Enable Federated Authentication for CMSG with SSO

IDP Configuration

Configuration parameters below are all obtained during the configuration of the IDP. Before configuring Federated Authentication, please ensure that you have an active third-party identity provider configured correctly.

To enroll by the private key and certificate of the Certification Authority:

For more information on all the enrollment options, see Preparing for Single Sign-On.

Private Key and CA requirement

Ensure that you have the PEM files for the signed certificate, private key and certificate revocation list from the above instructions on Preparing for Single Sign-On, and have uploaded them to the CMSG.

Passphrase Protection

Passphrase protection for CA certificates is not supported.
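
A pre-flight check for the three PEM files named in the two notes above, run before they are passed to pcoip-cmsg-setup. This is an added example, not part of the original page or of the CMSG tooling: the function name and return codes are hypothetical, the CA:TRUE and file-permission checks are assumptions drawn from the flag descriptions and general key-handling practice, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of pcoip-cmsg-setup).
# Validates the files intended for --sso-signing-csr-ca, --sso-signing-csr-key
# and --sso-signing-crl.
# Usage: check_sso_pems <ca cert pem> <private key pem> <crl pem>
# Returns: 0 ok, 1 unreadable file, 2 encrypted key, 3 key/cert mismatch,
#          4 not a CA or expired, 5 bad CRL, 6 key readable by group/others.
check_sso_pems() {
    ca=$1 key=$2 crl=$3
    for f in "$ca" "$key" "$crl"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done

    # Passphrase protection is not supported. Encrypted PEM keys carry either
    # the PKCS#8 "ENCRYPTED PRIVATE KEY" label or a "Proc-Type: 4,ENCRYPTED" header.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key is passphrase-protected" >&2; return 2
    fi

    # The key must belong to the certificate: compare the public halves.
    cert_pub=$(openssl x509 -in "$ca" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # Assumption: a signing CA certificate must be marked CA:TRUE and be unexpired.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || {
        echo "certificate is not marked CA:TRUE" >&2; return 4; }
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 4; }

    # The revocation list must parse as a PEM CRL.
    openssl crl -in "$crl" -noout 2>/dev/null || {
        echo "CRL is not a valid PEM CRL" >&2; return 5; }

    # Assumption: the signing key should not be readable by group or others.
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] || {
        echo "private key is readable by group or others" >&2; return 6; }
    return 0
}
```

Source the file and call check_sso_pems with the three paths; a non-zero return code identifies the first check that failed.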

If you are installing a new CMSG:

  • Run this command: sudo pcoip-cmsg-setup install [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-signing-csr-ca <path to pem> --sso-signing-csr-key <path to pem> --sso-signing-crl <path to crl>

If you are configuring an existing CMSG:

Empty flags

When configuring an existing CMSG, the command includes extra flags with "" as the value. These ensure that those settings are cleared from the CMSG. If the settings were never configured, the flags are not required.

  • Run this command: sudo pcoip-cmsg-setup configure [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-signing-csr-ca <path to pem> --sso-signing-csr-key <path to pem> --sso-signing-crl <path to crl> --sso-enrollment-url "" --sso-enrollment-domain "" --sso-enrollment-username "" --sso-enrollment-password "" --sso-enrollment-certificate-template-name ""

To enroll via Active Directory Certification Authority Web Enrollment:

If you are installing a new CMSG:

  • Run this command: sudo pcoip-cmsg-setup install [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-enrollment-url "$Enrollment_URL" --sso-enrollment-domain "$Domain" --sso-enrollment-username "<username>" --sso-enrollment-password "<password>" --sso-enrollment-certificate-template-name "<template name>"

If you are configuring an existing CMSG:

Empty flags

When configuring an existing CMSG, the command includes extra flags with "" as the value. These ensure that those settings are cleared from the CMSG. If the settings were never configured, the flags are not required.

  • Run this command: sudo pcoip-cmsg-setup configure [...other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX --enable-sso true --sso-enrollment-url "$Enrollment_URL" --sso-enrollment-domain "$Domain" --sso-enrollment-username "<username>" --sso-enrollment-password "<password>" --sso-enrollment-certificate-template-name "<template name>" --sso-signing-csr-ca "" --sso-signing-csr-key "" --sso-signing-crl ""

Installation Flags

Federated Authentication Flags

Flag                                                        Type Description
--enable-oauth Boolean Enables OAuth authentication. (Default=false)
--id-provider-url String Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.id.provider.com. This flag is required if --enable-oauth is true.
--oauth-client-id String Gets the Client ID from the Identity Provider. This flag is also required if --enable-oauth is "true".

Federated Authentication Single Sign-On Flags

Flag                                                        Type Description
--fa-url String Overrides the Federated Auth Broker URL provided to the PCoIP Agent. This flag can be used if auto-detection is not correctly determining the connector address. For example: https://cac-vm-fqdn:port
--enable-sso Boolean Enables SSO. (Default=False)
--sso-signing-csr-ca String Path to the intermediate CA certificate to copy.
--sso-signing-csr-key String Path to the intermediate key.
--sso-signing-crl String Path to a certificate revocation list.
--sso-enrollment-url String Gets the URL to the Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-domain String Domain of the user to access Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-username String Username for accessing Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-password String Password for the username to access Active Directory Certification Authority Web Enrollment Service.
--sso-enrollment-certificate-template-name String Name of the certificate template that Active Directory Certification Authority Web Enrollment Service uses to sign CSR.