.. _sso-ubintis-passni:

UbintisLab PassNI SSO
=================================================

This guide describes how to configure the integration between UbintisLab PassNI SSO, an integrated authentication security platform (SSO), and Genian NAC, a network access control system.

Overview
-------------------------------------------------

When Pass-Ni integration is configured with Genian NAC, the general operating process consists of Pass-Ni login > Genian NAC login.

Before integration between the Genian NAC and Pass-Ni products, users needed a separate login process for Genian NAC when accessing the internal network after Pass-Ni login. When integration is configured, users are automatically logged into Genian NAC simply by logging into Pass-Ni.

**Recommended Versions**

.. csv-table::
   :header: "Product Name (Component)", "Version", "Notes"
   :widths: 30 30 40

   "Genian NAC (Policy Server)", "V5.0 or higher", "Release version after 2019.03"
   "Genian NAC (Agent)", "V5.0.17 or higher", "Release version after 2019.03"
   "Pass-NI", "4.0 or higher", "Release version after 2019.03"

Purpose of Integration
-------------------------------------------------

The integration of Genian NAC and UbintisLab's Pass-Ni provides the following effects.

**SSO Environment Provision**

- The Genian NAC agent is configured to use Pass-Ni's authentication information. It checks user authentication status with the Pass-Ni server so that authenticated users can use the network without additional Genian NAC authentication.

**Automatic Connection to Network Blocking Reason and Guide Page for Unauthenticated Pass-Ni Users**

- Genian NAC informs unauthenticated Pass-Ni users of the reason for network blocking and provides a guide page on how to take action for normal network usage. (The form of the guide page may differ when integrating with Saeol System, etc.)

Prerequisites
-------------------------------------------------

**Prepare Genian NAC Agent Plugin for Integration**

Genian NAC uses a specially developed Genian NAC agent plugin to implement the user authentication integration that provides SSO with Pass-Ni. The plugin information is as follows:

.. csv-table::
   :header: "Genian NAC Agent Plugin File Name", "Notes"
   :widths: 50 50

   "NAC-C_PassNiSSO-R-89967-1.1.8.gpf (detailed version may vary)", "Genian NAC Agent V5.0 or higher (release version after 2020.08)"

**Issuing License Key and API Calling Tool for Pass-Ni SSO User Endpoints**

1. API calling tool for retrieving user information on Pass-Ni user endpoints (distributed in the form of **SSO-CS-API-getUserInfo.zip** or similar)
2. License key for using the Pass-Ni SSO integration library (each institution's Pass-Ni provides a separate license key, such as *3130312XXXXE352XXXX3*)

Genian NAC Configuration for Integration
-------------------------------------------------

This section covers only the minimum necessary Genian NAC settings for integration with Pass-Ni. Perform this operation only once; it will be automatically applied thereafter.

**Step 1: Upload Agent Plugin for Integration**

1) In the Genian NAC Web Console, go to the **System > Update > Genian Software > Agent Plugin** menu.
2) Click **Tasks > Upload Plugins > Select File** and select the **NAC-C_PassNiSSO-R-89967-1.1.8.gpf** plugin to upload.
3) Click the **Upload** button.

**Step 2: Agent Plugin Configuration**

1) In the Genian NAC Web Console, go to the **Policy > Node Policy > Agent Action** menu.
2) Click the **PassNi Alternative Authentication** plugin.
3) In **Action Execution Settings**, enter the setting values as follows:

.. csv-table::
   :header: "Configuration Item", "Setting Value", "Notes"
   :widths: 15 30 55

   "License Key", "*3130312XXXXE352XXXX3* (example input value)", "Enter the key provided by each institution for using the authentication integration library"
   "Integration Scope", "Select from ``Login``, ``Login/Logout``", "Refer to the **Login/Logout** option description below"

.. note:: **Login/Logout Options**

   1) With the ``Login/Logout`` option, Genian NAC continuously verifies authentication status with Pass-Ni after login. If the user is logged out from Pass-Ni, Genian NAC processes a logout.
   2) With the ``Login`` option, Genian NAC does not share further login information with Pass-Ni after the initial SSO login and follows Genian NAC's authentication renewal cycle.

**Step 3: Configure Node Policy for Integration Function Application**

The following procedure creates a policy that uses the Genian NAC agent plugin to confirm normal authentication communication between the user PC and the server, verify the user's authentication status, and then allow network access.

1) In the Genian NAC Web Console, go to the **Policy > Node Policy** menu.
2) Click the **Node Policy** containing the **node group** (e.g., all nodes) to which user authentication integration will be applied. (If applying to a specific group only, create and use a separate node group.)
3) Go to **Advanced > Authentication Policy > Single Sign-On Method** and select **External API** from the select box.
4) Go to **Agent Action** at the bottom and click the **Assign** button.
5) Move the **PassNi Alternative Authentication** node action to the right and click the **Add** button.
6) Click the **Update** button at the bottom.
7) Click the **Apply Change Policy** button at the top right to apply the policy.