Single Sign-On Overview
Federated User Authentication with Single Sign-On enables organizations to use their own Identity Provider (IDP) as the source of truth for verifying a user's identity and authenticating them before they are permitted to select a remote workstation. Once the desired workstation is selected, the user connects to it directly without authenticating again.
This has been tested against Okta and ADFS. In most IDPs, the relevant settings use terms like:
- Creating an App Integration
- OAuth 2.0 / OIDC (OpenID Connect) as the sign-in method
- Native Application as the application type
- Authorization Code as the grant type
- pcoip://oauth/ as the redirect URI
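The settings above describe a public (native) OAuth 2.0 client that receives its authorization code on a custom-scheme redirect. The following is an added example, not HP/Teradici code, showing what the client side of that exchange has to do and check: build the authorize request, then validate the `pcoip://oauth/` redirect (scheme, path, `state`, IdP error) before trusting the code it carries. The issuer URL, `client_id`, scopes and endpoint path are placeholders, and the use of PKCE is an assumption about the IdP (standard for native apps, but not something this page states).

```python
"""Authorization-code flow for a native client with a pcoip://oauth/ redirect.

Added example (not HP/Teradici code). ISSUER, CLIENT_ID, scopes and the
authorize endpoint path are placeholders; PKCE (RFC 7636) is assumed to be
supported by the IdP.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

REDIRECT_URI = "pcoip://oauth/"          # exactly as registered with the IdP
ISSUER = "https://idp.example.com"       # placeholder issuer
CLIENT_ID = "0oa-example-client-id"      # placeholder public client id


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method.

    A native app has no client secret; the verifier is what proves that the
    client redeeming the code is the one that started the flow.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(state, code_challenge):
    """Authorize request for the Authorization Code grant (placeholder path)."""
    params = {
        "response_type": "code",          # authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                   # bound to this login attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth2/v1/authorize?" + urlencode(params)


def parse_redirect(redirect, expected_state):
    """Validate the redirect handed to the client and return the code.

    Raises ValueError when the URI is not the registered pcoip://oauth/,
    when the IdP returned an error, or when state is missing or does not
    match, so the client never exchanges a code it did not request.
    """
    u = urlparse(redirect)
    if u.scheme != "pcoip" or u.netloc != "oauth" or u.path not in ("", "/"):
        raise ValueError("redirect does not match registered pcoip://oauth/ URI")
    q = parse_qs(u.query)
    if "error" in q:
        raise ValueError(f"IdP returned error: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF or stale login)")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def build_token_request(code, code_verifier):
    """Form body for the token endpoint: the code plus the PKCE verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(state, challenge))
    # Constructed redirect, as the browser would hand it to the client:
    sample = f"pcoip://oauth/?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_redirect(sample, state)
    print(build_token_request(code, verifier))
```

The `state` and `redirect_uri` checks are the part worth keeping in mind when registering the app: an IdP that accepts a loosely matched redirect URI, or a client that skips the `state` comparison, lets a code issued for one login attempt be injected into another.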
To use the Federated Authentication Functionality, you must meet the following criteria:
- Access to Anyware Manager as a Service
- HP PCoIP Client version 23.01.0 or later
- HP PCoIP Windows Agent 23.01.0 or later (SSO is not supported on Linux or macOS agents in 23.01)
- An Identity Provider that supports OAuth2
- Ubuntu Connector v147 or later with access to an Identity Provider
- Anyware Connector-RHEL/Rocky Linux 23.06 or later
Post-Configuration User Workflow
After Federated Authentication is configured, the user workflow is as follows:
- The user opens the PCoIP Client and selects a Connector or a broker from the list of connections.
- The default web browser opens the login page of the configured Identity Provider, where the user authenticates.
- The PCoIP Client requests a second layer of user authentication before it displays the list of available remote workstations.
- The PCoIP Client presents the user with their list of desktops or pools to select from.
- The user selects their remote desktop.
- The PCoIP session is initiated with that remote desktop.
Configuring IDP for Single Sign-On
Before you start preparing for Single Sign-On, configure an IDP to enable Federated Authentication. We recommend Okta or Azure Active Directory as your identity provider.
SSO for Anyware Manager
Single Sign-On supports an alternative credential: if the PCoIP Agent does not support Federated User Authentication, the user is prompted to enter a username and password instead. Single Sign-On is not yet publicly available, and we anticipate that the configuration method will change significantly in a future version.