Configuring Single Sign-On (SSO)

You can configure CxSAST to automatically use the Windows credentials of the user that is logged on to Windows, so that registered domain users do not need to independently log into CxSAST.

  • Single sign-on authentication is available only to Active Directory users.
  • The instructions below apply to IIS 8, 8.5 and 10.

To configure single sign-on (SSO):

 1. Make sure that the CxSAST server is in the organizational domain.

 2. On the CxSAST server, activate IIS Windows Authentication. In a distributed deployment, you have to activate IIS Windows Authentication on the CxManager. 

 Activate IIS Windows Authentication

1. Open Turn Windows features on or off (you can find it from the Windows search bar), or in Windows Server Manager select Manage > Add Roles and Features.

2. Under Internet Information Services > World Wide Web Services or Web Server (IIS) > Web Server, select Security > Windows Authentication and install.

 3. Open the IIS Manager, and apply Windows Authentication to the CxSAST web services. 

 Do one of the following for CxWebClient, CxWebInterface and CxRestAPI

1. In the left-hand Connections pane, navigate to and select the 'Default Web Site' web service and in the IIS section, double-click Authentication. 

  • By default the following web applications are installed under 'Default Web Site': CxRestAPI, CxWebClient, CxWebInterface.
    These applications inherit the changes outlined below.
    If the web applications are on a custom IIS Site, make the change on that site.

2. Right-click Windows Authentication and select Enable.

  • If the Windows authentication is Kerberos:
    1. Right-click Windows Authentication and select Providers.
    2. Under Available Providers, add Negotiate, if not already listed.
    3. Move Negotiate above NTLM.
    4. Click OK.
  • In IIS, set useAppPoolCredentials to True:
    1. Select the 'Default Web Site'.
    2. Under Management, double-click [Configuration Editor] and set 'useAppPoolCredentials' to True under this section: system.webServer/security/authentication/windowsAuthentication

3. If your Cx Application Pools (CxAccessControl, CxClientPool, CxPool, and CxPoolRestAPI) Login Identity is configured for a 'Custom Domain Service Account' (login service account), modify as follows:

  1. Select the 'Default Web Site\CxRestAPI\auth' application
  2. Under Management, double-click [Configuration Editor] and set 'useAppPoolCredentials' to False under this section: system.webServer/security/authentication/windowsAuthentication

 4. On the CxSAST server, open the following file for editing:
          <Installation path>\Checkmarx\CheckmarxWebPortal\Web\web.config, for example C:\Program Files\Checkmarx\CheckmarxWebPortal\Web\web.config

 5. Under <appSettings>, navigate to the UseSSOLogin key, and change its value to true as noted below:
          <add key="UseSSOLogin" value="true"/>

CxSAST Active Directory users who are logged on to Windows can now access CxSAST without logging on to CxSAST separately.
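
To confirm the result of the steps above, the following read-only PowerShell check reports each setting in one place. It is an added example, not part of the Checkmarx documentation; it assumes the site is named 'Default Web Site', the example installation path from step 4, and an elevated session on the CxSAST server (the CxManager in a distributed deployment).

```powershell
# Added example: read-only check of the SSO settings from the steps above.
# Assumptions: site name 'Default Web Site' and the example install path from step 4.
Import-Module WebAdministration

$site      = 'Default Web Site'
$apphost   = 'MACHINE/WEBROOT/APPHOST'
$filter    = 'system.webServer/security/authentication/windowsAuthentication'
$webConfig = 'C:\Program Files\Checkmarx\CheckmarxWebPortal\Web\web.config'

# Read one attribute of the windowsAuthentication section at a given location.
function Get-WinAuthValue([string]$Location, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath $apphost -Location $Location `
        -Filter $filter -Name $Name).Value
}

# Provider order matters for Kerberos: Negotiate has to be listed above NTLM.
$providers = @(Get-WebConfiguration -PSPath $apphost -Location $site `
        -Filter "$filter/providers/add" | ForEach-Object { $_.value })
$negotiate = [array]::IndexOf($providers, 'Negotiate')
$ntlm      = [array]::IndexOf($providers, 'NTLM')

# UseSSOLogin lives under <appSettings> in the web portal's web.config.
[xml]$xml = Get-Content -LiteralPath $webConfig -Raw
$sso = ($xml.configuration.appSettings.add |
    Where-Object { $_.key -eq 'UseSSOLogin' }).value

# Nothing is changed; the script only reports what is currently configured.
[pscustomobject]@{
    WindowsAuthEnabled       = Get-WinAuthValue $site 'enabled'
    Providers                = $providers -join ', '
    NegotiateBeforeNtlm      = ($negotiate -ge 0) -and
                               (($ntlm -lt 0) -or ($negotiate -lt $ntlm))
    UseAppPoolCreds_Site     = Get-WinAuthValue $site 'useAppPoolCredentials'
    UseAppPoolCreds_RestAuth = Get-WinAuthValue "$site/CxRestAPI/auth" 'useAppPoolCredentials'
    UseSSOLogin              = $sso
} | Format-List
```

UseAppPoolCreds_RestAuth is expected to be False only when the Cx Application Pools run under a custom domain service account; NegotiateBeforeNtlm applies when the Windows authentication is Kerberos.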