Configure Automated Sign-On for Host Access

Steps at a glance

  1. Be sure the prerequisites are met.
  2. Configure settings in the MSS Administrative Console.
  3. Configure the client to use Automated Sign-On.
  4. Assign access to the automated sign-on sessions.

Settings in the MSS Administrative Console

Click Automated Sign-On for Host Access. These settings enable MSS to obtain a time-limited, one-time password (OTP) for a user.

Host CA Certificates

To establish trust with the host, click Import and choose a CA certificate. The certificate must be in PEM format.

Because Automated Sign-On can be configured for multiple hosts, you can import more than one certificate. Each is listed with the Friendly Name, Expiration Date, and to whom it is Issued.

Application Configurations

Create automated sign-on settings for hosts and their applications.

A default configuration is provided that assigns an 8-character one-time password (OTP) with a 5-minute expiration to any application identifier (*). Hover over the Application ID field to quickly view the OTP's properties.

Adding a Configuration for Automated Sign-On

To add another OTP configuration, click +Add and enter the settings.
To change an existing configuration, check the box next to the Configuration Name, click Edit, make your changes, and click OK.

Configuration Name

User-defined name of the configuration.

URL of authorization server

Optional.

In the URL of Authorization Server field, specify a REST endpoint to which the ASO service delegates the authorization of each one-time password (OTP) request. The REST endpoint must return:

  • HTTP OK status if the user is permitted to receive an OTP for the specified application ID.

  • HTTP FORBIDDEN status if an OTP is denied.

The REST endpoint can also override the OTP value. In this case, it should return an HTTP OK status along with a JSON response containing the original or modified OTP, formatted as: {"otp": "ORIGINAL_OR_MODIFIED_OTP"}

Note

If an Authorization Server URL is provided, the Host CA certificate must be added to Trusted Certificates. See Certificate Store - Management and Security Server.

One-time password rules

Enter the one-time password rules for each Application ID. At least one password rule is required.

  • Application ID. A name for this Application ID, or an asterisk * to denote any Application ID.
  • Password Length (number of characters). Minimum: 4, Maximum: 256
  • Password Expiration (minutes)
  • Password Prefix (optional)
  • Password Suffix (optional)
  • Reusable. Check this box to enable the client emulator to re-use the OTP within the validity period.
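The following is an added example, not part of the MSS documentation or product code, that models both the authorization-server contract described above (HTTP OK or HTTP FORBIDDEN, with an optional {"otp": ...} override) and the one-time password rules table, including the default 8-character, 5-minute, wildcard rule. The request field names (user, appId, otp), the permitted-user table, the OTP alphabet, and the assumption that Password Length counts only the random part between the prefix and suffix are constructed for illustration.

```python
import json
import secrets
import string
from dataclasses import dataclass

HTTP_OK, HTTP_FORBIDDEN = 200, 403


@dataclass(frozen=True)
class OtpRule:
    """One row of the 'One-time password rules' table."""
    app_id: str               # exact Application ID, or "*" for any
    length: int               # random characters (4..256), prefix/suffix excluded (assumption)
    expiration_min: int       # validity period in minutes
    prefix: str = ""
    suffix: str = ""
    reusable: bool = False    # client may reuse the OTP within the validity period


DEFAULT_RULE = OtpRule("*", 8, 5)   # the default configuration described on this page


def pick_rule(rules, app_id):
    """An exact Application ID match wins; the asterisk rule is the fallback."""
    exact = [r for r in rules if r.app_id == app_id]
    if exact:
        return exact[0]
    wild = [r for r in rules if r.app_id == "*"]
    if wild:
        return wild[0]
    raise LookupError(f"no OTP rule configured for application {app_id!r}")


def issue_otp(rule, now):
    """Generate an OTP under the rule; return (otp, expiry as epoch seconds)."""
    if not 4 <= rule.length <= 256:
        raise ValueError("Password Length must be between 4 and 256")
    alphabet = string.ascii_letters + string.digits      # constructed alphabet
    body = "".join(secrets.choice(alphabet) for _ in range(rule.length))
    return rule.prefix + body + rule.suffix, now + rule.expiration_min * 60


def authorize(request, permitted, override=None):
    """Authorization-server decision as (status, body).
    request: assumed dict {"user", "appId", "otp"};
    permitted: appId -> set of users allowed an OTP for that application;
    override: optional (user, appId) -> replacement OTP returned to MSS."""
    user, app_id = request.get("user"), request.get("appId")
    if user is None or app_id is None or user not in permitted.get(app_id, set()):
        return HTTP_FORBIDDEN, None                      # OTP denied
    otp = request.get("otp")
    if override and (user, app_id) in override:
        otp = override[(user, app_id)]                   # endpoint overrides the OTP value
    return HTTP_OK, json.dumps({"otp": otp})             # original or modified OTP
```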

Next step