Example SSO Setups Using Identity Providers

This section explains how to configure different types of identity providers used to integrate with Sisense SSO.

Note:

If at any point you misconfigure SSO and are unable to log in via SSO, you can use the direct login:
https://{IP_or_site_URL}/app/account/login

Or, for a tenant:
https://{IP_or_site_URL}/{tenant_name}/app/account/login

Configuration Instructions for SAML

Follow these links to Sisense Community for instructions on setting up Sisense with the indicated third-party providers:

Configuration Instructions for OIDC

Keycloak

Step 1 - Keycloak Configuration

To set up Sisense application integration using Keycloak:

  1. Log in to Keycloak using an Admin account.
  2. To create a Realm, go to the Realm Settings dropdown menu (top-left corner) and click the Add realm button at the bottom of the list. Enter a name for the realm and click the Create button.

    Note:

    For self-contained multitenancy, each organization tenant should have a unique Realm and Client. Also, a tenant-specific set of Valid Redirect URIs should be specified in the Settings tab for the Client.

  3. To create a client, select the Clients configuration option from the main menu. Click the Create button at the top-right side of the clients list to open the Add Client screen. Enter the desired Client ID and for Client Protocol select the openid-connect option. The Root URL can remain blank. Click Save. This will open the new tenant to the Settings configuration tab.
    Settings:
    • Name - Copy the Client ID
    • Access Type - Change from public to confidential
    • Service Accounts Enabled - Toggle to ON
    • Root URL - The root URL for your Sisense server: https://{Sisense_server}. (For example: http://12.345.67.89:12345, or http://test.sisense.com:12345.)
    • Valid Redirect URIs:
      • For the master system tenant: /openid_callback.
      • For an organization tenant, create 2 redirect URIs which include the name of the tenant:
        • /{tenant_name}/openid_callback
        • /{tenant_name}

Step 2 - Sisense SSO Configuration

To set up the Sisense SSO configuration for Keycloak/OIDC, go to the Single Sign On configuration page (Admin tab > Security & Access > Single Sign On). Configure the following fields, and then go to the topic SSO Using OpenID Connect for instructions on how to complete the configuration:

  • Scope - The client scope you created in Keycloak as comma-separated values. For example, email. The openid tag is appended automatically behind the scenes.

  • Client ID - The client ID of the relying party. (The client ID you created in Keycloak.)

  • Client Secret - The secret for the client you created. The Secret is found on the Credentials tab.

  • Issuer - The server identifier, typically the base URL of the Keycloak server.
    Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}

  • Authorization URL - The authorization URL used to make the request for a user’s identity.
    Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/auth

  • Token URL - The URL that returns the access token, ID token, and refresh token.
    Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/token

  • User Info URL - The URL that returns information about the currently signed-in user.
    Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/userinfo

  • Logout URL - The URL that users are returned to after they log out.
    Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/logout
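
The following pre-flight check is an added example, not code from Sisense or Keycloak. It verifies that a set of Step 2 field values all point at the same realm and follow the URL formats above, which catches a tenant whose endpoints were copied from another tenant's realm. The dictionary keys, function names, and sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Endpoint suffixes from the URL formats listed in Step 2.
ENDPOINTS = {"authorization_url": "auth", "token_url": "token",
             "user_info_url": "userinfo", "logout_url": "logout"}

def expected_redirect_uris(tenant=None):
    """Valid Redirect URIs from Step 1: master tenant vs. organization tenant."""
    if tenant is None:
        return ["/openid_callback"]
    return [f"/{tenant}/openid_callback", f"/{tenant}"]

def check_sso_config(cfg, realm):
    """Return a list of problems in a field set (hypothetical dict layout)."""
    problems = []
    issuer = cfg.get("issuer", "").rstrip("/")
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer is not https")
    if parts.path != f"/auth/realms/{realm}":
        problems.append("issuer path does not match the tenant realm")
    # Every endpoint must hang off the same issuer, i.e. the same realm.
    for field, suffix in ENDPOINTS.items():
        want = f"{issuer}/protocol/openid-connect/{suffix}"
        if cfg.get(field, "") != want:
            problems.append(f"{field} should be {want}")
    scopes = [s.strip() for s in cfg.get("scope", "").split(",") if s.strip()]
    if "openid" in scopes:
        problems.append("scope lists openid, which is appended automatically")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty; Access Type must be confidential")
    return problems

# Constructed sample values (not from a real deployment).
BASE = "https://keycloak.example.com/auth/realms/acme"
GOOD = {"issuer": BASE, "scope": "email", "client_id": "sisense-acme",
        "client_secret": "constructed-secret",
        **{f: f"{BASE}/protocol/openid-connect/{s}" for f, s in ENDPOINTS.items()}}
# Token URL copied from another tenant's realm, and openid listed by hand.
BAD = dict(GOOD, scope="openid,email",
           token_url=BASE.replace("acme", "other") + "/protocol/openid-connect/token")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sso_config(cfg, "acme") or "ok")
```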