Single Sign-On

Single Sign-On is the authentication scheme for npc and all supported data sources. Once they are authenticated to npc, users can navigate the console and registered data sources without signing in again.
capm360
Single Sign-On is the authentication scheme for
Performance Center
and all supported data sources. Once they are authenticated to
Performance Center
, users can navigate the console and registered data sources without signing in again.
Enabling the navigation of multiple product interfaces ensures a seamless drilldown experience for operators analyzing performance and status data. For example, if a user logs in to
Performance Center
 and follows a drilldown path to the data source interface, that user does not log in again.
Performance Center
uses a distributed architecture. The Single Sign-On website is automatically installed on every server where a supported data source or
Performance Center
is installed. The distributed architecture lets users log in to data source products by logging in to the servers where these products are running.
Authentication and Security
Single Sign-On provides authentication services to
Performance Center
and supported data sources. It also supports external authentication schemes, such as LDAP and SAML 2.0. This support lets you integrate
Performance Center
and other CA data source products into the same authentication scheme, enterprise-wide.
When a user is required to enter a username and password, the Single Sign-On security auditing feature logs information about who is logging in, and at what time of day. On Linux servers, the log is saved in the following location:
[InstallationDirectory]/PerformanceCenter/sso/logs
Authentication Methods
The Single Sign-On login page supports user authentication in CA
Performance Center
and in the data source products. Single Sign-On supports the following authentication methods:
  • Product authentication, which is based on user accounts
  • LDAP
  • Security Assertion Markup Language (SAML) 2.0
The CA
Performance Center
administrator can modify settings for an individual instance of Single Sign-On. For example, you can set up LDAP authentication in Single Sign-On. You can also configure optional encryption with Secure Sockets Layer (SSL) or change the default virtual directory.
As a result of the distributed architecture, any updates to the Single Sign-On website affect only those data source products that are running on the same server.
Single Sign-On Configuration Tool
The Single Sign-On Configuration Tool is a command-line application. The application lets administrators adjust the settings for the Single Sign-On website and the associated CA data source products.
The 'Remote Value' option in the Configuration Tool propagates the settings to each registered data source. Use the 'Local Override' option to override the propagated settings on the local server.
The Single Sign-On Configuration Tool was designed to run on Linux systems. However, you can also deploy it on the Windows servers where data sources are installed. If you launch the Configuration Tool from a Windows server, log in as an Administrator on that server.
Use the Single Sign-On Configuration Tool to perform the following tasks:
  • Configure data source products to use LDAP authentication.
    All the LDAP settings for each product are updated using this tool. You can also test the current LDAP configuration to verify settings.
  • Configure data source products to use SAML 2.0 authentication.
    In addition to using the Configuration Tool, the administrator must also take some steps on the Identity Provider to set up SAML 2.0 authentication.
  • Update the Single Sign-On virtual directory that each product references.
    If you added an encryption scheme or you changed the Single Sign-On virtual directory, use this tool to synchronize the data source products. For example, data sources on the modified server need instructions on where to redirect users who do not successfully authenticate.
  • Enable communications among servers running CA software products using HTTPS. 
    This change affects the Single Sign-On URL scheme and port. The Single Sign-On Configuration Tool lets administrators easily update these values in all the necessary data source products.
  • Enable FIPS-compliant encryption and hashing algorithms (where applicable).
    The Single Sign-On configuration tool configures the 
    CA Performance Management
     to use FIPS-compliant encryption and hashing algorithms. For more information, see FIPS-Compliant Encryption.
    CA Performance Management
    is not fully FIPS-compliant. This feature is for FIPS-compliant encryption only and does not meet full FIPS compliance.