Example SSO Setups Using Identity Providers
This section explains how to configure different types of identity providers used to integrate with Sisense SSO.
Note:
If at any point you misconfigure the SSO session and are unable to log in via SSO, you can use the direct login:
https://{IP_or_site_URL}/app/account/login
Or, for a tenant:
https://{IP_or_site_URL}/{tenant_name}/app/account/login
Configuration Instructions for SAML
Follow these links to Sisense Community for instructions on setting up Sisense with the indicated third-party providers:
Configuration Instructions for OIDC
Keycloak
Step 1 - Keycloak Configuration
To set up Sisense application integration using Keycloak:
- Log in to Keycloak using an Admin account.
- To create a Realm, go to the Realm Settings dropdown menu (top-left corner) and click the Add realm button at the bottom of the list. Enter a name for the realm and click the Create button.
Note:
For self-contained multitenancy, each organization tenant should have a unique Realm and Client. Also, a tenant specific set of Valid Redirect URIs should be specified in the Settings tab for the Client.
- To create a client, select the Clients configuration option from the main menu. Click the Create button at the top-right side of the clients list to open the Add Client screen. Enter the desired Client ID and for Client Protocol select the openid-connect option. The Root URL can remain blank. Click Save. This will open the new tenant to the Settings configuration tab.
  Settings:
  - Name - Copy the Client ID
  - Access Type - Change from public to confidential
  - Service Accounts Enabled - Toggle to ON
  - Root URL - The root URL for your Sisense server: https://{Sisense_server}. (For example: http://12.345.67.89:12345, or http://test.sisense.com:12345.)
  - Valid Redirect URIs:
    - For the master system tenant: /openid_callback
    - For an organization tenant, create 2 redirect URIs which include the name of the tenant:
      /{tenant_name}/openid_callback
      /{tenant_name}
Step 2 - Sisense SSO Configuration
To set up the SSO Sisense configuration for Keycloak/OIDC, go to the Single Sign On configuration page (Admin tab > Security & Access > Single Sign On). Configure the following fields, and then go to the topic SSO Using OpenID Connect for instructions on how to complete the configuration:
- Scope - The client scope you created in Keycloak as comma-separated values. For example, email. The openid tag is appended automatically behind the scenes.
- Client ID - The client ID of the relying party. (The client ID you created in Keycloak.)
- Client Secret - The secret for the client you created. The Secret is found on the Credentials tab.
- Issuer - The server identifier, typically the base URL of the Keycloak server.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}
- Authorization URL - The authorization URL used to make the request for a user’s identity.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/auth
- Token URL - The URL that returns the access token, ID token, and refresh token.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/token
- User Info URL - The URL that returns information about the currently signed-in user.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/userinfo
- Logout URL - The URL that users are returned to after they log out.
  Use the following format: https://{Keycloak_server}/auth/realms/{tenantName}/protocol/openid-connect/logout
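
A check you can run after completing both steps, as an added example (not Sisense or Keycloak code): it compares the values entered in the Sisense fields with the OIDC discovery document that Keycloak serves at {Issuer}/.well-known/openid-configuration, and checks the client's Valid Redirect URIs against the list in Step 1. The server name, the tenant name acme, and all sample values are constructed; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Sisense SSO field -> key in the OIDC discovery document of the realm
FIELD_TO_DISCOVERY = {
    "Issuer": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",
}

def expected_redirect_uris(tenant_name=None):
    """Redirect URIs from Step 1; tenant_name=None means the master system tenant."""
    if tenant_name is None:
        return {"/openid_callback"}
    return {f"/{tenant_name}/openid_callback", f"/{tenant_name}"}

def lint(sisense_fields, discovery, client_redirect_uris, tenant_name=None):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for field, key in FIELD_TO_DISCOVERY.items():
        configured = sisense_fields.get(field, "").rstrip("/")
        advertised = discovery.get(key, "").rstrip("/")
        if configured != advertised:
            findings.append(f"{field}: Sisense has {configured!r}, Keycloak advertises {advertised!r}")
        elif urlsplit(configured).scheme != "https":
            findings.append(f"{field}: {configured!r} is not served over https")
    wanted = expected_redirect_uris(tenant_name)
    for uri in client_redirect_uris:
        if "*" in uri:  # a wildcard accepts more paths than this tenant's callback
            findings.append(f"Valid Redirect URIs: wildcard entry {uri!r}")
        elif uri not in wanted:
            findings.append(f"Valid Redirect URIs: unexpected entry {uri!r}")
    for uri in sorted(wanted - set(client_redirect_uris)):
        findings.append(f"Valid Redirect URIs: missing {uri!r}")
    return findings

# Constructed sample values (hypothetical Keycloak server and tenant).
BASE = "https://keycloak.example.com/auth/realms/acme"
DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": BASE + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": BASE + "/protocol/openid-connect/logout",
}
SISENSE = {field: DISCOVERY[key] for field, key in FIELD_TO_DISCOVERY.items()}
# Typical slip: one field still points at another realm.
SISENSE["User Info URL"] = BASE.replace("acme", "master") + "/protocol/openid-connect/userinfo"
print("\n".join(lint(SISENSE, DISCOVERY, ["/acme/openid_callback", "/acme/*"], "acme")))
```

To use it against a real realm, replace DISCOVERY with the JSON returned by your own discovery URL and SISENSE with the values from the Single Sign On page.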