RM Cloud Service Delivery can assist you with your RM Unify AD Sync installation. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com, quoting this article.

The following local configuration is required for RM Unify device single sign-on (DSSO):

1. RM Unify Network Provisioning, or, RM Unify AD Sync (v3 or later).
2. Enable device SSO in RM Unify.
3. Set the RM Unify SSO URL as your Internet browsers' landing page*.
4. Configure Internet browsers to trust https://*.rmunify.com, https://*.google.com and other Microsoft 365 (M35) URLs*.
5. Configure user authentication for 'Local intranet' zone*.
6. Configure website navigation in 'Local intranet'* zone.
7. In Internet Explorer, turn off compatibility view for intranet sites

*Device SSO is compatible with Microsoft® Edge (including Chromium), Windows® Internet Explorer and Chrome. You must configure the Internet Explorer security settings, which are shared by Internet Explorer, Edge and Chrome. Changing your browser settings can be achieved via GPO or your usual network management tool. Further details can be found in each of the sections below.

To sync user passwords between RM Unify and the local network, one of the following features is required:

• RM Unify Network Provisioning: Please refer to TEC5797903 in the Other Useful Articles section below for details.
• RM Unify AD Sync (v3 or later): Please refer DWN3182456 in the Other Useful Articles section below for instructions on how to install or upgrade your existing version.

• Navigate to https://launchpad.rmunify.com/ManagementConsole/SSOSettings and tick the 'Enable single sign on' box.

To benefit from device SSO, users should navigate to a specific URL based on your school's existing RM Unify scope. This will be the existing scope, appended with /sso. For example, if your school's RM Unify scope is https://school.rmunify.com then your SSO URL will be https://school.rmunify.com/sso.

Set the default landing page for your Internet browsers to be your RM Unify SSO URL. 

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC1710358 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

Device SSO currently works with Edge, Internet Explorer and Google Chrome.

Add https://*.rmunify.com to the 'Local intranet' zone in your Internet browsers. This will allow the browser to complete automatic login with RM Unify.

Depending on your network type, this could be set via GPO or your usual network management tool. If you have a CC4 network please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

For Internet Explorer only, please also add the following URLs to the to the 'Local intranet' zone:

• https://*.microsoftonline.com
• https://*.live.com
• https://*.office.com
• https://*.sharepoint.com
• https://*.office365.com
• https://*.google.com

You must ensure that the following setting is enabled within the 'Local intranet' zone by following the steps below:

1. Click Tools, 'Internet options'.
2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
3. Scroll down to find the User Authentication section.
4. Under the Logon sub-section, click the 'Automatic logon with current user name and password' radio button.
5. Click OK, OK.

Depending on your network type, this setting could be made via GPO or your usual network management tool. If you have a CC4 network, please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

To allow uninterrupted single sign-on, with no end user prompts, you must also ensure that the 'Local intranet' zone has 'Websites in less privileged web content zone can navigate into this zone' set to 'Enable':

1. Click Tools, 'Internet options'.
2. Click the Security tab, select the 'Local intranet' zone, click Custom level.
3. Scroll down to find the Miscellaneous section.
4. Under 'Websites in less privileged web content zone can navigate into this zone' heading, click Enable.
5. Click OK, OK.

Depending on your network type, this could also be made via GPO or your usual network management tool. If you have a CC4 network, please see TEC4698403 in the Other Useful Articles section below. Otherwise, please contact your usual network support provider for assistance with this.

Once https://*.google.com has been added to the intranet zone, compatibility mode can break Google's sign in and sign out process. This means a user's Google Workspace session may remain active even though the user has signed out of RM Unify. To turn off compatibility view for intranet sites:

1. Click Tools, 'Compatibility view settings'.
2. Remove the tick from 'Display intranet sites in Compatibility View'.
3. Click Close.

Cause 1: If the user's RM Unify password does not match with their local network (AD) password, then we will detect this and redirect them to the RM Unify sign in page.

To sync a user's password:

• RM Unify Network Provisioning: When the user next signs in to RM Unify, their password will be synced to the local network. Alternatively, if the user changes their local network password, this will be synced to RM Unify.
• RM Unify AD Sync: The user must change their local network password and this will be synced to RM Unify.

Cause 2: Internet Explorer configured to 'Start with tabs from the last session'.

• For Internet Explorer only, under Options, General, ensure that the Startup option is configured to 'Start with home page'.

This setting can be delivered via the 'Internet & Email GPO', Administrative Templates, Windows Components, Internet Explorer, General Page, Start Internet Explorer with tabs from last browsing session (set to Disable).

Cause 3: The version of Password Filter on the network is v2 or earlier.

• On each domain controller on the network, ensure that the version of Password Filter is v3.0.50.0 or later.
• Follow TEC5797917 in Other Useful Articles section below to upgrade Password Filter, if required.

Cause 4: The RMUnifyADSyncCert.cer file in C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue on each domain controller is either missing or is 0k in size, indicating a corrupted file.

• Copy the RMUnifyADSyncCert.cer file from another domain controller, ensuring it is 1k in size.
• Alternatively, contact RM Support who can provide the file for you.

Cause 5: Multiple establishments sharing the same RM Unify scope.

This is where multiple schools, whilst having their own discrete RM Unify establishments, have been customised to actually share a single RM Unify scope (the scope being the portion of the logon identifier following the '@' symbol in your RM Unify username), e.g. St Mary's and Our Lady's school share the RM Unify scope '@atlasacademy':

• John Galt at St Mary's has the username johng@atlasacademy.
• Dagny Taggart at Our Lady's has the username dagnyt@atlasacademy.

In this type of setup, once device SSO has been enabled at one establishment, it is enabled for all. You will find that the box on all relevant RM Unify establishments' SSO Settings page is not ticked, but device SSO will be enabled nonetheless.

• The browsers compatible with Entra ID SSO are Edge, Internet Explorer and Chrome.
• The homepage for Entra ID devices should be set to: https://<RM_Unify_scopename>.rmunify.com/sso/entra
  Note: Devices configured with the previous URL of '/sso/aad' will continue to work.
• Additionally for Chrome:
  • the Microsoft Single Sign On extension must be installed
  • and, as per this Google support article, the device will need the following reg key set to 1 (Enabled) - Software\Policies\Google\Chrome\CloudAPAuthEnabled