Authentication Methods Overview
Contrail Service Orchestration supports single sign-on (SSO) authentication for the unified portal. You can configure one SSO server for a service provider and another for all its tenants.
You can authenticate and authorize users by using one of the following authentication methods:
Local—User accounts are maintained locally in CSO, and users are authenticated and authorized by CSO.
Authentication by using an SSO server—User accounts are maintained in the service provider’s SSO server, but authorization information is stored in CSO. Users are authenticated by using the credentials stored in the SSO server.
Authentication and authorization by using an SSO server—User accounts and user roles are maintained in the service provider’s SSO server. Users are authenticated by the SSO server and authorized by CSO by using Security Assertion Markup Language (SAML) attributes.
When you access the unified Administration and Customer Portal, the login page is displayed. To log in, enter the username on the login page. If the username matches the username pattern configured for SSO, you are redirected to the SSO page. If the username does not match the username pattern, you must enter the password.
For each SSO authentication method, a list of permitted roles must be provided to the SSO server. Only users with permitted roles in the SAML attribute are allowed to log in to CSO. Also, a mapping between the roles defined in CSO and the roles defined in the external SSO server (Identity Provider) must be provided. For more information, see Editing the Authentication Method.
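The username-pattern check and the role-based authorization described above can be sketched as follows. This is an added example, not CSO code: the pattern is assumed to be a regular expression, the role names and mapping are constructed values, and the SAML assertion is assumed to have been signature-validated before its role attribute reaches `authorize`.

```python
import re

# Constructed sample configuration (assumed values, not CSO defaults).
SSO_USERNAME_PATTERN = r"[A-Za-z0-9._-]+@corp\.example"  # assumed to be a regex
PERMITTED_IDP_ROLES = {"net-admins", "net-operators"}    # roles allowed to log in
IDP_TO_CSO_ROLE = {                                      # IdP role -> CSO role
    "net-admins": "tenant-admin",
    "net-operators": "tenant-operator",
}


def login_flow(username):
    """Return 'sso' if the username matches the SSO pattern, else 'password'."""
    # fullmatch anchors both ends, so a name that merely starts with a
    # matching string (e.g. 'x@corp.example.other.test') is not sent to SSO.
    if re.fullmatch(SSO_USERNAME_PATTERN, username):
        return "sso"
    return "password"


def authorize(saml_roles):
    """Map role values from a validated SAML assertion to CSO roles.

    Returns an empty set (login denied) when no permitted role is present.
    """
    granted = set()
    for role in saml_roles:
        role = role.strip()
        if role not in PERMITTED_IDP_ROLES:
            continue  # non-permitted roles grant nothing (exact, case-sensitive)
        cso_role = IDP_TO_CSO_ROLE.get(role)
        if cso_role is None:
            continue  # permitted but unmapped: fail closed
        granted.add(cso_role)
    return granted


def can_log_in(saml_roles):
    """A user may log in only if at least one CSO role was granted."""
    return bool(authorize(saml_roles))
```

Both decisions fail closed: a username that does not fully match the pattern falls back to the password flow, and a user whose SAML attribute carries no permitted, mapped role receives no CSO role and cannot log in.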