XTAM Federated Sign-In; Benefits and Configuration
XTAM provides a federated sign-in experience that can be deployed during or after installation. The benefits of the XTAM Federated Sign-In:
- A more easily recognizable enterprise web login page supporting single sign-on.
- Provides integration opportunities with many commonly used multi-factor authentication (MFA) and two-factor authentication (2FA) providers.
- Requires the use of a non-self-signed SSL certificate, ensuring web client connectivity is secured.
  - See this FAQ for Load Balancing with an SSL Certificate (Windows or Unix)
  - See this FAQ for Load Balancing for Debian or Ubuntu
  - See this FAQ for Load Balancing for Red Hat or CentOS
Prerequisite: Make sure a non-self-signed, well-known and trusted SSL certificate is deployed and working on your Windows or Unix host. During installation, you will define the URL that XTAM will use for web connectivity, and this connection needs to be secured with a trusted web certificate.
While we recommend using a trusted SSL certificate in all deployment scenarios, if you have a self-signed certificate, please see this FAQ article for configuration options.
To Deploy XTAM Federated Sign-In During Installation
1. During the installation, check the option to include the Federated Sign-In component in the wizard.
2. On the Federated Connection page, check the Enable SSO option and enter your secured URL into the Managed Path field.
3. Complete the XTAM installation as required.
4. When the installation is complete, the federated sign-in page will be available at the Managed Path entered in step 2 followed by /xtam.
To Deploy XTAM Federated Sign-In Post Installation
1. Download the XTAM Federated Sign-In component to your XTAM host machine (XTAM Federated Sign-In Download).
2. When the download is complete, unpack the downloaded archive and copy the cas.war file it contains to $XTAM_HOME/web/webapps.
3. Edit the file $XTAM_HOME/web/conf/catalina.properties and make the following modifications:
   a. Set the property cas.managed.path to XTAM’s managed path (secured URI), so it looks something like this: cas.managed.path=https://xtam.company.com:6443
   b. Set the property cas.server.name to XTAM’s managed path (secured URI), so it looks something like this: cas.server.name=https://xtam.company.com:6443
   c. Set the property cas.server.prefix to XTAM’s federated sign-in path (secured URI), so it looks something like this: cas.server.prefix=https://xtam.company.com:6443/cas
   Take note of the port (:6443) in the above example. If you are using a port other than the default 6443, update the value to reflect the port number being used. If you are using a reverse proxy on port 443, a possible working value is https://xtam.company.com
4. Download and then unpack the web archive located here.
5. Copy the web.xml file to $XTAM_HOME/web/webapps/xtam/WEB-INF, replacing the file that already exists. (Consider making a copy of the existing web.xml file in case of issues.)
6. Restart the PamManagement (Windows) or pammanager (Linux) service.
7. When the deployment is complete, the federated sign-in page will be available at the Managed Path entered in step 3a followed by /xtam.
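The steps above set cas.managed.path and cas.server.name to the same secured URL and cas.server.prefix to that URL followed by /cas, so a scheme, host or port mismatch between them is worth catching before the service restart. The check below is an added example, not part of XTAM or its documentation; the function names are hypothetical, the sample values are the ones used above, and it assumes the prefix is always the managed path plus /cas.

```python
from urllib.parse import urlsplit
REQUIRED = ("cas.managed.path", "cas.server.name", "cas.server.prefix")

# Constructed sample input; the values are the ones used in the steps above.
SAMPLE = """\
cas.managed.path=https://xtam.company.com:6443
cas.server.name=https://xtam.company.com:6443
cas.server.prefix=https://xtam.company.com:6443/cas
"""

def parse_properties(text):
    """Read single-line key=value pairs; continuation lines are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def origin(value):
    """(scheme, host, port) of a URL, treating a missing port as 443."""
    url = urlsplit(value)
    try:
        port = url.port or 443
    except ValueError:  # non-numeric or out-of-range port
        port = None
    return (url.scheme, url.hostname, port)

def check_cas_properties(props):
    """Return a list of problems; an empty list means the values agree."""
    missing = [k for k in REQUIRED if not props.get(k)]
    if missing:
        return [f"missing property: {k}" for k in missing]
    problems = []
    for key in REQUIRED:
        scheme, host, port = origin(props[key])
        if scheme != "https" or not host or port is None:
            problems.append(f"{key}: not a valid https:// URL")
    managed = origin(props["cas.managed.path"])
    if origin(props["cas.server.name"]) != managed:
        problems.append("cas.server.name: origin differs from cas.managed.path")
    prefix = props["cas.server.prefix"]
    if origin(prefix) != managed or urlsplit(prefix).path.rstrip("/") != "/cas":
        problems.append("cas.server.prefix: expected cas.managed.path + /cas")
    return problems

if __name__ == "__main__":
    print(check_cas_properties(parse_properties(SAMPLE)) or "OK")
```

To check a real deployment, pass the contents of $XTAM_HOME/web/conf/catalina.properties to parse_properties instead of SAMPLE.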