
Preparing your network for device single sign-on (SSO) with RM Unify
Published Date : 20 Jul 2015   Last Updated : 14 Sep 2017   Content Ref: TEC4668878  





Symptoms

The following local configuration is required for RM Unify device single sign-on (SSO):

  1. RM Unify Network Provisioning or RM Unify AD Sync v3.
  2. Enable device SSO in RM Unify.
  3. Set the RM Unify SSO URL as your Internet browsers' landing page*.
  4. Configure Internet browsers to trust https://*.rmunify.com* - device SSO is compatible with Edge, Internet Explorer and Chrome. 
  5. Configure user authentication for 'Local intranet' zone*.
  6. Configure website navigation in 'Local intranet'* zone.

* These settings can be achieved via GPO or your usual network management tool. Further details in each section below.



Requirements

Password synchronisation

To sync user passwords between RM Unify and the local network, one of the following features is required:

  • RM Unify Network Provisioning. Please refer to TEC5797903 in the Other Useful Articles section below for details.
  • RM Unify AD Sync v3. Please refer to DWN3182456 in the Other Useful Articles section below for instructions on how to install or upgrade your existing version.

RM Unify Management Console - SSO Settings

Set the RM Unify SSO URL

To benefit from device SSO, users should navigate to a specific URL based on your school's existing RM Unify scope. This will be the existing scope, appended with /sso. For example, if your school's RM Unify scope is https://school.rmunify.com then your SSO URL will be https://school.rmunify.com/sso.

Set the default landing page for your Internet browsers to be your RM Unify SSO URL. 

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC1710358 in the Other Useful Articles section below. Otherwise, please see your usual network support provider for assistance with this.


Configure browsers to trust https://*.rmunify.com

Device SSO currently works with Edge, Internet Explorer and Google Chrome.
Add https://*.rmunify.com to the 'Local intranet' zone in your Internet browsers. This will allow the browser to complete automatic login with RM Unify.

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC4698403 in the Other Useful Articles section below. Otherwise, please see your usual network support provider for assistance with this.


Configure user authentication for 'Local intranet' zone

You must ensure that the following setting is enabled within the 'Local intranet' zone by following the steps below:

  1. Click Tools, 'Internet options'.
  2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
  3. Scroll down to find the User Authentication section.
  4. Under the Logon sub-section, click the 'Automatic logon with current user name and password' radio button.
  5. Click OK, click OK.

Depending on your network type, this setting could be made via GPO or your usual network management tool. If you have a CC4 network please see TEC4698403 in the Other Useful Articles section below. Otherwise, please see your usual network support provider for assistance with this.

Image showing the 'Automatic logon with current user name and password' radio button

Configure website navigation in 'Local intranet'

To allow uninterrupted single sign-on, with no end user prompts, you must also ensure that the 'Local intranet' zone has 'Websites in less privileged web content zone can navigate into this zone' set to 'Enable':

  1. Click Tools, 'Internet options'.
  2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
  3. Scroll down to find the Miscellaneous section.
  4. Under 'Websites in less privileged web content zone can navigate into this zone' heading, click Enable.
  5. Click OK, click OK.

Depending on your network type, this could also be made via GPO or your usual network management tool. If you have a CC4 network, please see TEC4698403 in the Other Useful Articles section below. Otherwise, please see your usual network support provider for assistance with this.

Image showing the Enable radio button
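
To confirm on a client that the browser settings from the sections above have applied, a check along these lines can be run in PowerShell. This is an added example, not RM's own tooling; it assumes the settings are delivered through the standard Internet Explorer zone registry values (zone 1 is 'Local intranet', 1A00 is the Logon setting, 2101 is the navigation setting) and that the trusted site is set with the GPO 'Site to Zone Assignment List' (ZoneMapKey).

```powershell
# Added example: audit the browser settings this article asks for on one client.
# Assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet).
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneValue([string]$Name) {
    # Check the GPO policy locations first, then the per-user preference.
    foreach ($root in "HKLM:\$pol", "HKCU:\$pol", "HKCU:\$inet") {
        $v = (Get-ItemProperty -Path "$root\Zones\1" -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = $root } }
    }
}

function Get-IntranetSite {
    # GPO 'Site to Zone Assignment List': value name = site, data = zone number.
    foreach ($root in "HKLM:\$pol", "HKCU:\$pol") {
        $key = Get-Item -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
        if ($key) {
            $key.GetValueNames() | Where-Object { "$($key.GetValue($_))" -eq '1' }
        }
    }
}

$sites = @(Get-IntranetSite)
$logon = Get-ZoneValue '1A00'   # 0 = Automatic logon with current user name and password
$nav   = Get-ZoneValue '2101'   # 0 = Enable (less privileged zones may navigate into this zone)

@(
    [pscustomobject]@{ Check = 'https://*.rmunify.com in Local intranet (policy list)'
                       Pass  = $sites -contains 'https://*.rmunify.com'
                       Found = $sites -join ', ' }
    [pscustomobject]@{ Check = 'Logon: automatic with current user name and password'
                       Pass  = ($null -ne $logon -and $logon.Value -eq 0)
                       Found = "$($logon.Value) ($($logon.Source))" }
    [pscustomobject]@{ Check = 'Less privileged zones can navigate into this zone'
                       Pass  = ($null -ne $nav -and $nav.Value -eq 0)
                       Found = "$($nav.Value) ($($nav.Source))" }
) | Format-Table -AutoSize -Wrap

# Automatic logon applies to every site in the zone, so list the other entries for review.
$sites | Where-Object { $_ -notlike '*rmunify.com*' } |
    ForEach-Object { "Review: $_ is also in Local intranet and will receive automatic logon" }
```

A failed first check only means the site was not found in the policy list; it may still have been added per user through 'Internet options'. Because automatic logon applies to every site in the 'Local intranet' zone, keep that zone limited to sites that should receive the user's Windows credentials.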


Possible Issues

Users are redirected to the RM Unify login page when using the SSO URL

If the user's RM Unify password does not match their local network (AD) password, we will detect this and redirect them to the RM Unify sign-in page.

To sync a user's password:

  • RM Unify Network Provisioning: When the user next signs in to RM Unify, their password will be synced to the local network. Alternatively, if the user changes their local network password this will be synced to RM Unify.
  • RM Unify AD Sync: The user must change their local network password and this will be synced to RM Unify.

Multiple establishments sharing the same RM Unify scope

This is where multiple schools, whilst having their own discrete RM Unify establishments, share a single RM Unify scope (the scope being the portion of the logon identifier following the @ symbol in your RM Unify username). For example:

  • St Mary's and Our Lady's school share the RM Unify scope @theargos
  • Jason Gash at St Mary's has the username jasong@theargos
  • Sarah Brockbank at Our Lady's has the username sarahb@theargos

In this type of setup, once device SSO has been enabled at one establishment, it is enabled for all. You will find that the check box on the other relevant RM Unify establishments' SSO Settings pages is not checked, but device SSO will be enabled nonetheless.



Other Useful Articles

RM Unify - Using CC4 GPOs to make the browser settings required for device single sign-on (TEC4698403)
RM Unify AD Sync Service v3 (DWN3182456)
Microsoft Edge opens RM Unify in a new Internet Explorer window (TEC5720043)
RM Unify Network Provisioning (TEC5797903)




Document Keywords: dsso, device

