An inbound (client-side) SSO domain needs to be created on the LoadMaster. It holds the address of the LDAP server together with an administrator username and password. The LoadMaster uses these credentials to bind to the directory and check that the user identified by the certificate actually exists. If multiple domains are configured, a user can be authenticated against all of them in a single sign-on. More information on this option can be found in the ESP Feature Description.

To create and configure this SSO domain, follow the steps below:

  1. In the main menu of the LoadMaster WUI, select Virtual Services > Manage SSO.

  2. In the Client Side Single Sign On Configurations section, enter the Name of the SSO domain.
  3. Click Add.

  4. Select Certificates as the Authentication Protocol.
  5. Select the relevant LDAP Endpoint to use (as created in the Configure the LDAP Endpoint section).
  6. Select the relevant value for the Check Certificate to User Mapping drop-down list.
    Note: In LoadMaster firmware version 7.2.53, support for Personal Identity Verification (PIV) smart card authentication was added. For further details, refer to the following section: PIV Smart Card Support.
  7. Enable or disable the Allow fallback to check Common Name option.
  8. Enter the login domain to be used in the Domain/Realm text box.
    Note: This is also used with the logon format to construct the normalized username, for example:
    Principalname: <username>@<domain>
    Username: <domain>\<username>
    If the Domain/Realm field is not set, the Name set when initially adding the SSO domain is used as the Domain/Realm name.

Select Certificate to User Mapping

This section provides further information about the Select Certificate to User Mapping option. The Select Certificate to User Mapping option is only available when the Authentication Protocol is set to Certificates.

Note: The screenshots in this section were taken in Windows Server 2012 R2. They were correct at time of writing but they may change without our knowledge. Refer to the Microsoft documentation for the latest screenshots and steps.

The altSecurityIdentities attribute can be set in the Active Directory Users and Computers (dsa.msc) console by using the Name Mappings task (see the screenshots above). Both the Issuer and the Subject are used for the alternate security identity. The Name Mappings method creates an altSecurityIdentities entry in the form:

X509:<I>issuer data...<S>subject data...

There are other formats (created by other methods), but this is currently the only one supported by the LoadMaster.
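As an added example (not Kemp code and not taken from this page), the following Python builds the X509:<I>...<S>... value that the Name Mappings task writes for a given certificate issuer and subject, and shows the lookup that a certificate-to-user check of this kind performs against a set of directory users. The sample users and distinguished names are constructed. It assumes the Active Directory convention of storing the issuer and subject RDNs in reverse order relative to the CN-first string a certificate tool prints, a case-insensitive comparison of the RDNs, and that the Common Name fallback compares the subject CN against the account name; values in any other format (for example X509:<SKI>...) are skipped, as the text says only the issuer/subject form is supported.

```python
import re

# Constructed sample directory: account name -> altSecurityIdentities values.
SAMPLE_USERS = {
    "jdoe": [
        "X509:<I>DC=com,DC=example,CN=Example Issuing CA"
        "<S>DC=com,DC=example,OU=Users,CN=jdoe",
    ],
    "asmith": ["X509:<SKI>0123456789abcdef"],  # another format, not handled here
    "bjones": [],                              # no mapping at all
}

# Only the X509:<I>issuer<S>subject form is recognised.
_X509_IS = re.compile(r"^X509:<I>(?P<issuer>.*?)<S>(?P<subject>.*)$")


def split_rdns(dn):
    """Split an RFC 4514 DN string on commas that are not escaped with a backslash."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def to_ad_order(dn):
    """Reverse the RDN order: 'CN=jdoe,DC=example,DC=com' -> 'DC=com,DC=example,CN=jdoe'.
    This reversal is an assumption about how AD stores the mapping."""
    return ",".join(reversed(split_rdns(dn)))


def build_alt_security_identity(issuer_dn, subject_dn):
    """Produce the X509:<I>issuer<S>subject value the Name Mappings task stores."""
    return f"X509:<I>{to_ad_order(issuer_dn)}<S>{to_ad_order(subject_dn)}"


def parse_alt_security_identity(value):
    """Return (issuer, subject) for an X509:<I>...<S>... value, or None for any other format."""
    m = _X509_IS.match(value)
    return (m.group("issuer"), m.group("subject")) if m else None


def subject_cn(dn):
    """Extract the CN value from a DN string, or None if there is no CN."""
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def _norm(dn):
    # Case-insensitive comparison of RDNs is this example's choice.
    return [r.casefold() for r in split_rdns(dn)]


def find_mapped_user(cert_issuer, cert_subject, users, allow_cn_fallback=False):
    """Return the account whose altSecurityIdentities matches the certificate, else None.

    cert_issuer / cert_subject are in the CN-first form a certificate tool prints.
    With allow_cn_fallback, a subject CN equal to an account name is accepted when no
    mapping matches (assumed to model the 'Allow fallback to check Common Name' option).
    """
    want = (_norm(to_ad_order(cert_issuer)), _norm(to_ad_order(cert_subject)))
    for account, identities in users.items():
        for value in identities:
            parsed = parse_alt_security_identity(value)
            if parsed and (_norm(parsed[0]), _norm(parsed[1])) == want:
                return account
    if allow_cn_fallback:
        cn = subject_cn(cert_subject)
        for account in users:
            if cn and account.casefold() == cn.casefold():
                return account
    return None


if __name__ == "__main__":
    issuer = "CN=Example Issuing CA,DC=example,DC=com"
    subject = "CN=jdoe,OU=Users,DC=example,DC=com"
    print(build_alt_security_identity(issuer, subject))
    print(find_mapped_user(issuer, subject, SAMPLE_USERS))
```

Note that asmith's X509:<SKI> value is a valid Active Directory mapping but is ignored here, so without the Common Name fallback that user cannot be mapped at all; the same would apply to any format the LoadMaster does not support.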

Note: When a mapping is changed in Active Directory, the change does not take effect on the LoadMaster immediately, because the existing mapping is cached. To apply the change immediately, flush the LoadMaster SSO cache; otherwise it is picked up only when the user's cached ticket times out.

Flushing the SSO cache will flush all Single Sign-On (SSO) records, reset all authentication server statuses, reset the KCD domain (if relevant) and re-read the configuration. This has the effect of logging off all clients using Single Sign-On to connect to the LoadMaster.