have obtained as Directory (tenant) ID in the Microsoft Entra ID Portal.

Application (client) ID

The value you have obtained as Application (client) ID in the Microsoft Entra ID Portal.

 

Client secret

The client secret that was created in the Microsoft Entra ID Portal. 

 

Identity Provider Is Set to "Okta"

Okta URL

The URL of the Okta identity provider.

 

Client ID

The client ID that was created in Okta.

 

Client secret

This is a value created by the identity provider. The value can be copied from the Identity Provider Admin Console.

Identity Provider Is Set to "OpenID Connect"

This option can be used for various identity providers that support OpenID Connect.

Issuer URL

The URL at the identity provider's site where the OpenID configuration document for your application can be found. This is the part of the path that precedes /.well-known/openid-configuration

 

Client ID

The client ID that is registered in your identity provider.

 

Client secret

The client secret that has been created by your identity provider.

Identity Provider Is Set to "Ping Identity | PingOne"

PingOne issuer URL

The URL at the Ping Identity / PingOne site where the OpenID configuration document for your application can be found. This is the part of the path that precedes /.well-known/openid-configuration

 

Client ID 

The client ID that is registered in Ping Identity / PingOne for your application.

 

Client secret

The client secret that has been created in Ping Identity / PingOne for your application.

Identity Provider Is Set to "VMware Workspace ONE Access"

Workspace ONE Access issuer URL

The URL at the Workspace ONE Access site where the OpenID configuration document for your client can be found. This is the part of the path that precedes /.well-known/openid-configuration

 

Client ID

The client ID that is registered in Workspace ONE Access for your client.

 

Client secret

The client secret that has been created in Workspace ONE Access for your client.

Federated Identity Across IdPs

A federation can be set up between IdPs. For example, if Okta and Microsoft Entra ID are federated, Okta offers access/authentication against Microsoft Entra ID and vice versa. In the case of federated IdPs, the login screen contains a host that differs from the primary IdP. As IGEL OS only allows the primary IdP by default (e.g. “login.microsoftonline.com“), you must explicitly allow any further hosts.

List of allowed hosts for redirection

Hostnames that will be allowed by IGEL OS

Format:

  • Only the hostnames (no protocol specification, like “https://”)

  • Several entries are separated by semicolons “;”

Example: “login.microsoftonline.com”

Scopes for OpenID Connect

You can define a list of scopes to which the client will request access. In addition to the standard scopes of OpenID Connect, custom scopes can be defined.

OpenID Connect scope

List of OpenID Connect scopes to which the client will request access

Format:

  • Space separated list

  • US ASCII only, no special characters or spaces within one scope

Example: “openid profile email custom_scope“

Automatic Desktop Login

As an alternative to the interactive desktop login, predefined user credentials can automatically be provided to the IdP on startup. The credentials are stored securely on the endpoint device.

  • In this version of IGEL OS, only login via username and password is supported; multi-factor authentication (MFA) is not supported.

  • Please be aware that after the automatic desktop login, a fully unlocked desktop session will run on your endpoint device. This feature should only be used for use cases where no interactive login is possible. It is good practice to restrict this user's access to only the relevant components and data that are necessary for the specific use case.

Automatic login is available for the following IdPs:

  • Okta

  • Microsoft Entra ID (formerly known as Microsoft Azure AD)

  • Ping Identity | PingOne

  • VMware Workspace ONE Access

Automatically perform login

☑ After startup, the endpoint device performs the login automatically using the Username for autologin and the Password for autologin.

Username for autologin

The name of a user known to the IdP used.

 

Password for autologin

The password of the user provided in Username for autologin.