Enabling Premium SSO

Single Sign On (SSO) is a technique in which your current Windows domain login is used to access Cryoserver, bypassing the login page.

There are two Single Sign On facilities. This document refers to the on-premise Cryoserver, where users connect from a Microsoft domain using NTLMv2 tokens. The other facility is known as "OAuth" and is often used in a cloud-based setup, where the user directory is cloud hosted (e.g. Azure or Google), though the Cryoserver itself could be on-premise or cloud hosted.

In the SSO technique, passwords are not passed; instead, your current Windows user token is used for validation. A token is computed every time you log in to a Windows domain, and hence it cannot be cached and used again. This technique only works with NTLM or NTLMv2 tokens and is designed to work only in Microsoft domains.

Furthermore, to prevent man-in-the-middle attacks, the user token includes a 'source PC identifier'. To validate SSO, the Windows Domain Controller checks whether the source of the validation request (Cryoserver) is the same as the source PC encoded in the token (the user's PC). For this to work, the Cryoserver server needs to be registered as a Computer in the Windows Users & Computers list.

Prerequisites to enable premium SSO

  • Create a COMPUTER account in Active Directory Users and Computers.

  • Then use the script SetComputerPass.vbs to generate a password. To download the script, click the Download Script button on the Premium SSO options page.

Cryoserver will then be able to create an authenticated connection to your Domain Controller, over which secure SSO connections may be passed.
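The prerequisite computer account can also be created and checked from PowerShell instead of the Active Directory Users and Computers console. The following is an added example, not a script supplied by Cryoserver; the computer name CRYOSERVER-ARCHIVE and the OU path are placeholders to replace with your own values, and the account password is still set afterwards with SetComputerPass.vbs as described above.

```powershell
# Added example (not Cryoserver's own script). Requires the RSAT ActiveDirectory
# module and an account permitted to create computer objects in the target OU.
Import-Module ActiveDirectory

# Placeholders: the name you will give the Cryoserver computer account
# and the OU where it should live.
$ComputerName = 'CRYOSERVER-ARCHIVE'
$TargetOU     = 'OU=Servers,DC=example,DC=local'

# Create the computer account only if it does not already exist.
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADComputer -Name $ComputerName `
                   -SAMAccountName "$ComputerName`$" `
                   -Path $TargetOU `
                   -Description 'Cryoserver Premium SSO computer account' `
                   -Enabled $true
}

# Verify the object is present and enabled: the Domain Controller check
# described above depends on this account being registered.
$account = Get-ADComputer -Identity "$ComputerName`$" -Properties Enabled, Description
[PSCustomObject]@{
    Name              = $account.Name
    DistinguishedName = $account.DistinguishedName
    Enabled           = $account.Enabled
    Description       = $account.Description
}

# Next step: run SetComputerPass.vbs (downloaded from the Premium SSO options page)
# to set this account's password and enter the result in the SSO configuration.
```

The verification output is worth keeping with your change record: if the SSO Connection Test later fails, confirming that the object exists, is enabled and sits in the expected OU is the first thing to check.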

  1. Navigate to Adv. Configuration > SSO - Single Sign On.

  2. Enter or select the required values in the fields. Refer to the table below for field names and descriptions. (Note: hover your mouse over the field names for additional information and/or example values.)

  3. Click the Apply button to save the configuration.

  4. To test the SSO connection, click the SSO Connection Test button.

  5. After saving the configuration, the web server needs to be restarted to ensure that SSO is used. To do this, navigate to Management > Restart > Restart WebServer.

  6. To review logs, click the Show Log button.
