Single Sign On (Sso) Settings - Distech Controls ECLYPSE APEX User Manual

The user profile cache is updated when the user authenticates themselves while there is a working RADIUS server
connection. For this reason, at a minimum, admin users should log in to each ECLYPSE controller at least once, so
their login can be cached on that controller. Otherwise, if there is a RADIUS server connectivity issue, and a user
who has never connected to the ECLYPSE controller before will be locked out from the controller. It is particularly
important for admin user credentials to be cached on each controller as an admin user can change the controller's
network connection parameters that may be at cause for the loss of connectivity to the RADIUS server.
The port values of 1812 for authentication and 1813 for accounting are RADIUS standard port num-
bers. However, other port numbers may be used. No matter which port numbers are used, make sure
that the port numbers are unused by other services on this controller and that both the RADIUS server
and the RADIUS clients use the same port number values. See also
Protocols.

Single Sign On (SSO) Settings

The Single Sign On (SSO) service allows a user to use one set of login credentials (e.g.username and
password) to access multiple ECLYPSE controllers that are on the same network. This provides a se-
cure centralized login method to authenticate users.
The basic functionality behind an SSO service with ECLYPSE controllers is the Client-Server architec-
ture where one controller is defined as the Server dedicated to authentication/authorization purposes
to access the Client controllers.
The SSO authenticates the user for all the controllers the user has been given rights to and eliminates
further login prompts when the user accesses other controllers within the same session.
The session ends if you close the web browser or you log out. It is recommended that you close your
web browser after logging out.
Figure 57: SSO Architecture
With the SSO service, you will be automatically redirected to the SSO server login page when you
navigate to a SSO client web page. Once you are authenticated by the server, you will be redirected to
the web page you requested on the client. If you requested the default page, you will be redirected to
your Welcome page instead.
Enter the Client IP
Redirected to the
address
login page of the
server IP address
(e.g.,192.168.0.22)
Figure 58: SSO Authentication Sequence
The Xpress Network Utility allows you to perform a range of operations on many controllers at once, so
we highly recommend that you use xpress Network Utility when configuring the SSO parameters for
your controllers.
The SSO requires HTTPS to function properly. HTTP cannot be enabled and will automatically be disabled when
SSO is activated.
See also Setting Up the SSO
ECLYPSE APEX
Login page
(Server IP address)
192.168.0.10)
(e.g.,
Functionality.
ECLYPSE Web Interface
IP Network Port Numbers and
Client IP
Welcome page
or specific URL
192.168.0.22)
(e.g.,
69