Install and configure UserLock Single Sign-On
A comprehensive description of UserLock requirements is available here.
Important Note: The Single Sign-On (SSO) feature will cease to function for perpetual licence clients who have not renewed their maintenance contract.
Choose the server hosting SSO service
The SSO service can be installed on any member server of the domain; a Domain Controller is not required. Any physical or virtual server running Windows Server 2012 R2 or later can be used as the host.
Please note that no modifications will be made to your Active Directory or its schema.
Download the installation package 'UserLock-Setup.exe' here.
The package is the same for both the English and French languages and is compatible with 32-bit and 64-bit platforms.
- Execute the downloaded package on the host server to launch the installation process.
- Choose 'English' as the preferred language and click on 'OK'.
- Click on 'Next' on the 'Welcome' page.
- Read and accept the License Agreement and click on 'Next'.
- Leave 'Custom' selected for the installation type and click on 'Next'.
- Ensure that both the Console and the SSO service are selected.
- Click 'Install' to begin the installation.
- Once UserLock has completed installing, click on 'Finish'.
Enable the Single Sign-on feature
You must put in place the following pre-requirements in order to enable the Single Sign-on feature:
- The service must be installed on Windows Server 2012 R2 or later with a permanent Internet connection.
- A registered public DNS name (e.g. sso.mydomain.com) and a valid SSL certificate issued for that name. Users' browsers must trust it, so it should come from a public CA rather than be self-signed.
- A DNS 'A' record that resolves this name to the IP address of the host once the UserLock SSO service has been configured.
NOTE: The console can only manage the UserLock SSO service installed on the same machine. To manage an SSO service on another machine, a separate installation of both the UserLock console and the SSO service is required there.
The following information must be configured:
- Hostname: the registered domain name (e.g. sso.mydomain.com)
- Port: 443
- SSL certificate: browse to the valid certificate issued for the registered domain name
The SAML certificate lifetime can be set to anything from 2 months to 10 years. For more information, in particular on its renewal, please consult this page.
Once all the information has been entered, restart the UserLock SSO service so that the new settings take effect.
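The prerequisites and settings above can be checked on the host before and after the service restart. The following PowerShell script is an added example, not part of the UserLock documentation or product; the hostname is the placeholder from the text, and the check for a usable certificate relies only on the Windows machine certificate store (the store UserLock reads from is an assumption).

```powershell
# Added example (not from the UserLock documentation): pre-flight checks for the
# UserLock SSO host. The hostname is the placeholder used in the guide; which
# certificate store the product reads from is an assumption (LocalMachine\My).
$SsoHostname = 'sso.mydomain.com'   # the registered domain name
$SsoPort     = 443

# 1. OS must be Windows Server 2012 R2 (6.3.9600) or later. CIM is used because
#    [Environment]::OSVersion can report 6.2 on 2012 R2 for unmanifested hosts.
$os   = Get-CimInstance Win32_OperatingSystem
$osOk = [version]$os.Version -ge [version]'6.3.9600'
"OS: $($os.Caption) $($os.Version) -> $(if ($osOk) {'OK'} else {'TOO OLD'})"

# 2. Outbound Internet reachability (the service needs a permanent connection).
$inet = Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 -InformationLevel Quiet
"Internet: $(if ($inet) {'OK'} else {'BLOCKED'})"

# 3. A certificate for the hostname (or a matching wildcard) in the machine store,
#    with a private key and not expired. Self-signed certificates are flagged
#    because users' browsers will not trust them.
$parentDomain = $SsoHostname -replace '^[^.]+\.', ''
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (($_.DnsNameList.Unicode -contains $SsoHostname) -or
     ($_.DnsNameList.Unicode -contains "*.$parentDomain"))
}
foreach ($c in $certs) {
    $note = if ($c.Subject -eq $c.Issuer) { ' (self-signed: browsers will not trust it)' } else { '' }
    "Cert $($c.Thumbprint): expires $($c.NotAfter.ToShortDateString())$note"
}
if (-not $certs) { "No usable certificate for $SsoHostname in LocalMachine\My" }

# 4. After the service restart: is 443 listening, and does a TLS handshake with
#    SNI = $SsoHostname return the expected certificate?
$listening = Get-NetTCPConnection -LocalPort $SsoPort -State Listen -ErrorAction SilentlyContinue
"Port ${SsoPort}: $(if ($listening) {'LISTENING'} else {'NOT LISTENING (service not started?)'})"
if ($listening) {
    $tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', $SsoPort)
    # The validation callback returns $true so the served certificate can be inspected
    # here instead of the handshake failing on a trust error.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($SsoHostname)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "TLS $($ssl.SslProtocol): served cert $($served.Thumbprint) for $($served.GetNameInfo('DnsName', $false))"
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}
```

Run it in an elevated PowerShell session on the SSO host: the first three checks apply before installation, the fourth only after the service has been configured and restarted. A served thumbprint that differs from the one selected in the console means the service is still using an old binding.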
Once UserLock SSO is correctly configured, SaaS applications can be protected, either from the Configuration tab or by browsing to the UserLock SSO IdP URL.
Configure Single Sign-On (SSO) for a Cloud Provider
The next step is to configure the Cloud provider of your choice. Please refer to the list below:
Access to the Configuration page
As the operations related to Single Sign-On are sensitive, the Configuration page is, by default, accessible only to members of Domain Admins and only from computers on the internal network.
If either condition is not met, navigating to the Configuration page returns an error.
A user who is not a Domain Admin can also be allowed to access this page and configure Single Sign-On. To do so, create a new Active Directory security group named "UserLock SSO Admins" and add the required users to it.
Note: a user who was already logged on when added to this group must log off and log on again before accessing the Configuration page, because the new membership only appears in a fresh logon token.
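The delegation described above, as an added PowerShell example rather than a procedure from the UserLock documentation. It assumes the RSAT ActiveDirectory module is available, that a global security group is acceptable (the page only specifies the group name), and uses a placeholder OU and account name.

```powershell
# Added example (not from the UserLock documentation). Assumptions: the RSAT
# ActiveDirectory module is installed, a global security group is acceptable
# (the guide only fixes the group's name), and the OU and account are placeholders.
Import-Module ActiveDirectory

$GroupName = 'UserLock SSO Admins'          # exact name expected by the console
$Member    = 'jdoe'                         # placeholder: user to delegate SSO configuration to
$GroupOU   = 'OU=Groups,DC=mydomain,DC=com' # placeholder OU

# Create the group only if it does not exist yet, so the script can be re-run safely.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -PassThru `
        -Description 'Non-Domain-Admin users allowed to open the UserLock SSO Configuration page'
}
Add-ADGroupMember -Identity $group -Members $Member

# Group membership is evaluated from the logon token, which is built at logon.
# Run this part in the delegated user's own session to see whether the group is
# already in the current token or whether a log off / log on is still needed.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}
if ($tokenGroups -contains "$env:USERDOMAIN\$GroupName") {
    "Current token already includes $GroupName"
} else {
    "Current token does not include $GroupName yet: log off and log on again"
}
```

Keep the group's membership as small as the Domain Admins group itself: anyone in it can change which identity provider your SaaS applications trust.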
Once the UserLock SSO service is correctly configured and started, it is able to receive authentication requests from SaaS applications. Before these requests can reach it, however, some additional work is needed at the DNS level, using a Split Domain Name System (Split DNS).
Authentication protocols work by redirecting through the user's browser. For instance, if https://sso.mydomain.com is defined as the IdP SSO URL and a user opens a protected SaaS application from home (i.e. outside the local network), the browser must be able to resolve that name. A DNS record must therefore be created at your external DNS provider that associates the UserLock SSO hostname (sso.mydomain.com here) with your enterprise network entry point, i.e. the public address behind which the UserLock SSO server is set up.
In that external zone, the 'sso' A record points to the public IP address of the company network.
Then, once a request from the external network reaches your company network entry point, it must be relayed to the UserLock SSO server. This is achieved using port forwarding (TCP 443 only, to the SSO host). Please read the documentation of your router, as the configuration depends on the manufacturer.
For requests coming from the local network, add another record in your internal DNS so that traffic does not leave the network and come back in through the router:
Here the 'sso' CNAME record points to the local machine name of the UserLock SSO server, which is itself mapped to a local IP address by a separate A record.
With DNS configured both internally and externally, the first SaaS application can now be protected.
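The Split DNS setup above, as an added PowerShell example that is not part of the UserLock documentation: it creates the internal A and CNAME records on a Windows DNS server and then compares what internal and external clients resolve. Zone, machine name, IP addresses and DNS server names are placeholders; the external A record is created at your public DNS provider and is only verified here, not created.

```powershell
# Added example (not from the UserLock documentation): internal split-DNS records
# for the SSO hostname plus a check of both resolution views. All names and
# addresses are placeholders; the public IP uses the TEST-NET-3 range.
Import-Module DnsServer

$Zone        = 'mydomain.com'
$SsoLabel    = 'sso'                 # gives sso.mydomain.com
$SsoServer   = 'srv-sso'             # machine name of the UserLock SSO host
$SsoLanIp    = '192.168.10.25'       # its LAN address
$PublicIp    = '203.0.113.10'        # value expected from the external A record
$InternalDns = 'dc01.mydomain.com'   # internal DNS server holding the zone
$ExternalDns = '1.1.1.1'             # any public resolver, to see the external view

# Internal zone: A record for the SSO host itself, then CNAME sso -> srv-sso.
$hostRecord = Get-DnsServerResourceRecord -ZoneName $Zone -Name $SsoServer -RRType A `
    -ComputerName $InternalDns -ErrorAction SilentlyContinue
if (-not $hostRecord) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $SsoServer -IPv4Address $SsoLanIp -ComputerName $InternalDns
}
$aliasRecord = Get-DnsServerResourceRecord -ZoneName $Zone -Name $SsoLabel -RRType CName `
    -ComputerName $InternalDns -ErrorAction SilentlyContinue
if (-not $aliasRecord) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $SsoLabel -HostNameAlias "$SsoServer.$Zone" -ComputerName $InternalDns
}

# Verify both views. Internal clients must get the LAN address (no hairpin through
# the router); external clients must get the public IP that is port-forwarded to the host.
$fqdn = "$SsoLabel.$Zone"
$internal = (Resolve-DnsName -Name $fqdn -Type A -Server $InternalDns -DnsOnly | Where-Object Type -eq 'A').IPAddress
$external = (Resolve-DnsName -Name $fqdn -Type A -Server $ExternalDns -DnsOnly | Where-Object Type -eq 'A').IPAddress

"Internal view: $fqdn -> $internal $(if ($internal -eq $SsoLanIp) {'OK'} else {'UNEXPECTED'})"
"External view: $fqdn -> $external $(if ($external -eq $PublicIp) {'OK'} else {'UNEXPECTED (record missing or not yet propagated?)'})"

# From a network outside the company (e.g. a phone hotspot), confirm that the
# router's port-forward actually delivers 443 to the SSO host.
$reachable = Test-NetConnection -ComputerName $PublicIp -Port 443 -InformationLevel Quiet
"Public ${PublicIp}:443 reachable: $reachable"
```

The record creation needs DNS administration rights on the internal server; the two resolution checks can be run from any domain workstation. Keep the external record an A record pointing at the public address and the internal one a CNAME to the host, as the guide describes, so that a change of the server's LAN address only requires updating the host's own A record.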