Since TOS Aurora 22-1, there is an option to use Single Sign-On (SSO) for SecureTrack and SecureChange / SecureApp. In new installations this feature is enabled by default, but in upgraded installations it needs to be enabled manually, which is quite easy following the Tufin Knowledge Base. If SSO is turned on, no additional authentication is required when a user switches from e.g. SecureTrack to SecureChange.

Enable SSO

To activate SSO, access to the command line is necessary, together with administrative permissions (e.g. root or the use of sudo). This command enables SSO:

[Tufin]$ sudo tos config set -p tos.sso.enabled=true

After this action, SSO is active and the login screen shows "Tufin Orchestration Suite".

Sometimes it is useful to disable SSO (see below).

Disable SSO

Disabling the optional SSO is done using this command with administrative permissions at the CLI (e.g. root or the use of sudo):

[Tufin]$ sudo tos config set -p tos.sso.enabled=false

After this command, separate login screens are shown for SecureTrack and SecureChange, as has been the case for many years.


Items to consider when using SSO for SecureTrack and SecureChange

  • The login using the portal shown above requires the user to be configured in SecureTrack.
    If a user is configured in SecureChange only (e.g. Approver, Auditor), a successful login is not possible.
    So these users need to be configured in SecureTrack also (but don't need any permission to view any device).

  • If a disclaimer is required, there is only one possibility to configure it (see also here).

  • If external servers are used for authentication, be aware of which server is needed and where users need to be configured (e.g. special AD branches for user/admin in SecureTrack vs. separate LDAP authentication in SecureChange).

  • The "old" SSO option for SecureChange is no longer supported once SSO for SecureTrack/SecureChange is configured.
    So if a portal is used for SecureChange authentication, this needs to be migrated to SAML-based authentication.

    > added May 30th, 2023:
    If you want to use SAML, please note that integration with IBM as SAML IdP is not supported.
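The first item above means that enabling SSO silently locks out every account that exists only in SecureChange. The following POSIX shell script is an added example (not from the post and not a Tufin tool) that compares the two user lists and refuses to proceed while such accounts exist; the two lists are constructed sample data standing in for an export from each product's user administration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-check before running "tos config set -p tos.sso.enabled=true".
# Users present in SecureChange but absent from SecureTrack could no longer
# log in through the shared portal, so they must be created in SecureTrack
# first (no device permissions needed). Both lists below are constructed.

securetrack_users() {
    printf '%s\n' admin alice bob carol
}

securechange_users() {
    printf '%s\n' alice bob dave erin
}

# Print the users that exist in SecureChange only, one per line.
sso_blocked_users() {
    st_tmp=$(mktemp) || return 1
    sc_tmp=$(mktemp) || { rm -f "$st_tmp"; return 1; }
    securetrack_users | sort -u > "$st_tmp"
    securechange_users | sort -u > "$sc_tmp"
    # comm -13 keeps lines found only in the second (SecureChange) list
    comm -13 "$st_tmp" "$sc_tmp"
    rm -f "$st_tmp" "$sc_tmp"
}

# Returns 0 when every SecureChange user also exists in SecureTrack,
# 1 otherwise, so a wrapper script can gate the SSO switch on it.
sso_precheck() {
    missing=$(sso_blocked_users) || return 1
    if [ -n "$missing" ]; then
        echo "Create these users in SecureTrack before enabling SSO:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    echo "All SecureChange users exist in SecureTrack; SSO can be enabled."
    return 0
}

# Usage: sh sso_precheck.sh --check   (hypothetical file name)
case "${1:-}" in
    --check) sso_precheck ;;
esac
```

With the sample lists the check reports dave and erin as blocked and exits non-zero; once those accounts have been created in SecureTrack the check passes and the "tos config set" command from the "Enable SSO" section can be run.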