Single Sign On

Niagara has an extensible Single Sign On (SSO) framework that can support many types of SSO. For example, the Kerberos scheme is an SSO scheme. SAML (Security Assertion Markup Language) SSO is the main supported SSO scheme and the focus of this topic.

SSO is an access control method that allows for automatic logging in to multiple related, but independent software systems. In the current implementation, SSO works via a browser connection to a station. When accessing multiple stations configured for SSO you are required to enter credentials only once to access all stations. SSO also makes it possible to log in to individual stations without being prompted for user name or password each time.

Figure 1. Login window for a station configured for SAML SSO

The advantages of this are evident for customers with more than one remote controller:

Users can log in to one controller, and not be prompted to log in to other controllers, which improves usability.
Centralized management of credentials means that users no longer need to maintain multiple copies of the same identity and role information, eliminating the errors inherent in duplication and being out of sync.
One controlled authentication point makes authentication less complicated and, ultimately, more secure.

A result of using SSO is that all credentials (identity information, authorization information via roles) are stored and managed centrally, and authentication is controlled centrally as well.

Note: Role names are managed centrally, but what the roles map to still needs to be managed by each individual station. For example, an Identity Provider might tell me that my role is "Party Planner", but the station needs to have a role with that name, which maps to categories, etc. on that station.