
Preparing your network for device single sign-on (SSO) with RM Unify
Published Date : 20 Jul 2015   Last Updated : 16 Nov 2018   Content Ref: TEC4668878  





Symptoms

RM Cloud Service Delivery can assist you with your RM Unify AD Sync installation. For further information, please speak to your Sales representative on 08450 700 300.

The following local configuration is required for RM Unify device single sign-on (DSSO):

  1. RM Unify Network Provisioning or RM Unify AD Sync v3.
  2. Enable device SSO in RM Unify.
  3. Set the RM Unify SSO URL as your Internet browsers' landing page*.
  4. Configure Internet browsers to trust https://*.rmunify.com, https://*.google.com and other O365 URLs*.
  5. Configure user authentication for 'Local intranet' zone*.
  6. Configure website navigation in 'Local intranet' zone*.
  7. In Internet Explorer, turn off compatibility view for intranet sites.

* Device SSO is compatible with Edge, Internet Explorer and Chrome. You must configure the Internet Explorer security settings, which are shared by Internet Explorer, Edge and Chrome. You can change your browser settings via GPO or your usual network management tool. Further details are given in each section below.



Cause

**SSO for Azure AD connected devices - coming soon**
Support for device SSO for Azure AD (AAD) joined Windows 10 machines will be coming in an upcoming RM Unify release, due to arrive before the end of the year (2018). This will allow a user to sign in to their Windows 10 device using an AAD account, which will sign them in to RM Unify, and therefore all other joined services, such as Office 365. Further information about this functionality will appear on the RM Unify Roadmap closer to release - https://app.prodpad.com/products/8c63dc10-656f-11e8-9403-5dee1c0f148d/roadmap - and on the RM Blog afterwards - http://www.rm.com/blog/categories/rm-unify.


Requirements

Password synchronisation

To sync user passwords between RM Unify and the local network, one of the following features is required:

  • RM Unify Network Provisioning. Please refer to TEC5797903 in the Other Useful Articles section below for details.
  • RM Unify AD Sync v3. Please refer to DWN3182456 in the Other Useful Articles section below for instructions on how to install or upgrade your existing version.

RM Unify Management Console - SSO settings

Set the RM Unify SSO URL

To benefit from device SSO, users should navigate to a specific URL based on your school's existing RM Unify scope. This will be the existing scope, appended with /sso. For example, if your school's RM Unify scope is https://school.rmunify.com then your SSO URL will be https://school.rmunify.com/sso.

Set the default landing page for your Internet browsers to be your RM Unify SSO URL. 

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC1710358 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.


Configure browsers to trust https://*.rmunify.com

Device SSO currently works with Edge, Internet Explorer and Google Chrome.
Add https://*.rmunify.com to the 'Local intranet' zone in your Internet browsers. This will allow the browser to complete automatic login with RM Unify.

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

For Internet Explorer only, please also add the following URLs to the 'Local intranet' zone:

https://*.microsoftonline.com
https://*.live.com
https://*.office.com
https://*.sharepoint.com
https://*.office365.com
https://*.google.com


Configure user authentication for 'Local intranet' zone

You must ensure that the following setting is enabled within the 'Local intranet' zone by following the steps below:

  1. Click Tools, 'Internet options'.
  2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
  3. Scroll down to find the User Authentication section.
  4. Under the Logon sub-section, click the 'Automatic logon with current user name and password' radio button.
  5. Click OK, click OK.

Depending on your network type, this setting could be made via GPO or your usual network management tool. If you have a CC4 network please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

Image showing the 'Automatic logon with current user name and password' radio button

Configure website navigation in 'Local intranet'

To allow uninterrupted single sign-on, with no end user prompts, you must also ensure that the 'Local intranet' zone has 'Websites in less privileged web content zone can navigate into this zone' set to 'Enable':

  1. Click Tools, 'Internet options'.
  2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
  3. Scroll down to find the Miscellaneous section.
  4. Under 'Websites in less privileged web content zone can navigate into this zone' heading, click Enable.
  5. Click OK, click OK.

Depending on your network type, this could also be made via GPO or your usual network management tool. If you have a CC4 network, please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

Image showing the Enable radio button

In Internet Explorer, turn off compatibility view for intranet sites

Once https://*.google.com has been added to the intranet zone, compatibility mode can break Google's sign in and sign out process. This means a user's G Suite session may remain active even though the user has signed out of RM Unify. To turn off compatibility view for intranet sites:

  1. Click Tools, 'Compatibility view settings'.
  2. Remove the tick from 'Display intranet sites in Compatibility View'.
  3. Click Close.
Image showing compatibility view
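
The browser settings described in the sections above can be verified on a workstation after the GPO has applied. The PowerShell below is an added example, not RM's own tooling; it assumes per-user settings in HKCU and the standard Internet Explorer zone registry layout (zone 1 = 'Local intranet', URL actions 1A00 and 2101 where 0 is the option named in the steps above).

```powershell
# Added audit example, not RM's code. Run as the signed-in user on a domain PC.
# Assumption: settings are per-user (HKCU); machine-wide policy uses the same
# layout under HKLM and is not read here.
$pref   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$roots  = $policy, $pref          # a GPO-delivered value takes precedence

function Get-RegValue([string[]]$Paths, [string]$Name) {
    # First value found wins; $null means "not configured, zone default applies".
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
}

function Get-IntranetSites {
    # Everything mapped to zone 1 (Local intranet), from both storage forms.
    foreach ($r in $roots) {
        # "Site to Zone Assignment List" policy: value name = URL pattern, data = "1"
        $k = Get-Item "$r\ZoneMapKey" -ErrorAction SilentlyContinue
        if ($k) { $k.GetValueNames() | Where-Object { $k.GetValue($_) -eq 1 } }
        # Internet Options dialog: one key per domain, value name = protocol, data = 1
        Get-ChildItem "$r\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $key = $_; $key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 1 } } |
            ForEach-Object { $_.Name -replace '^.*\\Domains\\', '' }
    }
}

$zone1 = $roots | ForEach-Object { "$_\Zones\1" }
$sites = @(Get-IntranetSites)
$report = @(
    [pscustomobject]@{ Setting = 'Automatic logon with current user name and password (1A00)'; Want = 0; Have = Get-RegValue $zone1 '1A00' }
    [pscustomobject]@{ Setting = 'Less privileged zones can navigate into this zone (2101)'; Want = 0; Have = Get-RegValue $zone1 '2101' }
    [pscustomobject]@{ Setting = 'Display intranet sites in Compatibility View'; Want = 0
        Have = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\BrowserEmulation' 'IntranetCompatibilityMode' }
)
# Domains taken from the trust lists in this article.
foreach ($d in 'rmunify.com','microsoftonline.com','live.com','office.com','sharepoint.com','office365.com','google.com') {
    $rx  = '(^|[./\\])' + [regex]::Escape($d) + '($|[/\\])'   # avoid matching e.g. "myoffice.com"
    $hit = $sites | Where-Object { $_ -match $rx }
    $report += [pscustomobject]@{ Setting = "Local intranet entry for $d"; Want = 'mapped'; Have = $(if ($hit) { 'mapped' } else { 'missing' }) }
}
$report | Select-Object *, @{ n = 'OK'; e = { "$($_.Have)" -eq "$($_.Want)" } } | Format-Table -AutoSize
'All zone 1 entries found:'; $sites | Sort-Object -Unique
```

The final list shows every site that will receive automatic logon with the user's Windows credentials, so it can be compared against the domains this article asks for.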


Possible Issues

Users are redirected to the RM Unify login page when using the SSO URL

If the user's RM Unify password does not match their local network (AD) password, then we will detect this and redirect them to the RM Unify sign in page.

To sync a user's password:

  • RM Unify Network Provisioning: When the user next signs in to RM Unify, their password will be synced to the local network. Alternatively, if the user changes their local network password this will be synced to RM Unify.
  • RM Unify AD Sync: The user must change their local network password and this will be synced to RM Unify.

Multiple establishments sharing the same RM Unify scope

This is where multiple schools, whilst having their own discrete RM Unify establishments, share a single RM Unify scope (the scope being the portion of the logon identifier following the @ symbol in your RM Unify username). For example, St Mary's and Our Lady's school share the RM Unify scope @atlasacademy.

In this type of setup, once device SSO has been enabled at one establishment, it is enabled for all. You will find that the tick box on all relevant RM Unify establishments' SSO Settings page is not ticked, but device SSO will be enabled nonetheless.



Other Useful Articles

RM Unify - Using CC4 GPOs to make the browser settings required for device single sign-on (TEC4698403)
RM Unify AD Sync Service v3 (DWN3182456)
Microsoft Edge opens RM Unify in a new Internet Explorer window (TEC5720043)
RM Unify Network Provisioning (TEC5797903)
