HP Integrated Lights-Out Security, 7th edition

Single Sign-On
iLO v1.90, iLO 2 and iLO 3 support Systems Insight Manager (SIM) Single Sign-On (SSO). SIM SSO allows direct access to iLO through HP SIM without requiring an extra iLO login step. The user's HP SIM role determines the user's iLO rights. iLO 2 trusts SIM and the users that SIM has authenticated. The SIM SSO implementation uses a trusted-certificate model: iLO trusts the SIM certificate and on that basis accepts users authenticated from within the SIM framework.
Adding the BladeSystem Integrated Manager 2.4 or later provides SSO capability for iLO processors
in server blades.
SIM SSO gives you the following capabilities:
- Importing one or more SIM certificates
- Importing a certificate automatically to ease initial setup
- Importing an SSO certificate manually
- Mapping SIM roles to iLO user privileges
- Redirecting to the SIM console for SSO
- Modifying the iLO login process to support automatic login from supported SIM SSO redirections
Figure 11 illustrates the authentication process from within the SIM framework:
1. The user logs in to the HP Systems Insight Manager Central Management Server.
2. The user follows a link in HP SIM. This link initiates the SSO connection.
3. iLO generates a timed, one-time secret to prevent replay attacks.
4. HP SIM builds a signed link that includes the resource, the secret, the user, and the HP SIM source.
5. The client browser redirects to the link at the iLO processor.
6. iLO validates the request based on the request contents, the iLO configuration, the secret, and the HP SIM source. Authenticated requests receive the resource.
SIM SSO does not affect local iLO users. SSO trust is configured on iLO, which can determine SSO status by server name, by certificate, or by both; HP recommends using certificates. Certificates must be imported into iLO. Storage space for certificates is limited, so once the buffer fills, new records replace the oldest certificate data.
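The following Go program is an added illustration of the six-step flow above and of the bounded certificate buffer; it is not HP's code and does not reproduce the iLO or SIM implementation. It models the SIM side (sign a link carrying resource, secret, user and SIM source) and the iLO side (issue a timed one-time secret, check the SIM source against the trust store, verify the signature, consume the secret so a captured link cannot be replayed, and map the SIM role to an iLO privilege). Assumptions of this example: Ed25519 public keys stand in for imported SIM certificates, the link carries a Role field, the RoleMap privilege names are invented, and "sim01" style names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// TrustStore models iLO's bounded certificate buffer: when it is full, a new import
// replaces the oldest record. Ed25519 public keys stand in for SIM certificates (an assumption).
type TrustStore struct {
	capacity int
	names    []string // insertion order, oldest first
	keys     map[string]ed25519.PublicKey
}

func NewTrustStore(capacity int) *TrustStore {
	return &TrustStore{capacity: capacity, keys: map[string]ed25519.PublicKey{}}
}

// Import adds or refreshes a SIM's key, evicting the oldest record when the buffer is full.
func (ts *TrustStore) Import(simName string, pk ed25519.PublicKey) {
	if _, exists := ts.keys[simName]; !exists {
		if len(ts.names) == ts.capacity {
			delete(ts.keys, ts.names[0])
			ts.names = ts.names[1:]
		}
		ts.names = append(ts.names, simName)
	}
	ts.keys[simName] = pk
}

func (ts *TrustStore) Lookup(simName string) (ed25519.PublicKey, bool) {
	pk, ok := ts.keys[simName]
	return pk, ok
}

// RoleMap is an assumed iLO configuration mapping SIM roles to iLO privileges (names invented).
var RoleMap = map[string]string{"Administrator": "administer-ilo", "Operator": "remote-console", "User": "login-only"}

// SSORequest carries the fields of the signed link (steps 4 and 5); Role is an assumption of this example.
type SSORequest struct {
	Resource, Secret, User, Role, SIMName string
	Signature                             []byte
}

func signingInput(r SSORequest) []byte {
	return []byte(r.Resource + "\n" + r.Secret + "\n" + r.User + "\n" + r.Role + "\n" + r.SIMName)
}

// BuildSignedLink is the SIM side (step 4): sign the link fields with the SIM's private key.
func BuildSignedLink(priv ed25519.PrivateKey, simName, resource, secret, user, role string) SSORequest {
	r := SSORequest{Resource: resource, Secret: secret, User: user, Role: role, SIMName: simName}
	r.Signature = ed25519.Sign(priv, signingInput(r))
	return r
}

// ILO is the verifier side: it issues timed one-time secrets and validates links.
type ILO struct {
	Trust   *TrustStore
	TTL     time.Duration
	Now     func() time.Time     // injectable clock so expiry can be exercised
	secrets map[string]time.Time // outstanding secret -> expiry
}

func NewILO(trust *TrustStore, ttl time.Duration, now func() time.Time) *ILO {
	return &ILO{Trust: trust, TTL: ttl, Now: now, secrets: map[string]time.Time{}}
}

// IssueSecret is step 3: a random, timed, single-use value that binds one SSO attempt to one redirect.
func (i *ILO) IssueSecret() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	s := hex.EncodeToString(b)
	i.secrets[s] = i.Now().Add(i.TTL)
	return s
}

// Validate is step 6: check SIM source and signature, then secret freshness and single use,
// then map the SIM role to the iLO privilege it returns.
func (i *ILO) Validate(r SSORequest) (string, error) {
	pk, ok := i.Trust.Lookup(r.SIMName)
	if !ok || !ed25519.Verify(pk, signingInput(r), r.Signature) {
		return "", errors.New("SIM source untrusted or signature does not verify")
	}
	exp, ok := i.secrets[r.Secret]
	delete(i.secrets, r.Secret) // consume it either way: one redirect per secret
	if !ok || i.Now().After(exp) {
		return "", errors.New("secret unknown, already used, or expired")
	}
	priv, ok := RoleMap[r.Role]
	if !ok {
		return "", errors.New("SIM role has no iLO privilege mapping")
	}
	return priv, nil
}
```

The order of checks matters for the defender: the signature is verified before the secret is consumed, so an unsigned or forged request cannot burn a legitimate user's outstanding secret, and the secret is consumed before the expiry comparison, so neither a replayed nor a late link can be retried.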