Two types of SSO domains can be created – Client Side and Server Side. Client Side Single Sign On domains enable the configuration of how the LoadMaster will authenticate clients including protocols used and authentication endpoints. A Server Side domain is required if using Kerberos Constrained Delegation for the authentication of connections from the LoadMaster to the servers.

Client Side configurations allow you to set the Authentication Protocol to LDAP, RADIUS, RSA-SecurID, Certificates, RADIUS and LDAP or RSA-SecurID and LDAP.

Note: As of LoadMaster firmware version 7.2.52, RADIUS two-factor and LDAP authentication is supported. For further details, refer to the RADIUS ESP Authentication Feature Description.

Server Side configurations allow you to set the Authentication Protocol to Kerberos Constrained Delegation (KCD).

To add a new SSO Domain enter the name of the domain in the Name field and click Add. You can enter up to 64 characters in this field. The name entered here does not need to relate to the allowed hosts within the Single Sign On Domain.

Note: When using the Permitted Groups field in ESP Options, you need to ensure that the SSO domain set here is the directory for the permitted groups. For example, if the SSO Domain is set to webmail.example and webmail is not the directory for the permitted groups within example.com, it will not work. Instead, the SSO Domain needs to be set to .example.com.
Note: If the Domain/Realm field is not set, the domain Name set when initially adding an SSO domain is used as the Domain/Realm name.