Application SSO Configuration Guidelines

  • 7023722
  • 15-Feb-2019
  • 15-Feb-2019


Privileged Account Manager 3.5


Application SSO (AppSSO) isn't working, fails, doesn't get authorized.
General guidelines for configuring ApppSSO properly.
A collection of common pitfalls found in AppSSO configuration.


Please review the following guidelines to achieve proper AppSSO Configuration:
  • Carefully review and verify the install prerequisites have been completed:
    See Setting Up Application SSO from the Installation Guide.

  • If the authorizing cmdctrl rule is nested within other rules, please ensure that each and every rule in the nested hierarchy has Application SSO set to Yes. Otherwise, consider moving to the root or top-level of the hierarchy for troubleshooting purposes.
    See TID 7023299 - Application SSO is not authorized when cmdctrl rule is placed as a child in hierarchy.

  • Secondary Authentication (2FA) should not be enabled on an AppSSO cmdctrl rule, but can be achieved by setting on the authorizing Direct-RDP rule.
    See TID 7023721 - Application SSO fails when Secondary Authentication is enabled in the Rule.

  • The cmdctrl command (i.e. Application Authorization command applied to the Run as privileged user rule condition) should contain the absolute path to the application, which may includes double-quotes depending if there are spaces. For clarification, please check the Reporting Console or the unifid.log for 'cmdctrl request', which will display the exact command coming into cmdctrl.

  • If Use Host from Policy has been selected in the AppSSO Account Domain from the Credential Vault, then be sure to include both the port as well as the ip/host in the Application Host field of the cmdctrl rule if required by the client application.

  • (Direct Access Mode) The AppSSO rule should have the Run User set as Everyone and the Run Hosts set as All Hosts.
    See Adding an Application SSO Rule from the Administration Guide.