Windows SSO

Windows single sign-on (SSO) allows users to access Agiloft with a hyperlink that is verified against LDAP and uses their Windows session login to access the system.

This feature uses an ActiveX control, so the following conditions must be met:

  • The Agiloft server must be included in the browser's list of trusted sites.
  • The user's Agiloft Login must be the same as their Windows login.

System Setup

  1. Go to Setup > Access > Single Sign-On.
  2. Set Enable LDAP Single Sign-On to Yes.
  3. Select and configure either a domain name or IP address range:
    • If you want to enable access by domain name so all users coming from the domain can use SSO, select Domain name under Windows Domain Name and enter the trusted domain name. This option is most useful if the system is within your firewall.
    • If you want to enable access by trusted IP address range so users coming from that range can use SSO, select IP range and enter the beginning and end of the range in the From and To fields. This option is useful if you are accessing the system from outside of the firewall. It can also be used if the system is within your firewall.
  4. Select any groups you want to exclude from SSO. Usually, this option is used to make sure users with extensive permissions, such as administrators, are always manually authenticated.
  5. Select an authentication method.
  6. If desired, select the option to validate the login password against the password in Active Directory.

If you want to use Windows SSO when users click hyperlinks from within an email, complete these steps as well:

  1. Go to Setup > System > Manage Global Variables.
  2. Go to the Variables with Default Values tab.
  3. Edit the Hotlink Type global variable.
  4. Set the Global Variable Value to OTHER_SSO.

Log in with SSO

Once the integration is complete, users can access Agiloft with Windows SSO. Follow the steps below to create the Windows SSO login URL and share it with your users.

  1. Create a URL in the following form:

    http://DOMAIN_NAME/gui2/sso.jsp?autoLogin=true&project=KB+NAME&State=Main

  2. In the URL, replace DOMAIN_NAME and KB+NAME with the values for your system. Use a plus sign (+) in place of any spaces in the KB name. For example:

    http://example.agiloft.com/gui2/sso.jsp?autoLogin=true&project=Example+KB+Name&State=Main

  3. Go to the new URL in a browser. If you are already authenticated with the IdP, you're forwarded directly to the Agiloft user interface. If you're not logged in to the IdP, you're forwarded to the IdP login page.
  4. Depending on how you want users to access Agiloft, you can choose one or more of the following options:
    • Send the URL to all users who should log in via SP-initiated SSO and ask them to bookmark it or add it to their favorites.
    • Add the URL to an existing webpage if you use a custom login method. Then direct users to that page.
  5. For logins from Agiloft Contract Assistant applications, tell users to use their Windows username and password.
  6. Finally, to make sure users can't circumvent SSO and log in to Agiloft directly, follow the instructions in Force SSO Login below.
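The following helper builds and checks the login URL described in steps 1 and 2. It is an added example written for this page, not Agiloft's own code; the function names `build_sso_url` and `parse_sso_url` are hypothetical, and the scheme defaults to HTTPS as an assumption (the page's own sample uses http). It goes slightly beyond the page by percent-encoding any character in the KB name that is not URL-safe, not only spaces, and by parsing a finished URL back to confirm it carries the three required parameters before it is sent to users.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SSO_PATH = "/gui2/sso.jsp"


def build_sso_url(server: str, kb_name: str, state: str = "Main", scheme: str = "https") -> str:
    """Build the Windows SSO login URL for a KB.

    server   - hostname of the Agiloft server (replaces DOMAIN_NAME)
    kb_name  - knowledgebase name as shown in Agiloft (replaces KB+NAME);
               spaces become '+' and any other unsafe character is
               percent-encoded by urlencode()
    state    - the State parameter; the page uses Main
    scheme   - assumed default of https; pass "http" to match the page's sample
    """
    if not server or "/" in server:
        raise ValueError("server must be a bare hostname, e.g. example.agiloft.com")
    if not kb_name.strip():
        raise ValueError("kb_name must not be empty")
    # Parameter order matches the form given on the page.
    query = urlencode({"autoLogin": "true", "project": kb_name, "State": state})
    return urlunsplit((scheme, server, SSO_PATH, query, ""))


def parse_sso_url(url: str) -> dict:
    """Check that a URL is a well-formed SSO login link and return its parts.

    Raises ValueError when the path or any required parameter is missing, so an
    administrator can validate a link before distributing it.
    """
    parts = urlsplit(url)
    if parts.path != SSO_PATH:
        raise ValueError(f"unexpected path {parts.path!r}; expected {SSO_PATH}")
    params = parse_qs(parts.query, keep_blank_values=True)
    missing = [k for k in ("autoLogin", "project", "State") if k not in params]
    if missing:
        raise ValueError(f"missing parameter(s): {', '.join(missing)}")
    return {
        "scheme": parts.scheme,
        "server": parts.netloc,
        "auto_login": params["autoLogin"][0] == "true",
        "kb_name": params["project"][0],  # parse_qs decodes '+' back to a space
        "state": params["State"][0],
    }


if __name__ == "__main__":
    # Constructed sample values; the hostname is the page's own placeholder.
    link = build_sso_url("example.agiloft.com", "Example KB Name", scheme="http")
    print(link)
    print(parse_sso_url(link))
```

Because `urlencode` handles the escaping, a KB name such as `R&D Contracts` yields `project=R%26D+Contracts` rather than a broken query string, and `parse_sso_url` recovers the original name, which is the check worth running on every link before it is bookmarked or embedded in a portal page.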

Force SSO Login

To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO.

  1. First, make the Password field optional in the Employees table:
    1. Go to Setup Employees and go to the Fields tab.
    2. Edit the Password field and go to the Options tab.
    3. Find the Make this a required field setting and change the value from Yes to No.
    4. Click Finish to save the change.
  2. Next, for employees who should always use SSO to log in, reset their passwords to a null value:
    1. Go to the Employees table and select each user who should use SSO from this point on.
      Don't select every user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.
    2. Click Edit Fields in the action bar.
    3. Select Password, then click Next.
    4. On the Update tab, select A formula.
    5. In the Password field, enter the variable $global.null and click Next.
    6. On the Confirm tab, clear the Run rules and Update defaults checkboxes, then click Finish.

Now, users whose passwords were reset can only log in with SSO.

If you also allow some external users to log in with SSO, repeat the process for the External Users table.