SSO Guidelines for the Firewall Management Center

Keep the following in mind when you configure a Firewall Management Center to be a member of an SSO federation:

  • The Firewall Management Center can support SSO with only one SSO provider at a time—you cannot configure the Firewall Management Center to use, for instance, both Okta and OneLogin for SSO.

  • Firewall Management Centers in a high availability configuration can support SSO, but you must keep the following considerations in mind:

    • SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.

    • Both Firewall Management Centers in a high availability pair must use the same IdP for SSO. You must configure a service provider application at the IdP for each Firewall Management Center configured for SSO.

    • In a high availability pair of Firewall Management Centers where both are configured to support SSO, before a user can use SSO to access the secondary Firewall Management Center for the first time, that user must first use SSO to log into the primary Firewall Management Center at least once.

    • When configuring SSO for Firewall Management Centers in a high availability pair:

      • If you configure SSO on the primary Firewall Management Center, you are not required to configure SSO on the secondary Firewall Management Center.

      • If you configure SSO on the secondary Firewall Management Center, you are required to configure SSO on the primary Firewall Management Center as well. (This is because SSO users must log in to the primary Firewall Management Center at least once before logging in to the secondary Firewall Management Center.)

  • In a Firewall Management Center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.

  • Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.

  • The Firewall Management Center does not support SSO initiated from the IdP.

  • The Firewall Management Center does not support logging in with CAC credentials for SSO accounts.

  • Do not configure SSO in deployments using CC mode.

  • SSO activities are logged in the Firewall Management Center audit log with Login or Logout specified in the Subsystem field.
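The last guideline and the high availability ordering rule above are the two things an administrator most often has to verify after the fact: which SSO logins and logouts the audit log recorded, and whether a user who cannot reach the secondary has in fact logged in to the primary first. The following is an added example, not code from Cisco or from the Firewall Management Center documentation. It assumes the audit log has been exported as CSV with the columns Time, User, Subsystem, Message, Source IP and Domain, and it uses a constructed convention that SSO entries carry the word "SSO" in the Message field; the page itself only states that SSO activity appears with Login or Logout in the Subsystem field. The sample records are constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample exports from a primary and a secondary Firewall Management
# Center. The CSV column set (Time, User, Subsystem, Message, Source IP, Domain)
# and the "SSO" wording in Message are assumptions made for this example.
PRIMARY_AUDIT = """\
Time,User,Subsystem,Message,Source IP,Domain
2024-03-01 08:00:12,alice,Login,SSO login successful,10.0.0.5,Global
2024-03-01 08:05:40,bob,Configuration,Policy deployed,10.0.0.6,Global
2024-03-01 09:10:03,alice,Logout,SSO logout,10.0.0.5,Global
2024-03-01 09:30:00,carol,Login,Internal user login successful,10.0.0.7,Global
"""

SECONDARY_AUDIT = """\
Time,User,Subsystem,Message,Source IP,Domain
2024-03-01 08:30:00,alice,Login,SSO login successful,10.0.0.5,Global
2024-03-01 08:45:00,dave,Login,SSO login successful,10.0.0.8,Global
2024-03-01 09:00:00,dave,Logout,SSO logout,10.0.0.8,Global
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the export


def parse_audit(csv_text):
    """Parse an audit log export into dicts, adding a datetime under 'when'."""
    rows = []
    for row in csv.DictReader(StringIO(csv_text)):
        row["when"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def sso_events(records):
    """Keep SSO activity only: Subsystem is Login or Logout (as the guidelines
    state) and, by the constructed convention of the sample data, the Message
    mentions SSO, so internally authenticated logins such as carol's drop out."""
    return [r for r in records
            if r["Subsystem"] in ("Login", "Logout") and "SSO" in r["Message"]]


def sso_session_summary(records):
    """Count SSO logins and logouts per user."""
    summary = {}
    for r in sso_events(records):
        counts = summary.setdefault(r["User"], {"Login": 0, "Logout": 0})
        counts[r["Subsystem"]] += 1
    return summary


def first_primary_sso_login(primary_records):
    """Earliest SSO login on the primary, per user."""
    first = {}
    for r in sso_events(primary_records):
        if r["Subsystem"] == "Login":
            if r["User"] not in first or r["when"] < first[r["User"]]:
                first[r["User"]] = r["when"]
    return first


def secondary_logins_without_primary(primary_records, secondary_records):
    """Secondary SSO logins by users with no earlier SSO login on the primary.
    The guidelines say the primary login must come first, so a hit here points
    at an export gap, clock skew between the pair, or something to investigate."""
    first = first_primary_sso_login(primary_records)
    hits = []
    for r in sso_events(secondary_records):
        if r["Subsystem"] != "Login":
            continue
        earliest = first.get(r["User"])
        if earliest is None or earliest > r["when"]:
            hits.append((r["User"], r["Time"]))
    return hits


if __name__ == "__main__":
    primary = parse_audit(PRIMARY_AUDIT)
    secondary = parse_audit(SECONDARY_AUDIT)
    print("Primary SSO activity:", sso_session_summary(primary))
    print("Secondary SSO activity:", sso_session_summary(secondary))
    for user, when in secondary_logins_without_primary(primary, secondary):
        print(f"Check: {user} used SSO on the secondary at {when} "
              f"with no earlier SSO login on the primary")
```

Because SSO configuration is not synchronized within the pair, the two exports have to be pulled from each Firewall Management Center separately; the comparison above is only meaningful when both are covered by the same time window.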