Configuring Single Sign-On

NetGovern Archive and NetGovern Search both support Single Sign On (SSO).

With SSO, once a user has signed in through the Identity Provider, no separate sign-in to NetGovern Archive or NetGovern Search is required: the NetGovern login happens automatically and invisibly.

How SSO Works in NetGovern

NetGovern Archive and NetGovern Search both use Security Assertion Markup Language (SAML) to achieve Single Sign On. SAML is an open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. The user is authenticated against Active Directory (AD); NetGovern matches the user by domain, which typically corresponds to the domain of their email address.

For many organizations, Active Directory Federation Services (ADFS) acts as the Identity Provider.

NetGovern Archive, NetGovern Search, and Proxy access are each considered a separate Service Provider. Enabling SSO on Proxy access is optional but recommended.

NOTE
NetGovern Search does not use Multi-Factor Authentication (MFA). However, ADFS may enforce MFA, in which case your users are prompted for additional authentication factors before the assertion is issued.
NOTE
What is called a Service Provider in SAML terminology is called a Relying Party in ADFS terminology.

Once SSO is configured in NetGovern, a typical workflow will proceed as follows:

  • The user signs in to ADFS.
  • The user browses to the NetGovern login URL.
  • Invisibly, NetGovern requests a signed SAML assertion from ADFS to authenticate the user and authorize the login.
  • NetGovern APID verifies the signature on the assertion.
  • The user is logged in to NetGovern automatically.

If the user attempts to sign in to NetGovern before signing in to ADFS, they are redirected to the ADFS sign-in page and prompted for credentials.

In all cases, once SSO is configured, the login screens for both NetGovern Archive and NetGovern Search are disabled and invisible.

NOTE
If SSO is enabled, Admin users should not be synced.
NOTE
Once SAML is enabled, users cannot change their NetGovern password, because the welcome screen where that option appears is no longer shown. Since authentication is handled by Active Directory, the NetGovern password is not used while SSO is enabled.

Timeouts

NetGovern Search enforces several session timeouts to protect user authentication. When SSO is enabled in NetGovern Search and a timeout occurs, the Search session refreshes automatically after a timeout alert.

NetGovern Archive auto-refreshes permanently.

In both cases, SSO overrides timeouts in NetGovern.

Assertion Validity

Assertions do not expire in NetGovern by default. The Administrator may revoke assertions for specific users.

Certificates

You need a separate valid certificate for both the Identity Provider and for the Service Providers. You can have one certificate for all Service Providers (NetGovern Archive, NetGovern Search, and Proxy access) as long as they are on the same server. If the Service Providers are on different servers, each will need its own certificate.

A self-signed certificate is suitable only for testing, because AD FS will not accept it.

IMPORTANT
If the certificate host name does not match the host name that users access, SSO may fail. During configuration, an auto-detect function helps you find such mismatches.
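The verification step in the workflow above ("NetGovern APID verifies the signed assertion") and the host name caveat in the IMPORTANT note both come down to checks a Service Provider runs on the SAML Response before it trusts the login. The script below is an added example, not NetGovern or ADFS code: it builds a constructed SAML Response, then checks issuer, pinned signing-certificate fingerprint, Destination against the ACS URL users actually browse to, Audience, validity window, and the subject's email domain. The entity IDs, ACS URL, AD domain, certificate bytes and clock are all assumed values; the XML-DSig signature verification itself is left to the SP's SAML library and is not implemented here.

```python
"""Checks a Service Provider applies to a SAML Response before trusting the login.
Added example, not NetGovern code. All configuration values and the SAML Response
are constructed; XML-DSig signature verification is left to the SP's SAML library."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of the ADFS token-signing certificate.
IDP_CERT_DER = b"constructed placeholder for the ADFS token-signing certificate"

# Hypothetical Service Provider configuration for one NetGovern Search instance.
SP_CONFIG = {
    "idp_entity_id": "http://adfs.example.com/adfs/services/trust",
    "sp_entity_id": "https://search.example.com/saml/metadata",
    "acs_url": "https://search.example.com/saml/acs",  # host name users browse to
    "idp_cert_sha256": hashlib.sha256(IDP_CERT_DER).hexdigest(),
    "ad_domains": {"example.com"},
}
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the checks


def build_response(destination, audience, not_on_or_after,
                   name_id="alice@example.com", cert_der=IDP_CERT_DER):
    """Return a constructed SAML Response (not a real ADFS message)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    issuer = SP_CONFIG["idp_entity_id"]
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, cfg, now):
    """Return the list of policy failures; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no assertion"]
    failures = []
    # 1. The assertion must come from the configured Identity Provider.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != cfg["idp_entity_id"]:
        failures.append(f"unexpected issuer {issuer!r}")
    # 2. The signing certificate must be the one pinned for the IdP (fingerprint match).
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        failures.append("assertion is not signed")
    elif hashlib.sha256(base64.b64decode(cert.text.strip())).hexdigest() != cfg["idp_cert_sha256"]:
        failures.append("signing certificate is not the pinned IdP certificate")
    # 3. The response must be addressed to the ACS URL users actually reach; a
    #    host name mismatch between certificate/URL and what users type shows up here.
    destination = root.get("Destination", "")
    if destination != cfg["acs_url"]:
        failures.append(f"destination {destination!r} does not match ACS URL {cfg['acs_url']!r}")
    # 4. The assertion must be intended for this Service Provider.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["sp_entity_id"] not in audiences:
        failures.append(f"audience {audiences!r} does not include this SP")
    # 5. The assertion must be inside its validity window (limits replay).
    cond = assertion.find("saml:Conditions", NS)
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        failures.append("assertion is outside its validity window")
    # 6. The subject's domain, taken from the email NameID, must be an AD domain we serve.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    domain = name_id.rpartition("@")[2].lower()
    if domain not in cfg["ad_domains"]:
        failures.append(f"domain {domain!r} is not an authenticated AD domain")
    return failures


def run_cases():
    """One acceptable response and three that must be rejected."""
    ok, late = "2026-01-01T00:00:00Z", "2024-06-01T00:00:00Z"
    sp = SP_CONFIG["sp_entity_id"]
    cases = {
        "good": build_response(SP_CONFIG["acs_url"], sp, ok),
        "wrong_host": build_response("https://10.201.2.230/saml/acs", sp, ok),  # IP instead of host name
        "expired": build_response(SP_CONFIG["acs_url"], sp, late),
        "rogue_cert": build_response(SP_CONFIG["acs_url"], sp, ok, cert_der=b"another certificate"),
    }
    return {name: check_response(xml, SP_CONFIG, NOW) for name, xml in cases.items()}
```

Run `run_cases()` to see the four outcomes: only `good` returns an empty failure list. The `wrong_host` case shows what happens when the assertion is addressed to an IP or host name other than the one in the SP configuration, which is the mismatch the auto-detect function is meant to catch before users hit it; pinning the IdP certificate fingerprint rather than trusting any signer is what makes the Identity Provider certificate requirement meaningful.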

Bypassing SSO for Admins

Admins can use the URL ending in /saml/ to bypass SSO when performing admin tasks.

NOTE
In most cases, Admin synchronization is required for SSO bypass to work as expected.
NOTE
Closing a browser will not log the user out of SSO in all cases.

Bypassing SSO for End Users (NOSSO)

After SSO is set up, any local, manually created end user can bypass SSO by using the Admin UI URL ending in /nosso/.

Example:

https://10.201.2.230/nosso

The user must belong to a designated "nosso" group in AD in order to access this function.

The URL ending in /nosso/ will also work for admins.

Similar to SSO, a NetGovern Search session in /nosso/ will refresh automatically after a timeout alert.

NOTE
Closing a browser will not log the user out of SSO in all cases.

Outlook Add-In

Because the Outlook Add-In has no connection to ADFS, Single Sign On (SSO) through SAML cannot be enabled for it. Instead, the Add-In authenticates through NetGovern Search. During Outlook Add-In setup, you can authorize the Add-In to use NetGovern Search credentials. On first successful login to the Outlook Add-In, each user is shown a grant rights page.

If the user selects Allow, the Outlook Add-In is authorized to use NetGovern Search credentials indefinitely, unless assertions are revoked.

Going forward, login to the Outlook Add-In occurs automatically, whether or not the user is logged in to NetGovern Search and whether or not SAML is enabled in the Admin UI.

Maintaining Administrator Access

Once SAML is enabled, you no longer log in to the Admin UI using Administrator credentials. Instead, you log in using the credentials associated with your personal email address. Therefore, before you enable SAML, you must assign Administrator access to yourself; see Configuring an Administrator.

WARNING
If you do not do this, you will lock yourself out as an Administrator once SAML is enabled.

Configuring SSO

There are two ways to configure SSO in NetGovern: by using ADFS, or by using another Identity Provider. Steps for both are provided further below.