
How to set up Single Sign-On for Portfolio

Description

How do I set up Kerberos authentication for single sign-on (SSO) in Portfolio 2016?

Solution

To configure Portfolio 2016 for single sign-on to Portfolio Web, the following must be true:

  • Portfolio is installed on a supported version of Microsoft Windows Server
  • You have a Portfolio SSO license key and have entered it into the Licenses pane of Portfolio Administration
  • The Portfolio server is joined to an Active Directory domain (Active Directory domains authenticate with Kerberos v5)
  • The Portfolio user account is an Active Directory user
  • The user is logged into a computer that is bound to the Active Directory domain with the same user account

If these conditions are met, a user can connect to Portfolio Web with a supported browser and be logged in through Kerberos without seeing the login window.

Setting up Kerberos authentication

Create a service principal name

Kerberos requires a service principal name (SPN) for Portfolio. In Active Directory an SPN is an attribute of an account, so it must be registered on a user (service) account; use the same Active Directory account that the Portfolio services run under. Because Portfolio stores this account’s password (see “Configure Portfolio for single sign-on” below), the account must have a non-expiring password; if the password is ever changed, update it in Portfolio Administration as well. Give the account a long, randomly generated password and no more privileges than the Portfolio services need: any domain user can request a service ticket for an account that carries an SPN, so a weak password on that account is exposed to offline guessing (Kerberoasting).

To create an SPN for Portfolio, you must know the fully-qualified domain name (FQDN) of the server Portfolio runs on (for example, portfolio.example.org). This cannot be an alias (CNAME): a reverse lookup of the server’s IP address with nslookup should return the same canonical name.

The setspn command creates the SPN. Run it on a domain controller, or on any domain-joined machine with the Active Directory administration tools installed, as an account permitted to modify the service account. The examples below use a service account name of “EXAMPLE\portfoliosvc” and an FQDN of “portfolio.example.org”.

  1. Open a Command Prompt window
  2. Enter the following command and press Enter: setspn -A HTTP/portfolio.example.org EXAMPLE\portfoliosvc

An SPN may be registered on only one account in the forest. A duplicate breaks Kerberos for that service, and the browser silently falls back to NTLM or shows the login window. On Windows Server 2008 and later, the -S switch performs this duplicate check before adding the SPN, so prefer it over -A.
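The SPN step above, carried through with the checks a practitioner would want, as an added example that is not part of the Extensis article. It assumes an elevated PowerShell session on a domain controller or a domain-joined workstation with the RSAT ActiveDirectory module, run as an account permitted to modify the service account; the FQDN and account name are the article’s placeholders.

```powershell
# Added example, not part of the Extensis article: register the Portfolio SPN
# and verify the prerequisites the article lists. Assumes an elevated PowerShell
# session on a domain controller or a domain-joined admin workstation with the
# RSAT ActiveDirectory module, run as an account allowed to modify the service
# account. The names are the article's placeholders; change them to match.
$ServerFqdn = 'portfolio.example.org'
$SvcAccount = 'portfoliosvc'          # sAMAccountName of EXAMPLE\portfoliosvc
$Spn        = "HTTP/$ServerFqdn"

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The SPN must name the canonical host, not a CNAME alias, and the reverse
#    lookup of the server's address must come back to the same name.
$answer = Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction Stop
if ($answer | Where-Object { $_.QueryType -eq 'CNAME' }) {
    throw "$ServerFqdn is a CNAME alias; register the SPN on the canonical host name."
}
$ip  = ($answer | Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
$ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost.TrimEnd('.')
if ($ptr -ne $ServerFqdn) {
    throw "Reverse lookup of $ip returned '$ptr', not '$ServerFqdn'."
}

# 2. Load the service account and refuse to continue if another object already
#    holds the SPN: a duplicate SPN breaks Kerberos for the service and the
#    browser silently falls back to NTLM or the login form.
$props  = 'ServicePrincipalNames', 'PasswordNeverExpires', 'KerberosEncryptionType'
$svc    = Get-ADUser -Identity $SvcAccount -Properties $props
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($holder -and ($holder.DistinguishedName -ne $svc.DistinguishedName)) {
    throw "$Spn is already registered on $($holder.DistinguishedName)."
}

# 3. Register the SPN if it is not there yet. setspn -S (unlike the -A used in
#    the article) repeats the duplicate check itself before writing.
if ($svc.ServicePrincipalNames -notcontains $Spn) {
    setspn -S $Spn $SvcAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn exited with code $LASTEXITCODE" }
    $svc = Get-ADUser -Identity $SvcAccount -Properties $props
}

# 4. Confirm the account state the article requires, plus two hardening
#    checks: an SPN-bearing account is a Kerberoasting target, so its tickets
#    should be AES-encrypted and its password long and random.
if (-not $svc.Enabled) {
    throw "$SvcAccount is disabled."
}
if ($svc.ServicePrincipalNames -notcontains $Spn) {
    throw "$Spn is still missing from $SvcAccount."
}
if (-not $svc.PasswordNeverExpires) {
    Write-Warning "$SvcAccount's password expires; Portfolio's stored SSO credential will stop working when it changes."
}
if ("$($svc.KerberosEncryptionType)" -notmatch 'AES') {
    Write-Warning "$SvcAccount is not restricted to AES (msDS-SupportedEncryptionTypes); RC4 tickets are cheap to crack offline."
}
$svc | Select-Object Name, Enabled, PasswordNeverExpires, KerberosEncryptionType, ServicePrincipalNames | Format-List
```

The LDAP query in step 2 is deliberately forest-wide (it is not limited to user objects), because the duplicate that breaks SSO is most often an SPN left on a computer account or on an old service account. Step 4 warns rather than fails on the encryption-type check, since restricting the account to AES is a hardening step the article does not require.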

Configure Portfolio for single sign-on

  1. Log into Portfolio Administration
  2. Go to Global Settings > Single Sign-on Credentials
  3. Enter the username and password for the service account
  4. Click Apply

Configure web browsers to use single sign-on

We support using Kerberos authentication in the following browsers. (The Chrome policy referred to below as AuthServerWhitelist was renamed AuthServerAllowlist in Chrome 86; use the new name on current Chrome.)

  • Google Chrome for Mac OS and Windows
  • Mozilla Firefox for Mac OS and Windows
  • Safari for Mac OS
  • Internet Explorer for Windows (versions 9 and 10 only)
  • Microsoft Edge

Google Chrome for Mac OS

If you are logged in as an administrator on your Mac, you can create a preferences .plist file to specify the Portfolio server for single sign-on in Google Chrome.

Open the Terminal application. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.

sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"

Enter your password when prompted.

If you are not an administrator, or want a .plist file to deploy to multiple Macs, the following command creates the file on your Desktop. An administrator can then copy it into /Library/Preferences/, or push it to more than one Mac with Apple Remote Desktop or a similar management tool.

defaults write ~/Desktop/com.google.Chrome.plist AuthServerWhitelist "portfolio.example.org"

Once the file has been placed in /Library/Preferences/, restart Chrome and open chrome://policy to confirm that the policy is applied and lists the Portfolio FQDN.

Google Chrome for Windows

You can create a registry entry to specify the Portfolio server for single sign-on in Google Chrome.

Open a Command Prompt with administrator privileges. Enter the following command and press Enter; replace “portfolio.example.org” with the FQDN for your Portfolio server.

reg add HKLM\Software\Policies\Google\Chrome /v AuthServerWhitelist /t REG_SZ /d "portfolio.example.org"

You can push the same registry value to the Windows PCs on your domain using Group Policy; the Chrome ADMX templates write this same HKLM\Software\Policies\Google\Chrome key. Once the setting takes effect, restart Chrome and open chrome://policy to confirm that the policy lists the Portfolio FQDN.

Firefox for Mac OS and Windows

Open a browser window. In the address bar, type about:config and then hit Enter.

Firefox will display a warning about changing advanced settings. Click “I accept the risk” (newer releases label the button “Accept the Risk and Continue”).

The advanced configuration warning page in Firefox

In the search text box, type “network.negotiate-auth” and hit Enter.

network.negotiate-auth settings in Firefox

  • Right-click “network.negotiate-auth.allow-non-fqdn” and select Toggle to change the value to true. This is only needed if users reach the server by its short host name; when they always use the FQDN, the default of false can stay.
  • Double-click “network.negotiate-auth.trusted-uris” (or right-click it and select Modify) and enter the FQDN for the Portfolio server. Several servers can be listed separated by commas, and entering https://portfolio.example.org instead of the bare host name restricts Negotiate authentication to HTTPS connections to that server.

Internet Explorer and Microsoft Edge

Open the Control Panel and select Internet Options. In Internet Properties, click on the Security tab and select the “Local Intranet” zone.

Local Intranet zone as seen in Windows 10

Click the “Sites” button. If “Include all sites that bypass the proxy server” is unchecked, first clear “Automatically detect intranet network” so that the options beneath it become editable, then check it.

Click the Advanced button. Enter the FQDN for the Portfolio server and click Add, then click Close. Close the Internet Properties dialog. Leave the Local Intranet zone’s “User Authentication > Logon” setting (under Custom level) at its default, “Automatic logon only in Intranet zone”; that setting is what allows the browser to send Kerberos credentials without prompting. Chromium-based Edge also honours this zone assignment when no AuthServerAllowlist policy is configured.

Adding the FQDN for the Portfolio server to the Local Intranet zone
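The Windows-side browser configuration from this section (Chrome, Edge, Firefox and Internet Explorer), collected into one script together with a check that SSO really is using Kerberos, as an added example that is not part of the Extensis article. It assumes an elevated PowerShell session on the client PC, the article’s placeholder FQDN, the default Firefox install path under Program Files, and a host.domain.tld-shaped name for the ZoneMap entry; it does not cover the Mac steps.

```powershell
# Added example, not part of the Extensis article: apply the Windows browser
# settings from this section to one PC from an elevated PowerShell session,
# then check that Kerberos (not NTLM) is actually being used. The FQDN is the
# article's placeholder; the Firefox install path and the three-label name
# shape used for the ZoneMap entry are assumptions.
$ServerFqdn = 'portfolio.example.org'

# Chrome (per-machine policy, the same key the Chrome ADMX templates write).
# Chrome 86+ reads AuthServerAllowlist; AuthServerWhitelist is the older name
# used in the article, so both are set for fleets with mixed versions.
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chrome -Force | Out-Null
foreach ($name in 'AuthServerAllowlist', 'AuthServerWhitelist') {
    New-ItemProperty -Path $chrome -Name $name -PropertyType String -Value $ServerFqdn -Force | Out-Null
}

# Chromium-based Edge takes the same policy under its own key.
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edge -Force | Out-Null
New-ItemProperty -Path $edge -Name AuthServerAllowlist -PropertyType String -Value $ServerFqdn -Force | Out-Null

# Firefox: the Authentication.SPNEGO enterprise policy sets
# network.negotiate-auth.trusted-uris without hand-editing about:config.
$ffInstall = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path $ffInstall) {
    $ffDist = New-Item -Path (Join-Path $ffInstall 'distribution') -ItemType Directory -Force
    $policy = @{ policies = @{ Authentication = @{ SPNEGO = @($ServerFqdn) } } } | ConvertTo-Json -Depth 4
    # WriteAllText writes UTF-8 without a byte-order mark, which is what the JSON parser expects.
    [System.IO.File]::WriteAllText((Join-Path $ffDist.FullName 'policies.json'), $policy)
}

# Internet Explorer / legacy Edge: assign the server to the Local Intranet
# zone (value 1) for the current user through the ZoneMap, which is what the
# Internet Options dialog writes for a host.domain.tld name.
$labels = $ServerFqdn.Split('.')
if ($labels.Length -lt 3) { throw "Expected a host.domain.tld name, got '$ServerFqdn'." }
$domain    = $labels[-2..-1] -join '.'
$hostLabel = $labels[0..($labels.Length - 3)] -join '.'
$zoneKey   = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
New-Item -Path $zoneKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $zoneKey -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification: after the user has opened Portfolio Web once in a configured
# browser, the client's ticket cache should hold a service ticket for the SPN.
# No ticket means the browser fell back to NTLM or to the login form, so the
# SPN registration or the browser setting is wrong.
$tickets = klist 2>&1
if ($tickets -match "HTTP/$([regex]::Escape($ServerFqdn))") {
    Write-Output "Service ticket for HTTP/$ServerFqdn found: SSO is using Kerberos."
} else {
    Write-Warning "No HTTP/$ServerFqdn ticket in klist output; check the SPN and the browser settings."
}
```

The klist check is the quickest way to tell a working Kerberos SSO from a silent NTLM fallback, which looks identical from the user’s side when the Portfolio server also accepts NTLM: only a Kerberos login leaves an HTTP/portfolio.example.org service ticket in the cache. For a fleet, the HKLM policy values and the ZoneMap entry are normally delivered by Group Policy rather than by running this script on each PC.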

Safari

No special configuration is needed for Safari.

Topic Information
  • Topic #: 58278-1059
  • Date Created: 10/20/2015
  • Last Updated: 05/18/2017