Cisco Crosswork Network Controller 7.2 Administration Guide

PDF

Enable single sign-on

Want to summarize with AI?

Log in

Enable single sign-on (SSO) so users can access Crosswork Network Controller and integrated applications with a single set of credentials.


Single sign-on (SSO) is an authentication method that lets users log in once and access multiple independent systems without reentering credentials. Crosswork Network Controller acts as an Identity Provider (IdP) and supports SSO integration for service provider applications. You can enable SSO for users authenticated via TACACS+, LDAP, and RADIUS. When SSO is configured, users benefit from seamless access and improved security management.

Crosswork Network Controller also supports SSO cross-launch, so users can move easily between Crosswork Network Controller and integrated applications. Once configured, the URL can be launched using the launch icon (Close Panel icon) located at the top right corner of the window.

Note that the Crosswork Network Controller login page is not shown if the Central Authentication Service (CAS) pod is restarting or offline.

  • When Crosswork Network Controller’s CAS pod is restarting or not running, the login page is not available.

  • The SSO URL from the Identity Provider (IdP) is https://<IP>:30603/crosswork/sso/idp/profile/SAML2/Redirect/SSO, where <IP> represents the Crosswork Network Controller's IP address or hostname.

Before you begin

  • Select Enable source IP for auditing check box on the Administration > AAA > Settings page.

  • Ensure you have the latest service provider metadata to integrate with Crosswork Network Controller SSO.

  • Confirm that network connectivity exists between Crosswork Network Controller (IdP) and each service provider application.

  • Verify the CAS pod is running and stable.

Procedure

1.

From the main menu, choose Administration > AAA > SSO . The Identity Provider window appears. You can add, edit or delete SSO providers here.

Figure 1. Identity Provider window
2.

To add a new service provider:

  1. Click the Add icon icon.

  2. In the Service Provider window, enter the values in the following fields:

    • Name: Specify the entity name.

    • Evaluation order: Assign a unique number for service definition priority.

    • Metadata: Provide or browse to the SAML metadata XML document for the service provider.

    Note

    If you supply a URL, the Service name entry becomes a hyperlink for cross-launch.

  3. Click Add to confirm.

3.

Click Save all changes. When prompted, confirm by clicking Save changes.

Note

Saving changes may require restarting the server for updates to take effect.

After the settings are saved, when you log into the integrated service provider application for the first time, the application gets redirected to the Crosswork Network Controller server. After providing the Crosswork credentials, the service provider application logs in automatically. For all the subsequent application logins, you do not have to enter any authentication details.

4.

To edit a service provider:

  1. Select the check box next to the service provider, then click the Edit iconicon.

  2. Update evaluation order or metadata information as needed.

  3. Click Update to apply changes.

5.

To delete a service provider:

  1. Select the check box next to the service provider, then click the Delete icon icon.

  2. Click Delete to confirm removal.

Single sign-on is enabled for selected service provider applications. Users can authenticate once via Crosswork Network Controller and seamlessly access associated applications without reentering authentication factors.

What to do next

  • If Crosswork Network Controller is reinstalled or migrated, update the Identity Provider (IdP) metadata in all service provider applications to avoid authentication errors due to metadata mismatch.

  • For first-time users, ensure password change is completed before attempting to log in with a different username. To reset an incomplete session, an administrator must terminate it.