Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Security and Encryption Reference
  3. User Identity and Access Management
  4. User authentication via single sign-on (SSO)
IT Analytics Security and Encryption Reference

User authentication via single sign-on (SSO)

IT Analytics supports Single Sign On (SSO) for a standard unified login. User authentication is performed through an external Identity Management Server allowing for an increased level of security for user passwords and identity details. Hence, Single Sign-on requires SSL-enabled IT Analytics Portal, an external Identity Provider (IDP), and an external LDAP directory.

Single sign-on (SSO) prerequisites
  • IT AnalyticsPortal must be SSL enabled (https protocol) using SSL certificates with the following properties:

    • Signature algorithm name: SHA256 with RSA

    • Subject public key algorithm: 2048-bit RSA key

  • An external Identity Provider (IDP) that supports SAML 2.0

  • SSL certificate must be added to the Portal Keystore using the Keystore Utility (deployCert)

Set up external identity provider (IDP) server

For the IDP to communicate with the IT Analytics Portal, an LDAP directory is configured on the external server for user management. Certain attributes must be populated for each user will log in to the Portal. Users must also belong to at least one group.

Users and groups in the external LDAP directory

Set the following attributes for each user in the external LDAP directory. For each attribute, the properties name and friendlyName must be present and have values populated. These attributes must be exposed by both the external LDAP directory and the IDP server. The names of attributes are as follows:

  • displayName: <first_name> <last_name> For example Jane Smith

  • email: email address

  • mobile: cell phone or mobile number

  • telephoneNumber: work phone or home phone number

  • sAMAccountName: the unique user name that is used as a login

  • memberOf: List of group names to which the user belongs.

    Note:

    The attribute memberOf requires customization for a Microsoft Azure IDP. It is recommended to set Groups Assigned to the application instead of All groups or Security groups for "memberOf" attribute. Click here for more details.

Before using SSO to log into the Portal, an external user must belong to one external directory group that also exists as a User Group in the IT Analytics Portal. If the setup criteria is met, when the user logs into the Portal for the first time, the user's profile is synchronized from the external directory. The user also inherits all privileges assigned to the User Group.

Registration with the IDP server

The registration process occurs by exchanging metadata XML files between the IT Analytics Portal and the IDP server. On the Portal side, once SSO is configured and the Portal Tomcat service restarted, you can download the metadata XML file and provide it to the IDP server. This file contains the SSL certificate and identifies the IT Analytics as a service provider for SSO. A similar metadata XML file must be downloaded from the IDP server and provided to the Portal.

See the Configure single sign-on (SSO) using security assertion markup language (SAML) in IT Analytics System Administration guide.

Feedback

Was this page helpful?
Previous

Domains

Next

AD/LDAP Configuration

Feedback

Was this page helpful?