Create a Single Sign-On (SSO) Domain
- Last Updated: December 10, 2024
Note: The maximum number of SSO domains that are allowed is 128.
Follow the steps below to create an SSO domain:
- Log in to the LoadMaster.
- Select Virtual Services in the main menu and select Manage SSO Domains.
- Enter the name of the domain and click Add.
- Select LDAP as the Authentication Protocol.
Note: The other configuration types and authentication protocols (LDAP, RADIUS, RSA-SecurID, Certificates, RADIUS and LDAP, and RSA-SecurID and LDAP) can be selected if the Active Directory environment is configured for them.
Note: For more information on the RSA-SecurID, Kerberos Constrained Delegation or Certificates options, including steps on how to configure them, refer to the relevant documents:
- RSA Two Factor Authentication, Feature Description
- Kerberos Constrained Delegation, Feature Description
- Select the relevant LDAP endpoint in the LDAP Endpoint drop-down list. For further information on LDAP endpoints, refer to the LDAP Configuration section.
- In the Domain/Realm field, enter the login domain to be used.
Note: This is also used with the logon format to construct the normalized username, for example:
- Principalname: <username>@<domain>
- Username: <domain>\<username>
Note: If the Domain/Realm field is not set, the Domain name set when initially adding an SSO domain is used as the Domain/Realm name.
- Select the relevant Logon format. The logon format offers two options, as outlined below:
- principalname: Selecting this as the Logon format means that the client does not need to enter the domain when logging in, for example username@domain. The SSO domain entered in the corresponding text box is used as the domain in this case.
Note: When using RADIUS as the Authentication protocol, the value in this SSO domain field must match exactly for the login to work. It is case sensitive.
- username: Selecting this as the logon format means that the client needs to enter the domain and username, for example domain\username.
- Specify the number of Failed Login Attempts that a user can have before their account is locked out. Click Set Failed Login Attempts.
Note: When a user is locked out, all existing logins for that user are terminated, along with future logins. Users can be unblocked in the Currently Blocked Users section of the Manage Domain screen.
- Enter the amount of time (in seconds) that you would like to Reset Failed Login Attempt Counter after. Click Set Reset-Failed Timeout.
- Enter the amount of time (in seconds) after which a blocked user account is unblocked in the Unblock Timeout text box. Click Set Unblock Timeout.
- Enter the relevant values in the public and private idle time and max duration text boxes and click the corresponding buttons. The timeout value that is applied depends on whether the user selects public or private on the login screen.
- Select the relevant option for use value (either max duration or idle time).
- Select whether or not to use the LDAP endpoint for the health check.
- If you have decided not to use the LDAP endpoint for the health check, enter the credentials of a user account for the SSO Domain in the Test User and Test User Password fields. The LoadMaster uses this information in a health check of the Authentication Server. This health check is performed every 20 seconds. The 20-second interval is hard-coded and cannot be modified.
- Click OK.
Note: It is also possible to unlock blocked users from the Manage Domain screen. To do this, simply click the unlock button for the relevant blocked user.
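As an added illustration (not LoadMaster code), the following Python model shows how the three lockout settings above interact: Failed Login Attempts, Reset-Failed Timeout and Unblock Timeout, together with the termination of existing logins on lockout and the manual unlock described in the note. The class and method names, the sample values in use, and the reset of the failure counter on a successful login are assumptions, not documented LoadMaster behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SsoLockoutPolicy:
    failed_login_attempts: int  # lockout after this many consecutive failures
    reset_failed_timeout: int   # seconds of quiet before the failure counter resets
    unblock_timeout: int        # seconds after which a blocked account is unblocked

@dataclass
class UserState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    blocked_at: Optional[float] = None
    sessions: set = field(default_factory=set)  # the user's active logins

class SsoDomainLockout:  # hypothetical model of the documented settings
    def __init__(self, policy: SsoLockoutPolicy):
        self.policy, self.users = policy, defaultdict(UserState)
    def is_blocked(self, user: str, now: float) -> bool:
        st = self.users[user]
        if st.blocked_at is not None and now - st.blocked_at >= self.policy.unblock_timeout:
            self.unblock(user)  # Unblock Timeout elapsed: automatic unblock
        return st.blocked_at is not None
    def record_failure(self, user: str, now: float) -> bool:
        # Returns True if the account is blocked after this attempt.
        if self.is_blocked(user, now):
            return True
        st = self.users[user]
        if st.last_failure_at is not None and now - st.last_failure_at >= self.policy.reset_failed_timeout:
            st.failures = 0  # Reset-Failed Timeout: older failures no longer count
        st.failures, st.last_failure_at = st.failures + 1, now
        if st.failures >= self.policy.failed_login_attempts:
            st.blocked_at = now
            st.sessions.clear()  # lockout terminates all existing logins for the user
            return True
        return False
    def record_success(self, user: str, now: float, session_id: str) -> bool:
        # Rejected while blocked; resetting the counter on success is an assumption.
        if self.is_blocked(user, now):
            return False
        st = self.users[user]
        st.failures = 0
        st.sessions.add(session_id)
        return True
    def unblock(self, user: str) -> None:
        # Manual unlock, as from the Currently Blocked Users section
        st = self.users[user]
        st.blocked_at, st.failures = None, 0
```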