To set up single sign-on (SSO), you must perform some configuration steps.
The Horizon single sign-on module communicates with PAM (pluggable authentication modules) in Linux and does not depend on the method that you use to integrate Linux with Active Directory (AD). Horizon SSO is known to work with the OpenLDAP and Winbind solutions that integrate Linux with AD.
By default, SSO assumes that AD's sAMAccountName attribute is the login ID. To ensure that the correct login ID is used for SSO, you must perform the following configuration steps if you use the OpenLDAP or Winbind solution:
- For OpenLDAP, set sAMAccountName to uid.
- For Winbind, add the following statement to the configuration file /etc/samba/smb.conf.
winbind use default domain = true
- For OpenLDAP, you must use short domain names in upper case.
- Winbind supports both long and short domain names.
AD supports special characters in login names, but Linux does not. Therefore, do not use special characters in login names when setting up SSO.
In AD, if a user's UserPrincipalName (UPN) attribute and sAMAccount attribute do not match, and the user logs in with the UPN, SSO fails. For example, if you have a user, juser in AD mycompany.com, but the user's UPN is set to [email protected] instead of [email protected], SSO fails. The workaround is for the user to log in using the name that is stored in sAMAccount. For example, juser.
- For Winbind, the user name is case-insensitive by default.
- For OpenLDAP, Ubuntu uses NSCD to authenticate users and is case-insensitive by default. RHEL and CentOS use SSSD to authenticate users and the default is case-sensitive. To change the setting, edit the file /etc/sssd/sssd.conf and add the following line in the
[domain/default]
section:case_sensitive = false
If your Linux desktop has multiple desktop environments installed on it, refer to Desktop Environment to select the desktop environment to use with SSO.