Windows Single Sign On
Patriot supports integration with Microsoft Active Directory logins, allowing operators to sign in to the Patriot client application automatically.
Microsoft Entra Single Sign On is recommended for new single sign on deployments. Entra supports SSO for ICA as well as Desktop, and can be used alongside built-in operator logins.
Microsoft Windows Active Directory
Patriot supports integration with Microsoft Windows Active Directory (hereafter referred to as AD) that allows an automatic sign on to the Patriot client program using the operator's Windows user credentials. Program access and rights (see below) can be controlled within AD, thus making it easier to manage security access across an organisation. Security Groups are setup in AD for the various Patriot access levels required. These are then assigned to each operator's user in AD so that control of access is performed within AD rather than within Patriot.
Security Groups are setup in AD for the various Patriot access levels required. These are then assigned to each operator's user in AD. Thus control of access is performed within AD and not within Patriot. The specific rights that each group has is still configured within Patriot itself.
A system setting dictates if Single Sign On is enabled or not. Patriot will only support its own internal security model or single sign on, not both at the same time. So once single sign on is enabled, internal Patriot operators will no longer have access to the program.
Client Single Sign On Setup
Security Groups
One way to setup the security groups is to set them up in Patriot first. Note that the name of the Security Group is important and will be used to setup groups in AD also. As group names are unique in AD, you must use names that are not already used. It's suggested you prefix the name Patriot in front of all group names to ensure uniqueness. Setup the groups, and also configure the access rights for each group as required. You may use the existing Patriot security groups, or create new ones, as long as the name is not already in use in AD. Instructions for setting up Patriot groups are here.
Next create an Organisational Unit in AD to contain all the Patriot Security groups you require. This organisational unit should be reserved for Patriot use only, and must be named 'Patriot'.
Then create groups in this organisational unit for each Patriot security group. The name of the group in Patriot must match the name of the AD group exactly. If an AD group is used which doesn't exist in Patriot, it will be created in Patriot with no access rights.
Another approach is to set-up all the security groups you need in AD within the 'Patriot' Organisational Unit first and make a patriot administrator a member of all these groups. You will need to have at least one matching administrator group already set-up in Patriot with full rights (to allow full access to the administrator when they login for the first time). When the AD Patriot administrator subsequently logs into patriot all additional Patriot groups already set-up in AD will be automatically created within Patriot but by default will have no permissions - the patriot administrator can then proceed to grant permissions to the groups as desired.
Configure Windows Users
Next, assign one of the groups within the Patriot organisational unit to each person who requires access rights to the Patriot client application.
Access to Patriot can easily be removed by ensuring the user is not assigned to any of these groups.
Enable Single Sign On
Ensure you have at least one Patriot administrator account setup in Patriot. Once single sign on is enabled, the only way to login to Patriot is using a correctly configured AD user, or a Patriot administrator account. Any existing non Patriot administrator operators will not be allowed access.
Login to Patriot using one of the existing standard Patriot operators. Then go into System > System Settings > System Wide Settings > Security. Enable active directory single sign on.
When an operator starts the Patriot client, an attempt to auto login using single sign on will be performed. If the windows user is valid, the AD groups (within the Patriot organisational unit) assigned to this user will be synchronised with the Patriot security groups, then the operator will be given the appropriate access. If the auto login process fails, the standard Patriot login window will be displayed.
Login
The Patriot login screen will not appear when the system setting for Single Sign On has been enabled. When an AD User launches Patriot for the first time, a Patriot Operator record will be automatically added to Patriot. This operators name, password, operator groups inside Patriot won't be able to be edited from within Patriot, as these details will be maintained within AD. Deleting this operator won't stop the operator from gaining access, this must also be performed from AD.
To display the Login window and allow the connection settings to be configured, a /NOSSO
command line switch may be added to the Patriot client shortcut.
If you wish to remove a security group, delete the group from AD, not just from Patriot, otherwise the group will be recreated in Patriot the next time an AD user logs in with that group assigned.