Kaspersky Industrial CyberSecurity for Networks

Scenario for Single Sign-On (SSO) technology usage preparations

March 22, 2024

ID 222860

When working in combination with Kaspersky Security Center, you can use Single Sign-On (SSO) technology. This enables users who are already logged in to the Kaspersky Security Center Web Console to also complete authentication when connecting to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface. This means that any user accounts that are allowed to work with the Kaspersky Security Center Web Console (including Active Directory users) can connect to the Server using their own account credentials.

Single Sign-On technology is available for use with Kaspersky Industrial CyberSecurity for Networks in the compatible versions of Kaspersky Security Center:

The Single Sign-On (SSO) technology usage preparations scenario consists of the following steps:

  1. Verifying and fulfilling the required conditions for interaction between Kaspersky Industrial CyberSecurity for Networks and Kaspersky Security Center

    At this step, you need to verify that all conditions for interaction between Kaspersky Industrial CyberSecurity for Networks and Kaspersky Security Center are fulfilled. If any condition is not fulfilled, take the steps needed to fulfill it. For example, if the functionality for interacting with Kaspersky Security Center is not configured in Kaspersky Industrial CyberSecurity for Networks, enable and configure this functionality.

  2. Enabling and configuring the Kaspersky Security Center Web Console Identity and Access Manager (IAM) component

    At this step, the scenario for enabling Identity and Access Manager is executed as described in the Kaspersky Security Center Help System.

    When configuring the IAM component, it is recommended to specify the DNS name of the computer as the network name of the device only if the computer is accessible by this name from the Kaspersky Industrial CyberSecurity for Networks Server computer. If it is accessible only by IP address, specify this IP address instead of the DNS name.

  3. Registering the Kaspersky Industrial CyberSecurity for Networks Server as a client for the IAM component

    At this step, the IAM component detects Kaspersky Industrial CyberSecurity for Networks Servers that are prepared for registration as clients for this component. You need to accept the request for Server registration after it is detected. Detected and registered clients of the IAM component are displayed in a table that you can open in the Kaspersky Security Center Web Console under Console settings → Integration → Identity and Access Manager. To register Servers, open the table by clicking the Settings link in the section containing information about registered clients, select the check boxes next to the relevant Servers, and click Approve.

    After you have confirmed registration of the IAM component client, you need to wait for the preparation process to finish. When synchronization between the IAM component and the client is completed, the ready status will be displayed for this client. If the status has not changed, click the Update button.

    The IAM component needs some time to detect clients and synchronize with them. Depending on the workload of the Kaspersky Security Center Administration Server and the Kaspersky Industrial CyberSecurity for Networks Server, it may take up to 15 minutes to complete these actions.

  4. Preparing users with access permissions for connecting to Kaspersky Industrial CyberSecurity for Networks

    At this step, you need to grant access permissions to Kaspersky Security Center users corresponding to the Administrator and Operator roles of Kaspersky Industrial CyberSecurity for Networks. For this purpose, you can use existing user accounts or new accounts of users and groups that were created specifically for granting only these permissions.
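
An added example, not part of the Kaspersky documentation: a pre-check for the recommendation in step 2, run on the Kaspersky Industrial CyberSecurity for Networks Server computer, that selects the DNS name only if it resolves there to the address at which the IAM computer is known to be reachable. The function names, `ksc.example.test` and `192.0.2.10` are constructed for illustration; the check covers name resolution only, not connectivity to the IAM service.

```python
import ipaddress
import socket


def resolve(name):
    """Addresses the local resolver returns for name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def choose_network_name(dns_name, known_ip, resolver=resolve):
    """Decide what to enter as the network name in the IAM settings.

    Run on the Kaspersky Industrial CyberSecurity for Networks Server computer.
    dns_name -- DNS name of the computer hosting the IAM component
    known_ip -- address at which that computer is known to be reachable
    Returns (value_to_enter, reason).
    """
    expected = ipaddress.ip_address(known_ip)
    resolved = set()
    for addr in resolver(dns_name):
        # Drop an IPv6 zone id ("fe80::1%eth0") before normalising.
        resolved.add(ipaddress.ip_address(addr.split("%", 1)[0]))
    if not resolved:
        return known_ip, "name does not resolve from this computer"
    if expected not in resolved:
        # A stale or split-horizon record would send the Server elsewhere.
        seen = ", ".join(sorted(str(a) for a in resolved))
        return known_ip, f"name resolves to {seen}, not {known_ip}"
    return dns_name, "name resolves to the expected address"


if __name__ == "__main__":
    # Constructed sample values; replace with the real name and address.
    value, reason = choose_network_name("ksc.example.test", "192.0.2.10")
    print(f"enter {value!r} as the network name ({reason})")
```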

When this scenario is complete, it is possible to connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the account credentials of Kaspersky Security Center users. To do so, use the Kaspersky Security Center user button on the account credentials input page of the Kaspersky Industrial CyberSecurity for Networks web interface.

If a fully qualified domain name (FQDN) was specified for the web server and the REST API server when configuring the connection settings using Kaspersky Security Center Web Console, then when connecting to the Kaspersky Industrial CyberSecurity for Networks Server using single sign-on technology, the user must also specify this name in the address bar of the browser.
