12.3 Enabling Single Sign-on with ESM

You must configure ESM to use OSP Client Only Authentication. If your ESM environment currently uses an external SAML 2 client authentication, you must delegate the Fusion SSO provider to connect to the SAML client. If you do not use SAML 2 authentication, you will need to configure SMTP settings for Fusion to support forgotten password activity. The Fusion capability manages single sign-on functions.

This procedure assumes that you have already installed or upgraded ESM.

  1. Change the authentication settings for the ESM Manager service:

    1. On the ESM server, start the configuration wizard by entering the following command from the /opt/arcsight/manager/bin/ directory:

      arcsight managersetup -i console

    2. Advance through the wizard until you reach the authentication settings.

    3. Select OSP Client Only Authentication, then click Next.

    4. To specify the host and port for the OSP server, use the following format:

      domain_name:port

      For example, Fusion installs OSP on port 443 by default, so when you are using ESM for Fusion, specify <fusion host>:443.

    5. To specify the host and port for the ArcSight Command Center, use the following format:

      domain_name:port

      Example:

      <ESM Manager>:8443

      Typically, the host and port are the same as those for the ArcSight Manager.

    6. Specify a Tenant Name for OSP. If you are using a typical installer for Fusion, enter default.

    7. Click Next until you complete your changes in the wizard.

    8. Restart the ESM Manager service using the following commands:

      /etc/init.d/arcsight_services stop manager
      /etc/init.d/arcsight_services start manager

  2. Change the authentication settings for the ArcSight Console (the Console):

    1. From the Console’s /bin directory, enter one of the following commands:

      On Windows: arcsight.bat consolesetup

      On Linux: ./arcsight consolesetup

    2. Advance through the wizard until you reach the authentication settings.

    3. Select OSP Client Only Authentication.

    4. Click Next until you complete your changes in the wizard.

  3. To configure the SSO settings in the CDF Management Portal, complete the following steps:

    1. Connect to the Portal:

      https://ESM_for_Fusion_server:5443

    2. Log in with the credentials of the administrative user that you provided during installation.

    3. Select FUSION.

    4. Under Single Sign-on Configuration, specify the Client ID and Client Secret.

    5. Under ArcSight ESM Host Configuration, verify the settings for the ESM host and port that were specified during deployment.

  4. (Conditional) To use an external SAML 2 authentication method, continue to Integrating Fusion Single Sign-On.

  5. (Conditional) If you do not use an external SAML 2 authentication method, ensure that users can receive email notifications to change their Fusion password. Continue to Connecting to an SMTP Server.