Install and configure UserLock Single Sign-On
A comprehensive description of UserLock requirements is available here.
Important Note: The Single Sign-On (SSO) feature will cease to function for perpetual licence clients who have not renewed their maintenance contract.
Choose the server hosting SSO service
The installation can be done on a member server of the domain. There is no requirement to use a Domain Controller. Any virtual or physical server running Windows Server 2012 R2 or later can be used as the host.
Please note that no modifications will be made to your Active Directory or its schema.
Download the installation package 'UserLock-Setup.exe' here.
The package is the same for both the English and French languages and is compatible with 32-bit and 64-bit platforms.
- Execute the downloaded package on the host server to launch the installation process.
- Choose 'English' as the preferred language and click on 'OK'.
- Click on 'Next' on the 'Welcome' page.
- Read and accept the License Agreement and click on 'Next'.
- Leave 'Custom' selected for the installation type and click on 'Next'.
- Ensure that both the Console and the SSO service are selected.
- Click Install to begin the installation.
- Once UserLock has completed installing, click on 'Finish'.
Enable the Single Sign-on feature
The following prerequisites must be in place in order to enable the Single Sign-on feature:
- The service must be installed on a Windows Server 2012 R2 or higher with a permanent Internet connection.
- A registered domain (e.g. sso.mydomain.com) with a valid SSL certificate.
- A DNS 'A' record that resolves the domain to the IP address of this machine once the UserLock SSO service has been configured.
NOTE: This console can only manage the UserLock SSO service installed locally. To manage the SSO service on another machine, a separate installation of the UserLock console and the SSO service is required on that machine.
The following information must be configured:
- Domain: Enter the registered domain
- Port: 443
- Certificate: Navigate to the valid certificate that matches the registered domain
Once all the information has been entered, restart the service.
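The prerequisites and settings above can be checked from the SSO host once the service has been restarted. The script below is an added example, not part of UserLock or its documentation; the function name `Test-SsoEndpoint` is hypothetical and `sso.mydomain.com` is the example domain used above.

```powershell
# Added example, not UserLock code. Assumption: run on the SSO host after the
# service has been restarted with the Domain, Port and Certificate settings.
param(
    [string]$Domain = 'sso.mydomain.com',   # example domain from the prerequisites
    [int]$Port = 443
)

function Test-SsoEndpoint {                  # hypothetical helper name
    param([string]$Domain, [int]$Port)
    $result = [ordered]@{ Domain = $Domain; DnsMatchesHost = $false
                          TlsValid = $false; CertExpires = $null; Detail = '' }

    # 1. The 'A' record must resolve to an IP address of this machine.
    try {
        $records  = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' }
        $resolved = @($records.IPAddress)
        $local    = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
        $result.DnsMatchesHost = [bool]($resolved | Where-Object { $local -contains $_ })
        # Behind NAT the record holds the public address, so a mismatch here
        # calls for a manual check of the forwarding rule.
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TLS handshake on the configured port. AuthenticateAsClient applies the
    #    default validation: trusted chain, validity dates, host-name match.
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Domain, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Domain)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsValid    = $true
        $result.CertExpires = $cert.NotAfter
    } catch {
        $result.Detail = "TLS: $($_.Exception.GetBaseException().Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$result
}

Test-SsoEndpoint -Domain $Domain -Port $Port
```

A result with `TlsValid` set to `False` carries the handshake error in `Detail`, which distinguishes a closed port from a certificate that does not match the domain or is not trusted.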
Once the UserLock SSO is correctly configured, it is possible to protect SaaS applications. This can be done by clicking the Configuration tab or by navigating with a browser to the UserLock SSO IdP URL.
Configure the Single Sign-On (SSO) for Cloud Provider
The next step is to configure the Cloud provider of your choice. Please refer to the list below:
Access to the Configuration page
As the operations related to Single Sign-On are sensitive, the Configuration page is accessible to Domain Admins only by default and only from internal network computers.
If these rules are not respected, an error will be displayed while navigating to the Configuration page.
It is possible for a user who is not a Domain Admin to access this page and configure the Single Sign-On. However, this requires creating a new Active Directory group named "UserLock SSO Admins" and adding the required users to this group.
Note: a user who was already logged on when added to this group needs to log off and log on again before accessing the Configuration page.