.. role:: bold-underline
   :class: bold-underline

.. _application-sso-setup:

Application SSO Setup
=====================

This section explains the setup instructions for Desktop-based, Browser-based, and Windows Login Application Single Sign-On (SSO).

.. image:: /images/sso-overview-image.png

For more information about the OmniDefend SSO Solution, visit `OmniDefend SSO `_

.. note::

   As a prerequisite to this section, please install the ``OmniDefend Client Bundle``, the ``OmniDefend MFA Browser Extension``, and the ``OmniDefend SSO Browser Extension``. Also make sure that the user is already enrolled in OmniDefend MFA.

.. image:: /images/OD-Square-Shape-Logo-01.png
   :align: center

.. _desktop-applications:

Legacy Desktop Applications
+++++++++++++++++++++++++++

This documentation demonstrates how to provision OmniDefend password-fill SSO onto a legacy desktop application.

**1. Portal Login**

To set up a desktop application with OmniDefend SSO, first log in to the portal as an admin. As you can see in the images below, the OmniDefend Client icon in the Windows system tray should change once login is successful.

Logged Out:

.. image:: /images/system-tray-icon-logged-out.png

Vs. Logged In:

.. image:: /images/system-tray-icon-logged-in.png

**2. Application Launch**

Next, launch the desktop application that you wish to provision in OmniDefend. For this documentation, we will use the example of Microsoft SQL Server Management Studio.

**3. Run Wizard**

After launching the application, right-click the OmniDefend system tray icon and left-click ``Run Wizard``. See the image below:

.. image:: /images/sql-launch-system-tray.png

**4. Drag and Drop the Icon in the Password Wizard**

After clicking ``Run Wizard``, the ``Password Wizard for Desktop Applications`` will open. Locate and clear the data from the ``Server Name`` field in the wizard, and as you can see in the image below, drag and drop the icon onto the relevant field in the desktop application.

.. image:: /images/drag-and-drop-server-name.png

**5. Repeat Drag and Drop for the ``Authentication`` Field**

We will repeat this process for the ``Authentication`` field in the wizard. First, select ``Windows Authentication`` within the relevant field in the application. Next, as seen in the image below, drag and drop the OmniDefend icon into the field.

.. image:: /images/drag-and-drop-authentication.png

**6. Repeat Drag and Drop for the ``Connect`` Button**

We will repeat this process for the ``Connect`` button in the application. For clarity, see the image below:

.. image:: /images/drag-and-drop-connect-button.png

**7. Deselect ``Password`` field in the Password Wizard**

Navigate to the bottom of the ``Detection Components`` section of the Password Wizard. Uncheck the box for the ``password`` field, as seen in the image below:

.. image:: /images/wizard-password-uncheck.png

Left-click the ``Create`` button in the Password Wizard. As seen in the image below, a confirmation box will be presented.

.. image:: /images/password-wizard-confirmation.png

**8. Prompt the OmniDefend Authentication Pop-Up**

Once the password wizard closes, click anywhere in the background of the dialog box of the application. The OmniDefend Pop-Up will appear and prompt for authentication, as seen in the image below:

.. image:: /images/desktop-authentication-popup.png

Finish by logging into OmniDefend using the popup and the pre-provisioned MFA credentials.

.. image:: /images/OD-Square-Shape-Logo-01.png
   :align: center

.. _browser-based-applications:

Browser-Based Applications
++++++++++++++++++++++++++

This set of instructions demonstrates how to provision OmniDefend password-fill SSO onto a browser-based application.

**1. Login to OmniDefend**

Log in to the OmniDefend Portal as an admin. After doing so, navigate to the browser application that you want to provision. For this documentation, we will use the example of imgur.com.

.. caution::

   Before proceeding further, ensure that you are logged in to the OmniDefend extension agent as the same user by clicking on the SSO extension in the browser toolbar.

.. image:: /images/browser-toolbar-sso.png

**2. Navigate to Application Login Page**

Navigate to the Sign In page of the browser application. The OmniDefend ``Save Credentials?`` popup will automatically appear and prompt for SSO setup, as seen in the image below:

.. image:: /images/save-credential.png

**3. Enter credentials BEFORE clicking ``Yes``**

Be sure to enter the credentials in the username and password boxes BEFORE clicking ``Yes`` in the ``Save Credentials?`` box and BEFORE confirming sign-in to the application.

.. image:: /images/before-save-credentials.png

**4. Navigate to the Portal Launch Wizard**

Log out and then log back into the OmniDefend portal. Navigate to ``Applications`` and select the relevant application (in this case Imgur). Left-click ``Actions`` and then ``Launch Wizard``.

.. image:: /images/launch-wizard-sso.png

.. tip::

   The SSO wizard on the portal allows you to edit the ``Vault Templates`` as well as configure different SSO features such as disabled username and password fields or random password generation.

.. image:: /images/launch-wizard-detailed.png

**5. Provision the application through the Portal**

Navigate to ``Applications`` and select the relevant application (in this case Imgur). Left-click ``Actions`` and then ``Provision...``.

.. image:: /images/actions-provision.png

To finish, select one of the provisioning options for the application. The four options will appear the same as the image below:

.. image:: /images/provision-options.png

.. image:: /images/OD-Square-Shape-Logo-01.png
   :align: center

.. _windows-login-credprov:

Windows Login with Credential Provider
++++++++++++++++++++++++++++++++++++++

This set of instructions demonstrates how to create a Windows Login application within OmniDefend and provision it to users accordingly.

**1. Satisfy Prerequisites**

Several prerequisites must be satisfied prior to Windows Login application setup.

a. Ensure that the OmniDefend Credential Provider Client has been installed through either .exe or .msi files. For more info on where to find these files, please contact info@softexinc.com

b. Ensure that the provided registry files are edited and updated correctly.

.. note::

   OmniDefend Credential Provider requires OmniDefend Server Information to connect. Please edit the provided registry file ``OmniDefend_CredProv_Setting.reg`` and update the ``ServerUrl``, ``ClientId`` and ``ClientSecret`` values in it. Please install the updated registry files on the client systems. You can push this reg file to the respective user’s machine via group policy.

**2. Create a Windows Login application in the OD Portal**

To enable OmniDefend Credential Provider, we must first create an application within the OmniDefend platform. Follow these steps to create the application for the Credential Provider, named ``WinLogon``:

a. Log in to the OmniDefend portal and navigate to ``Applications`` > ``Add Applications(s)``

b. Select the application type as ``Windows Login`` from the dropdown, as shown in the image below

   .. image:: /images/new-applications-winlogin.png

c. Provide the necessary basic application information, including name, short name, and description. Optionally, update the 'User Account Settings' to configure the account lockout feature for failed attempts, adjust the 'Desktop Login Settings' as needed, and/or adjust the 'MFA Policy' for this application.

d. Click ``Create`` to generate the application

**3. Provision the Windows Login application**

Navigate to ``Applications`` > ``Windows Login``. Select the relevant Windows Login application, then left-click ``Actions`` and then ``Provision...``.

.. image:: /images/windows-login-provision.png

To finish, select one of the provisioning options for the application. The four options will appear the same as the image below:

.. image:: /images/windows-login-provision-options.png
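
Step 1b of the Windows Login procedure asks you to edit ``OmniDefend_CredProv_Setting.reg`` before pushing it by group policy. The PowerShell check below is an added example, not part of the OmniDefend documentation or tooling: it parses the edited file and reports whether ``ServerUrl``, ``ClientId`` and ``ClientSecret`` are all set, without printing the secret. The function name ``Test-CredProvRegFile``, the file location, and the requirement that ``ServerUrl`` use https are assumptions.

```powershell
# Added example: pre-deployment check for OmniDefend_CredProv_Setting.reg.
# The three value names come from the page; the function name, the file
# location and the https requirement are assumptions of this example.
function Test-CredProvRegFile {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $required = 'ServerUrl', 'ClientId', 'ClientSecret'
    $values   = @{}
    $problems = New-Object System.Collections.Generic.List[string]

    # Get-Content honours a UTF-16 BOM, which regedit exports carry.
    foreach ($line in Get-Content -LiteralPath $Path) {
        # String values in a .reg file look like: "Name"="value"
        if ($line -match '^\s*"(?<name>[^"]+)"="(?<value>.*)"\s*$') {
            # Undo .reg escaping (\\ -> \ and \" -> ").
            $values[$Matches['name']] = $Matches['value'] -replace '\\(.)', '$1'
        }
    }

    foreach ($name in $required) {
        if (-not $values.ContainsKey($name)) {
            $problems.Add("$name is missing")
        } elseif ([string]::IsNullOrWhiteSpace($values[$name])) {
            $problems.Add("$name is empty")
        }
    }

    # Assumption of this example: the server URL must be absolute and https.
    if ($values['ServerUrl']) {
        $uri = $null
        $ok  = [System.Uri]::TryCreate($values['ServerUrl'], [System.UriKind]::Absolute, [ref] $uri)
        if (-not $ok -or $uri.Scheme -ne 'https') {
            $problems.Add('ServerUrl is not an absolute https:// URL')
        }
    }

    # Report names and problems only, never the secret value.
    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

Test-CredProvRegFile -Path .\OmniDefend_CredProv_Setting.reg
```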