your database front-end

Server Outage Notice: will be transfering to a new Server on Friday 25th @ 7pm MST

Single Sign-on (Enterprise)

Single-Sign-On lets users sign-in once and then access multiple different resources protected by that same authentication service.

SSO (Single-Sign-On) is convenient for users since they don't need to remember, manage and enter multiple sets of credentials.  SSO is often more secure because the security is centralized and better managed.

How Single Sign-On works

When SSO is enabled then dbFront won't show a login screen.  If dbFront encounters a user that needs authentication it will redirect that user to the configured SSO provider.  It is the SSO provider's responsibility to authenticate the user and then return them to dbFront.

dbFront implements SSO using the SAML 2 protocol.  For more details see:

Setting up Single Sign-on

Note: Single Sign-on Authentication is a global setting that overrides other authentication options.  Unlike Active Directory / Windows Authentication or Database Authentication, Single Sign-on can't be limited to specific connections.

Setting up, editing or removing, SSO authentication requires special local server access.  To set up SSO you should:

  1. Directly log-in on, or remote desktop to, the web server hosting dbFront,
  2. Once connected you can run dbFront in a browser with the URL http://localhost/dbFront.  Note: The URL must start with http://localhost,
  3. Login to dbFront using an administrative account (local machine or domain),
  4. From the dbFront main menu click [Help] / [Settings],
  5. From the Settings Dialog click on the "Single-Sign-On" tab.

dbFront - Field Preferences

On the SSO tab, you will be able to select the desired Sign-On provider.  The options available for each vendor are generally the same but dbFront will use the vendor selection to provide customized help.  The screen to the right is shown if no vendor is selected.

Once a vendor is selected, dbFront will show the configuration fields.  The screen below shows the vendor JumpCloud with some suggested settings.  Clicking on the help link will show the vendor-specific help.

dbFront - Field Preferences

  • dbFront Application Id: Vendor unique and often vendor specified ID for your application.
  • Vendor Endpoint URL: Vendor hosted and often application-specific URL to the authentication service for your application.
  • Vendor Public Certificate: If specified, this vendor provided certificate is used to validate vendor authentication responses.
  • Vendor Admin Group: The user group set up at the SSO intended for Admin users.  All members of this group will be given Admin access to dbFront.
  • Logout Redirect URL: dbFront will redirect users to this URL when they log-off from dbFront.
    NOTE: dbFront purposely does not log-out from the entire SSO session.  It only closes the dbFront session and redirects the user to the specified URL.

Testing Single-Sign-On with dbFront

dbFront will record debugging information if there is a login failure.  You can enable extra logging from the setup screen. This can include the full SAML 2 messages. For more details see: Troubleshooting.

dbFront - Field Preferences

When a user is logged in they can see their login details from the user menu at the top right of the screen.  This can be helpful when trying to determine why user access is incorrect. The screen to the right is an example of what you might see.

If you don't currently have an SSO vendor then we suggest signing up for a free JumpCloud account and following the JumpCloud specific setup instructions.  For more details see:

Vendor-Specific Setup instructions

The following vendor-specific instructions are provided for your convenience.   The SSO implementation in dbFront is SAML2 compliant so most vendors are supported even if specific instructions are not provided.

Trouble Shooting

For a list of Single-Sign-On issues and answers see: Single-Sign-On Questions

More Security Options

For more security options see: Authentication Overview

Content you want the user to see goes here.