Example SSO Setups Using Identity Providers

This section explains how to configure different types of identity providers used to integrate with Sisense SSO.

Configuration Instructions for SAML

Follow these links to Sisense Community for instructions on setting up Sisense with the indicated third-party providers:

• Setting Up SSO SAML 2.0 With ADFS

• Setting Up SSO SAML 2.0 with Auth0

• Setting Up SSO SAML 2.0 With G Suite

• Setting Up SSO SAML 2.0 With Keycloak

• Setting Up SSO SAML 2.0 with Okta

• Setting Up SSO SAML 2.0 with OneLogin

• Setting Up SSO SAML 2.0 With Salesforce

Configuration Instructions for OIDC

Keycloak

Step 1 - Keycloak Configuration

To setup Sisense application integration using Keycloak:

1. Login to Keycloak using an Admin account.
2. To create a Realm, go to the Realm Settings dropdown menu (top-left corner) and click the Add realm button at the bottom of the list. Enter a name for the realm and click the Create button.
   

   Note:

   For self-contained multitenancy, each organization tenant should have a unique Realm and Client. Also, a tenant specific set of Valid Redirect URIs should be specified in the Settings tab for the Client.

3. To create a client, select the Clients configuration option from the main menu. Click the Create button at the top-right side of the clients list to open the Add Client screen. Enter the desired Client ID and for Client Protocol select the openid-connect option. The Root URL can remain blank. Click Save. This will open the new tenant to the Settings configuration tab.
   Settings:
   • Name - Copy the Client ID
   • Access Type - Change from public to confidential
   • Service Accounts Enabled - Toggle to ON
   • Root URL - The root URL for your Sisense server: https://{Sisense_server}. (For example: http://12.345.67.89:12345, or http://test.sisense.com:12345.)
   • Valid Redirect URIs:
     • For the master system tenant: /openid_callback.
     • For an organization tenant, create 2 redirect URIs which include the name of the tenant:
       • /{tenant_name}/openid_callback
       • /{tenant_name}

Step 2 - Sisense SSO Configuration

To set up the SSO Sisense configuration for Keycloak/OIDC, go to the Single Sign On configuration page, (Admin tab > Security & Access > Single Sign On). Configure the following fields, and then go to the topic SSO Using OpenID Connect for instructions on how to complete the configuration:

• Scope - The client scope you created in Keycloak as comma-separated values. For example, email. The openid tag is appended automatically behind the scenes.

• Client ID - The client ID of the relying party. (The client ID you created in Keycloak.)

• Client Secret - The secret for the client you created. The Secret is found on the Credentials tab.

• Issuer - The server identifier, typically the base URL of the Keycloak server.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}

• Authorization URL - The authorization URL used to make the request for a user’s identity.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/auth

• Token URL - The URL that returns access token, ID token, and refresh token.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/token

• User Info URL - The URL that returns information about the currently signed-in user.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/userinfo

• Logout URL - The URL that users are returned to after they log out.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/logout