10.6 Configuring Single Sign-On with KeyShield

For Filr to work with an existing KeyShield installation, you must have the following already in place.

  • A KeyShield SSO server that is registered with DNS and provides single sign-on services to your network users.

  • An API Key that is displayed in a defined API Authorization configuration.

  • One or more Authentication Connectors (defined on the KeyShield server) that are allowed to be used with the API Key.

  • Administrative Access to the KeyShield server for obtaining the following:

    • The API Authorization Key associated with the KeyShield Connectors you are leveraging for Filr

    • The SSL certificate, downloadable as a .CER file for importing into the Filr keystore.

To configure Filr to work with an existing KeyShield installation, complete the instructions in the following sections:

10.6.1 (Conditional) Allowing the Filr Appliance to Access the KeyShield APIs

The following procedure assumes that you have restricted access to the KeyShield APIs to only specific machines by listing their IP addresses. (If no IP addresses are listed, then access to the APIs is unrestricted.)

  1. Acting as a KeyShield administrative user, access the KeyShield SSO browser-based console. Then click Configuration > the General tab.

  2. In the API Authorizations section of the General page, toggle open the API Authorization configuration to which you are adding the IP address, then click edit.

  3. Click the bar below the already-allowed IP addresses.

  4. Type the Filr IP address, then click OK.

10.6.2 (Conditional) Allowing the Authorization Connectors to Access the API Key

Continuing in the General tab (accessed in the previous section), if access to the KeyShield SSO APIs is restricted to users on specific connectors, ensure that the connectors that your Filr users will be connecting through are listed by doing the following:

  1. If the connectors your users will use are not listed, click the bar below the already-allowed connectors.

  2. Select the connectors for your users, then click OK.

10.6.3 Configuring Filr for KeyShield SSO Support

  1. Open a new tab or a new browser session to access Filr on port 8443:

    https://filr-ip-address-or-dns-name:8443

    For example, https://192.168.30.150:8443

    Having a new session will let you easily switch between the KeyShield administration console and the Filr Administration console.

  2. In the new browser session, log in to Filr as an administrator.

  3. Click the admin link in the upper-right corner of the page, then click the Administration Console icon.

  4. In the left frame, click KeyShield SSO.

  5. In the KeyShield SSO Configuration dialog, click Enable KeyShield SSO.

  6. In the KeyShield Server URL field, type the access URL for the KeyShield server:

    https://ks-server-dns-name_or_ip-address:ks-server-https-port/

    For example,

  7. Switch to the KeyShield browser-based console, toggle open the API Key, then select and copy the key to your clipboard.

  8. Switch to the Filr Administration panel and paste the API Key into the API Authorization field.

  9. The HTTP Connection Timeout controls how long the Filr Appliance will wait for a response from the KeyShield server before prompting users for their login credentials.

    Novell doesn’t recommend changing this value unless the connection between the Filr Appliance and the KeyShield SSO server doesn’t facilitate a quick response, for example, when the appliance and server are connected over a WAN.

  10. In the Connector Names field, type the names of each KeyShield SSO connector that Filr users will connect through, then test the connection.

    Because the Filr appliance doesn’t yet have the KeyShield SSO SSL certificate in its keystore, the test fails.

  11. Continue with the next section, Downloading and Installing the KeyShield SSO SSL Certificate.

10.6.4 Downloading and Installing the KeyShield SSO SSL Certificate

  1. Open a third browser session and access the Filr appliance on port 9443:

    https://filr-ip-address-or-dns-name:9443

    For example, https://192.168.30.150:9443

  2. Log in as vaadmin.

  3. Switch to the KeyShield browser-based console and under General/Web Interface, click Edit.

  4. Click the Download button for the HTTPS Keystore.

  5. Save the Keyshield.cer file on the workstation running the browser.

  6. Switch to the browser session opened in Step 1 and click the Appliance Configuration icon.

  7. Click the Digital Certificates icon.

  8. Click File > Import > Trusted Certificate.

  9. Click Browse, then browse to the location where you saved the Keyshield.cer file and click Open.

  10. Click OK to import the certificate file.

  11. Acknowledge the message about restarting the appliance by clicking OK.

  12. Click the back arrow in the browser, then select Reboot.

  13. After the system restarts, continue with the next section, Testing the KeyShield SSO Configuration.
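
The import in Steps 8 through 10 makes the appliance trust whatever certificate the saved file contains, so it is worth checking the file before importing it. The following is an added example, not part of the original guide: a shell script that confirms a .cer file parses (DER or PEM), matches a reference SHA-256 fingerprint and has not expired. It assumes the openssl command-line tool is available and that the reference fingerprint was obtained separately from the KeyShield administrator; the function names, file names and sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a downloaded .cer before importing it as trusted.
# Assumes the openssl CLI is installed; all names below are constructed.

# Emit the certificate as PEM whether the .cer is DER (binary) or PEM (Base64).
cer_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -outform PEM 2>/dev/null
}

# Print the SHA-256 fingerprint as lowercase hex without separators.
cer_fingerprint() {
    pem=$(cer_to_pem "$1") || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the file parses, matches the expected fingerprint and
# has not expired. 1 = mismatch, 2 = not a certificate, 3 = expired.
cer_ok_to_import() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cer_fingerprint "$1") || return 2
    [ "$actual" = "$expected" ] || return 1
    cer_to_pem "$1" | openssl x509 -noout -checkend 0 >/dev/null || return 3
}

# Constructed sample: a throwaway self-signed certificate saved as PEM and DER.
make_sample_cer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=keyshield.example.test" \
        -keyout "$1/key.pem" -out "$1/sample-pem.cer" 2>/dev/null &&
        openssl x509 -in "$1/sample-pem.cer" -outform DER -out "$1/sample-der.cer"
}

# Demo run on the constructed sample; replace the path and the reference
# fingerprint with the saved Keyshield.cer and the value you were given.
demo_dir=$(mktemp -d)
make_sample_cer "$demo_dir"
reference=$(cer_fingerprint "$demo_dir/sample-pem.cer")
if cer_ok_to_import "$demo_dir/sample-der.cer" "$reference"; then
    echo "fingerprint $reference matches and certificate is current"
fi
# Show who the certificate was issued to and its validity window.
cer_to_pem "$demo_dir/sample-der.cer" | openssl x509 -noout -subject -issuer -dates
rm -rf "$demo_dir"
```

A non-zero return from cer_ok_to_import means the file should not be imported until the mismatch, parse failure or expiry is explained.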

10.6.5 Testing the KeyShield SSO Configuration

  1. Switch back to the Filr administration console (port 8443).

  2. Click Test Connection.

    The test should succeed.

  3. Click OK to finalize the configuration and complete the KeyShield SSO integration.