.. _sso-ksign-ksignaccess:

KSign KSignAccess
============================================================

This guide describes how to configure the integration between KSignAccess from KSign, an integrated authentication security platform (SSO), and Genian NAC, a network access control system.

Overview
---------------------------------------------------

Before the integration of Genian NAC and KSignAccess, users had the inconvenience of performing user authentication separately for each product. However, **after integration, SSO is implemented between the two products, so when a user performs user authentication for KSignAccess, user authentication is automatically processed in Genian NAC.**

The Genian NAC agent plugin decrypts the encrypted authentication token values on the user's PC using a separate program provided by KSign. After verifying the user's authentication status, it allows network use in a normal authenticated state.

Through this process, users can log in to both products with a single login.

**Recommended Versions**

.. csv-table::
   :header: "Product Name (Component)", "Version", "Notes"
   :widths: 30 30 40

   "Genian NAC (Policy Server)", "V5.0 or higher", "Release version after 2019.03"
   "Genian NAC (Agent)", "V5.0 or higher", "Release version after 2020.07"
   "KSignAccess", "V4.0 or higher", "Release version after 2020.06"

Purpose of Integration
---------------------------------------------------

The integration of Genian NAC and KSign KSignAccess provides the following effects.

**SSO Environment Provision**

- The user first authenticates in KSignAccess, and Genian NAC user authentication is then performed automatically through the Genian NAC agent plugin integration. Genian NAC substitutes KSignAccess's user authentication status for its own user authentication, thereby configuring an SSO environment.

**Automatic Connection to Network Blocking Reason and Guide Page for Unauthenticated KSignAccess Users**

- Genian NAC informs unauthenticated KSignAccess users of the reason for network blocking and provides a guide page on how to take action for normal network usage.

Prerequisites
---------------------------------------------------

**Prepare Genian NAC Agent Plugin for Integration**

Genian NAC uses a specially developed Genian NAC agent plugin to implement the user authentication integration that provides SSO with KSignAccess. The plugin information is as follows:

.. csv-table::
   :header: "Genian NAC Agent Plugin File Name", "Notes"
   :widths: 50 50

   "NAC-C_KsignSSO-R-89872-1.1.8.gpf (detailed version may vary)", "Genian NAC Agent V5.0 or higher (Release version after 2020.07)"

Genian NAC Configuration for Integration
---------------------------------------------------

This section covers only the minimum Genian NAC settings necessary for integration with KSignAccess. Perform this operation only once; it will be automatically applied thereafter.

**Step 1: Upload Agent Plugin for Integration**

1) In the Genian NAC Web Console, go to the **System > Update > Genian Software > Agent Plugin** menu.
2) Click the **Tasks > Upload Plugins > Select File** button and select the **NAC-C_KsignSSO-R-89872-1.1.8.gpf** plugin to upload.
3) Click the **Upload** button.

**Step 2: Agent Plugin Configuration**

1) In the Genian NAC Web Console, go to the **Policy > Node Policy > Agent Action** menu.
2) Click the **KSign Alternative Authentication** plugin.
3) In **Action Execution Settings**, enter the setting values as follows:

.. csv-table::
   :header: "Configuration Item", "Setting Value", "Notes"
   :widths: 15 30 55

   "Integration Scope", "Select from ``Login``, ``Login/Logout``", "With the ``Login/Logout`` option, Genian NAC continuously verifies authentication status with KSignAccess after login. If the user is logged out of KSignAccess, Genian NAC processes the logout as well."
   "", "", "With the ``Login`` option, after the initial SSO login Genian NAC does not share login information with KSignAccess any further and follows Genian NAC's own authentication renewal cycle."

**Step 3: Configure Node Policy for Integration Function Application**

The following process creates a policy that allows network access once the Genian NAC agent plugin has confirmed normal communication between the user's PC and the authentication server and has confirmed user authentication.

1) In the Genian NAC Web Console, go to the **Policy > Node Policy** menu.
2) Click the **Node Policy** containing the **node group** (e.g., all nodes) to which user authentication integration will be applied. (If applying to a specific group only, create and use a separate node group.)
3) Go to **Advanced > Authentication Policy > Single Sign-On Method** and select **External API** from the select box.
4) Go to **Agent Action** at the bottom and click the **Assign** button.
5) Move the **KSign Alternative Authentication** node action to the right and click the **Add** button.
6) Click the **Update** button at the bottom.
7) Click the **Apply Change Policy** button at the top right to apply the policy.