Hi everyone, thank you for your time.
Is it possible to configure SSO into a DS hosting the SSP? If so, how? Right now it is challenging for credentials, which is alright, but in the context of distributing tokens for enrollment, this is a bit non-user friendly.
Specifically, we'd only want SSO if coming from our internal network (adding to the challenge - perhaps WS1 Access can help here?).
you are right, WS1 Access would help you in this case. You need to enable SAML under Settings > System > Enterprise Integration > Directory Services and then allow authentication against the SSP using SAML:
Enable SAML Authentication For