How does single sign-on via an identity and access management system work?
An identity and access management system (IAM) centralizes the management of identities and access rights across systems and applications. Authenticating users and authorizing their access are its key functions. AEB offers the following options:
- Single sign-on to use multiple AEB products with a single login: AEB runs a central IAM system that grants access to the AEB products after you sign in once, so you don't need to sign in to each product individually.
- Single sign-on to use AEB products with your own identities: You can link your own identity provider (IdP), such as Microsoft Azure Active Directory, to AEB's IAM system (Keycloak). Your users then sign in to AEB products with your own identities (user name + password + multi-factor authentication).
Infrastructure when linking an identity and access management system
The AEB IAM used for this link consists of two separate infrastructures (prod / test). Accordingly, when using single sign-on, you receive separate endpoints for prod and for test, and each needs its own link in your identity provider.
The following single sign-on protocols are supported by AEB:
- OpenID Connect (based on OAuth 2.0)
- Security Assertion Markup Language (SAML)
How does login (authentication) work via identity and access management?
The authentication itself takes place in your system. During login, the user is redirected to your identity provider, and the password is processed solely in your systems; AEB receives only the signed ID token (OpenID Connect) or assertion (SAML) that your identity provider issues.
- During the initial login, a linked user is created in the AEB IAM (just-in-time provisioning). This linked user carries the user profile and is the object to which roles and rights are assigned.
The following graphic provides an overview of how the components interact:
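The login sequence described above (redirect to your IdP, password checked only there, signed token returned, linked user created on first login), as an added example that is not AEB's or Keycloak's code. It simulates both sides in one process: an IdentityProvider standing in for your IdP and a RelyingParty standing in for the AEB IAM. To run offline with the standard library only it signs the ID token with HS256 and a shared client secret; a real Keycloak broker normally verifies RS256 signatures against the IdP's published JWKS. The issuer URL, client id, user and password below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://login.example-corp.test/"  # hypothetical customer IdP (constructed)
CLIENT_ID = "aeb-iam-broker"                 # hypothetical client id registered at that IdP
CLIENT_SECRET = secrets.token_bytes(32)      # shared secret: HS256 keeps the example offline


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Simulates the customer's IdP. Passwords are stored and checked only here."""
    def __init__(self):
        self._users = {}  # email -> (sub, salt, pbkdf2 hash); constructed sample users

    def add_user(self, sub, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (sub, salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, email, password, nonce, now=None):
        """Check the password locally; return a signed ID token on success, else None."""
        record = self._users.get(email)
        if record is None:
            return None
        sub, salt, stored = record
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), stored):
            return None
        now = int(time.time()) if now is None else now
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
                                     "exp": now + 300, "nonce": nonce, "email": email}).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"


class RelyingParty:
    """Simulates the AEB IAM (Keycloak) brokering logins to the customer's IdP."""
    def __init__(self):
        self._pending = {}      # state -> nonce; in practice bound to the browser session
        self.linked_users = {}  # (iss, sub) -> local profile that carries roles and rights

    def start_login(self):
        """Parameters of the redirect to the IdP; state and nonce are single-use random values."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return {"redirect_to": ISSUER + "authorize", "client_id": CLIENT_ID, "scope": "openid email",
                "response_type": "code", "state": state, "nonce": nonce}

    def finish_login(self, state, id_token, now=None):
        """Validate the returned ID token; create the linked user on first login."""
        nonce = self._pending.pop(state, None)  # pop, so a replayed state is rejected
        if nonce is None:
            raise ValueError("unknown or replayed state")
        claims = self.verify_id_token(id_token, nonce, now)
        key = (claims["iss"], claims["sub"])    # link on the stable subject, not on e-mail
        created = key not in self.linked_users
        if created:
            self.linked_users[key] = {"sub": claims["sub"], "email": claims.get("email"), "roles": []}
        return {"user": self.linked_users[key], "created": created}

    def verify_id_token(self, token, nonce, now=None):
        header, payload, sig = token.split(".")  # ValueError unless exactly three parts
        if json.loads(b64url_decode(header)).get("alg") != "HS256":  # pin alg; never trust the header
            raise ValueError("unexpected alg")
        expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            raise ValueError("wrong issuer or audience")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            raise ValueError("expired")
        if claims.get("nonce") != nonce:
            raise ValueError("nonce mismatch")
        return claims


def demo():
    """Two logins for the same IdP user plus one wrong password; returns what happened."""
    idp, rp = IdentityProvider(), RelyingParty()
    idp.add_user("7f3a-0001", "alice@example-corp.test", "correct horse battery staple")
    results = []
    for attempt in ("correct horse battery staple", "correct horse battery staple", "wrong"):
        req = rp.start_login()                                   # 1. redirect to the customer's IdP
        token = idp.authenticate("alice@example-corp.test", attempt, req["nonce"])  # 2. password stays there
        results.append(rp.finish_login(req["state"], token)["created"] if token else None)  # 3. link user
    return {"created_per_attempt": results, "linked_user_count": len(rp.linked_users)}
```

The two checks worth carrying into any real setup are the ones the example enforces in verify_id_token and finish_login: the broker pins the signing algorithm and validates issuer, audience, expiry and nonce before trusting any claim, and it links the local user on the stable subject identifier rather than on an e-mail address, so a later change of e-mail at your IdP neither orphans the AEB profile nor lets a different account inherit its roles.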
How do I set up single sign-on?
The following steps are required to set up single sign-on:
- Setting up endpoints for single sign-on (SSO)
- Creating roles and rights for single sign-on (SSO)
- Setting up single sign-on via identity and access management
You can find configuration examples in the following articles:
- Setting up single sign-on (SSO) via Microsoft Azure Active Directory via OpenID Connect
- Setting up single sign-on (SSO) via Microsoft AD FS