Single Sign-On Overview
Federated User Authentication enables organizations to use their own Identity Provider (IdP) as the source that verifies a user's identity and authenticates the user before they are permitted to select a remote workstation. Once the desired workstation is selected, the user does not need to authenticate again and connects directly to the remote workstation.
Federated Authentication with Single Sign-On (SSO)
This release of Single Sign-On is experimental and subject to change. However, your feedback on the configuration method and on the operation of Single Sign-On itself is highly valuable to its continued development.
This feature has been tested against Okta and ADFS. In most IdPs, the relevant settings use terms like:
- Creating an App Integration
- OAuth2, OIDC, or OpenID Connect sign-in method
- Native Application as the application type
- Authorization Code as the grant type
- Redirect URL: pcoip://oauth/
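The IdP settings listed above can be checked before rollout. The following is an added example, not part of the product documentation or HP's code: it compares an IdP's OIDC discovery document and an app integration's settings against the grant type, application type, and redirect URL named above. The field names are assumed to follow OIDC discovery and client-registration metadata (your IdP's export format may differ), and the sample data, including idp.example.test, is constructed.

```python
from urllib.parse import urlsplit
REQUIRED_REDIRECT = "pcoip://oauth/"    # redirect URL given on this page
REQUIRED_GRANT = "authorization_code"   # grant type given on this page

def _is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)

def check_idp(discovery, client):
    """Check OIDC discovery metadata and client settings; return a list of findings."""
    findings = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not _is_https(discovery.get(key)):
            findings.append(f"discovery: {key} missing or not https")
    # RFC 8414 default when grant_types_supported is omitted.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if REQUIRED_GRANT not in grants:
        findings.append("discovery: authorization_code grant not advertised")
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("discovery: response type 'code' not advertised")
    # App integration side (assumed OIDC client-registration field names).
    if client.get("application_type") != "native":
        findings.append("client: application_type is not 'native'")
    client_grants = client.get("grant_types", [])
    if REQUIRED_GRANT not in client_grants:
        findings.append("client: authorization_code grant not enabled")
    findings += [f"client: grant '{g}' enabled but not among the listed settings"
                 for g in ("implicit", "password") if g in client_grants]
    uris = client.get("redirect_uris", [])
    if REQUIRED_REDIRECT not in uris:
        # IdPs commonly match redirect URIs as exact strings, so report near misses.
        near = [u for u in uris if u.lower().rstrip("/") == REQUIRED_REDIRECT.rstrip("/")]
        findings.append(f"client: redirect URI {REQUIRED_REDIRECT!r} not registered; near misses: {near}")
    return findings

# Constructed sample data; idp.example.test is a placeholder issuer.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}
GOOD_CLIENT = {"application_type": "native", "grant_types": ["authorization_code"],
               "redirect_uris": ["pcoip://oauth/"]}
BAD_CLIENT = {**GOOD_CLIENT, "application_type": "web", "redirect_uris": ["pcoip://oauth"]}

if __name__ == "__main__":
    print(check_idp(SAMPLE_DISCOVERY, BAD_CLIENT))
```

An empty list means the settings match; the constructed BAD_CLIENT shows how a redirect URL registered without its trailing slash is reported as a near miss.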
To use the Federated Authentication Functionality, you must meet the following criteria:
- Access to Anyware Manager as a Service
- HP PCoIP Client version 23.01.0 or later
- HP PCoIP Windows Agent 23.01.0 or later (SSO is not supported on Linux or macOS in 23.01)
- An Identity Provider that supports OAuth2
- Ubuntu Connector v147 or later with access to an Identity Provider
Post Configuration User Workflow
After completing the Federated Authentication configuration, the user workflow is as follows:
- The user opens the PCoIP Client and selects a Connector or a broker from the list of connections.
- The default web browser opens to a login page for the respective Identity Provider for user authentication.
- The PCoIP Client requests another layer of user authentication to display the list of available remote workstations.
- The PCoIP Client presents the user with their list of desktops or pools to select from.
- The user will enter their PCoIP session with their remote desktop.
- The PCoIP Session is initiated with the remote desktop.
SSO for Anyware Manager
Single Sign-On supports alternative credentials. Should the PCoIP Agent not support Federated User Authentication, the user is prompted to enter a username and password. Single Sign-On is not publicly available, and we anticipate that the configuration method will change significantly in future versions.