Overview

This section describes how to configure LN to allow Single Sign-On (SSO) with LN UI.

When an end user accesses LN through LN UI with SSO, LN UI and LN must complete several tasks before the end user can use the application:

  • LN UI obtains the end user's identity from the identity provider, such as Active Directory Federation Services, and requests a secure connection from the selected LN system.
  • LN validates the connection request and credentials, and runs the bshell on behalf of the end user.

The LN configuration required for this is the scope of this section; it covers connecting, mapping, (permission) checking, and impersonation.

  • Connecting means that the LN UI's request for the secure connection is acknowledged and that the data exchange between LN UI and LN can start.
  • Mapping is required because the identity provider may have identified the end user with an account name that is different from the LN account. In addition, the system account that will later be used to run the bshell must be derived.
  • Permission checking is required because the mapping information by itself is not sufficiently secured.
  • Impersonation concerns the system account that will run the bshell binaries on behalf of the end user.
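
The following is an added example that models the four steps above as one decision function; it is not LN's code or configuration format, and the mapping tables, the permission sets, the LN UI credential, and all account names in it are constructed for illustration. It shows why the permission check is a separate step: a mapping entry that points an application user at a system account which is not explicitly impersonatable is rejected even though the mapping itself resolves, and a generic system user is only granted to the application users assigned to it.

```python
"""Illustrative model of the SSO flow: connecting, mapping, permission checking
and impersonation. Added example, not Infor LN code; all data below is constructed."""
import hmac
from dataclasses import dataclass

# Constructed credential a trusted LN UI presents with its connection request.
# Assumption for the example only; LN's real connection credentials are not modelled.
EXPECTED_UI_CREDENTIAL = "example-ui-credential"

# Constructed mapping: SSO user (as asserted by the identity provider) -> application user.
SSO_TO_APPLICATION_USER = {
    "CORP\\j.doe": "jdoe",
    "CORP\\a.smith": "asmith",
    "CORP\\contractor1": "guest01",
    "CORP\\misconfigured": "ops",   # constructed bad entry, caught by the permission check
}
# Constructed mapping: application user -> system user that runs the bshell.
APPLICATION_TO_SYSTEM_USER = {
    "jdoe": "jdoe",
    "asmith": "asmith",
    "guest01": "lnguest",           # generic system user shared by several end users
    "ops": "root",                  # privileged account; never reachable via SSO below
}

# Constructed permission data: the mapping alone is not trusted.
IMPERSONATABLE_SYSTEM_USERS = {"jdoe", "asmith", "lnguest"}
# Generic system user -> application users that are allowed to run under it.
GENERIC_SYSTEM_USERS = {"lnguest": {"guest01"}}


@dataclass(frozen=True)
class Session:
    sso_user: str
    application_user: str
    system_user: str


class SsoError(Exception):
    """Raised when any of the four steps rejects the request."""


def resolve_session(sso_user: str, ui_credential: str) -> Session:
    # 1. Connecting: acknowledge only a request that carries the expected credential.
    if not hmac.compare_digest(ui_credential, EXPECTED_UI_CREDENTIAL):
        raise SsoError("connection request rejected: bad LN UI credential")

    # 2. Mapping: SSO user -> application user -> system user.
    application_user = SSO_TO_APPLICATION_USER.get(sso_user)
    if application_user is None:
        raise SsoError(f"no application user mapped for SSO user {sso_user!r}")
    system_user = APPLICATION_TO_SYSTEM_USER.get(application_user)
    if system_user is None:
        raise SsoError(f"no system user mapped for application user {application_user!r}")

    # 3. Permission checking: the derived system user must be explicitly impersonatable,
    #    and a generic system user may only be used by the application users assigned to it.
    if system_user not in IMPERSONATABLE_SYSTEM_USERS:
        raise SsoError(f"system user {system_user!r} may not be impersonated via SSO")
    members = GENERIC_SYSTEM_USERS.get(system_user)
    if members is not None and application_user not in members:
        raise SsoError(f"{application_user!r} may not run under generic user {system_user!r}")

    # 4. Impersonation: the caller would now start the bshell as system_user.
    return Session(sso_user, application_user, system_user)


def can_connect(sso_user: str, ui_credential: str) -> bool:
    """True when all four steps succeed for this SSO user."""
    try:
        resolve_session(sso_user, ui_credential)
        return True
    except SsoError:
        return False


if __name__ == "__main__":
    for user in SSO_TO_APPLICATION_USER:
        try:
            s = resolve_session(user, EXPECTED_UI_CREDENTIAL)
            print(f"{user}: bshell runs as {s.system_user} for application user {s.application_user}")
        except SsoError as err:
            print(f"{user}: denied ({err})")
```

Run as a script, the three regular entries resolve to their system users while the misconfigured entry is denied at step 3, not because the lookup failed but because the resulting system account is outside the impersonation allowlist.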

The LN configuration steps required to achieve this are described later. The configuration steps use these terms:

End User
The person using LN
Application User
An LN account for an end user
System User
The operating system account that runs the bshell on behalf of the end user
SSO User
The identification of the end user according to the identity provider
Generic System User
A non-personal operating system account that runs the bshell on behalf of multiple end users