SSO Guidelines for the Management Center

Keep the following in mind when you configure a management center to be a member of an SSO federation:

  • The management center can support SSO with only one SSO provider at a time—you cannot configure the management center to use, for instance, both Okta and OneLogin for SSO.

  • management centers in a high availability configuration can support SSO, but you must keep the following considerations in mind:

    • SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.

    • Both management centers in a high availability pair must use the same IdP for SSO. You must configure a service provider application at the IdP for each management center configured for SSO.

    • In a high availability pair of management centers where both are configured to support SSO, before a user can use SSO to access the secondary management center for the first time, that user must first use SSO to log into the primary management center at least once.

    • When configuring SSO for management centers in a high availability pair:

      • If you configure SSO on the primary management center, you are not required to configure SSO on the secondary management center.

      • If you configure SSO on the secondary management center, you are required to configure SSO on the primary management center as well. (This is because SSO users must login into the primary management center at least once before logging into the secondary management center.)

  • In a management center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.

  • Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.

  • The management center does not support SSO initiated from the IdP.

  • The management center does not support logging in with CAC credentials for SSO accounts.

  • Do not configure SSO in deployments using CC mode.

  • SSO activities are logged in the management center audit log with Login or Logout specified in the Subsystem field.