
More auth options (Azure, RADIUS, SAML etc.)

Hi all,


I'd like to see more authentication and authorization options for Royal Server. Not just AD and its groups. It would be great to have an option to connect it to Azure AD or to RADIUS or to be able to utilize SAML or OAuth for other identity services and use their groups and their MFA capabilities for example.


Cheers,

Deworn



10 people like this idea

We would like to see this too. RADIUS would probably be the easiest to implement whilst supporting the largest number of services. I know Duo, Okta and JumpCloud all either support RADIUS or have a RADIUS connector.


2 people like this

We need AD SSO on-prem.
If a Windows account is logged on, why not use this AD session?

Providing the Windows Password within RoyalTS Client is a pain.


To store this securely, the application Doc has to be encrypted, with a password the user has to type in.

That's painful and users are complaining.

They will start storing complex passwords in a txt doc to access RoyalTS Client.


1 person likes this

It would also be great from my side if there were a possible RADIUS auth...

We are/were considering Royal to replace Devolutions, but the lack of SAML/SSO was a show stopper. We like what we see so far, however...

Hi,


unfortunately there are a couple of technical obstacles which prevent us from implementing a good SSO solution (including SAML support):

- right now, the local group membership of Secure Gateway and Royal Server users is used to determine access to the Royal Server/Secure Gateway. Even though you can put a domain group into the Royal Server's local group, it's not really possible to verify group membership from the client. We could implement a new feature which allows you to configure the Royal Server to use a certain AD Group instead of the local group to circumvent that.

- AFAIK there are no APIs for the client side which make it easy to submit a token/ticket in a secure and verifiable way which ensures the client has the current user successfully authenticated. If someone is aware of such APIs, let us know.

- We also need to keep in mind non-Windows scenarios for our macOS and mobile users. Even though one or the other scenario would be possible to implement, it would only be available on Windows.

- A couple of workflows on the Royal Server (especially modules) are doing impersonation on the server. This means a logon will be performed on the server using the submitted credentials and code will be executed in this user context. AFAIK this is not possible in any other secure way where tickets or tokens are passed on to the server.


If we could get the group membership/claims done on the client we might be able to pull off SSO for Secure Gateway and/or documents but this would be a huge effort.


Sorry for not having better news on that front.


Stefan
