Windows SSO

Single Sign-On allows users to access their Agiloft knowledgebase with a hyperlink. The link, which is verified against LDAP, uses the user's Windows session login to access the system.

This feature uses an ActiveX control, so the following conditions are required:

  • Use the required browser, Internet Explorer 5.0+
  • Server must be included in the browser's list of trusted sites
  • The user's Windows login name must be the same as their Agiloft login

If these conditions are met, the user can instantly log in using the following URL: http://SERVER:8080/gui2/sso.jsp?autoLogin=true&project=KB_NAME&State=Main

System Setup

  1. Click the Setup gear in the top-right corner and go to Access > Single Sign-On.

  2. Set Enable LDAP Single Sign-On to Yes.
  3. Select and configure either a domain name or IP address range:

    • Enter the trusted domain name, so that users coming from this domain can use single sign-on. This option is most useful if the system is within your firewall.

    • Enter a range of trusted IP addresses, so that users coming from these addresses can use single sign-on. This option is very useful if you are accessing the system from across a firewall / NAT since, from the perspective of the system, all your users will appear to come from a single IP address. It can also be used if the system is within your firewall.

  4. Select any groups you want to exclude from single sign-on. Usually, this is used to make sure users with extensive permissions, such as administrators, are always manually authenticated.
  5. Select an authentication method.
  6. If desired, select the option to validate the login password against the password in the Active Directory database.
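
A way to sanity-check a trusted IP range before entering it in step 3, shown as an added example that is not part of the Agiloft documentation or product. It assumes the range is given as a first and last IPv4 address (the page does not specify the input format); the function name, user names and addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space, used to flag ranges that reach beyond it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_trusted_range(first, last, seen):
    """Summarise a proposed trusted range (hypothetical helper).

    first, last: inclusive bounds of the range (assumed input format).
    seen: (user, source_ip) pairs as the server would observe them.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    # Collapse the range into CIDR blocks so each block can be classified.
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    outside = [str(b) for b in blocks
               if not any(b.subnet_of(p) for p in RFC1918)]
    admitted = sorted(user for user, src in seen
                      if lo <= ipaddress.IPv4Address(src) <= hi)
    return {
        "addresses": int(hi) - int(lo) + 1,   # how many source IPs are trusted
        "outside_rfc1918": outside,           # blocks not confined to private space
        "admitted": admitted,                 # users whose source IP qualifies
    }

# Constructed sample: two users inside the firewall, two behind one NAT
# address (they are indistinguishable by source IP), one unrelated host.
SEEN = [
    ("alice", "10.1.2.15"),
    ("bob", "10.1.2.77"),
    ("carol", "203.0.113.10"),
    ("dave", "203.0.113.10"),
    ("erin", "198.51.100.23"),
]

if __name__ == "__main__":
    for first, last in [("10.1.2.0", "10.1.2.255"),
                        ("203.0.113.10", "203.0.113.10")]:
        print(first, "-", last, audit_trusted_range(first, last, SEEN))
```

The second range is a single NAT address, so every host that egresses through it is admitted; the group exclusion in step 4 and the password validation in step 6 are the settings on this page that limit what such a range grants.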

If you want to use Windows SSO when users click hyperlinks from within an email, complete these steps as well:

  1. Go to Setup > System > Manage Global Variables.
  2. Go to the Variables with Default Values tab.
  3. Edit the Hotlink Type global variable.
  4. Set the Global Variable Value to OTHER_SSO.

Force SSO Login

To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO.

  1. First, make the Password field optional in the Employees table:
    1. Go to Setup Employees and go to the Fields tab.
    2. Edit the Password field and go to the Options tab.
    3. Find the Make this a required field setting and change the value from Yes to No.
    4. Click Finish to save the change.
  2. Next, for employees who should always use SSO to log in, reset their passwords to a null value:
    1. Go to the Employees table and select each user who should use SSO from this point on.
      Don't select every user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.
    2. Click Edit Fields in the action bar.
    3. Select Password, then click Next.
    4. On the Update tab, select A formula.
    5. In the Password field, enter the variable $global.null and click Next.
    6. On the Confirm tab, clear the Run rules and Update defaults checkboxes, then click Finish.
  3. Lastly, go to Setup > System > Manage Global Variables.
  4. On the Customized Variables tab, look for the Hotlink Type variable. If it has been customized, edit it and reset it to the default value of STANDARD.
    You might also notice an SSO Authentication Method setting in the People table. This field is set automatically by the system when you enable SSO and should not be modified.

Now, users whose passwords were reset can only log in with SSO.