SSO Using SAML 2.0

This page explains how to configure the settings for the Security Assertion Markup Language (SAML) authentication protocol.

To set the SSO options, go to the Single Sign On configuration page, (Admin tab > Security & Access > Single Sign On), and toggle on the Single Sign On Configuration option at the top of the page.

Sisense supports the following certified SSO SAML identity providers:

• ADFS
• Auth0
• G Suite
• Keycloak
• Okta
• OneLogin
• PingId
• Salesforce

See Example SSO Setups Using Identity Providers for instructions on how to set up SSO for most of these identity providers.

See Troubleshooting SSO Using SAML for detailed troubleshooting information.

Enabling and Configuring

General Section

The following options are configured in the General section of the Single Sign On page:

• SSO can create new users and modify user permissions - The exact effect of this toggle depends on which option you select for Set Roles from Groups, (which is in the Groups section, see Groups Section, below):

  • When Use Defaults is selected:

    • Activating this toggle enables the creation of new Sisense users.
    • Deactivating this toggle prevents new users from logging in to Sisense.

  • When Define by Groups is selected:

    • Activating this toggle enables the creation of new Sisense users.
    • Deactivating this toggle enables existing users to log in to Sisense, but Sisense permissions remain unchanged. New users are prevented from logging in to Sisense.

• Method - Select the SAML 2.0 radio button.

• Remote Login URL - Enter the URL that Sisense should invoke to attempt remote authentication.
• Remote Logout URL - Enter the URL that Sisense should return users to after they log out.
• Public X.509 Certificate - Certificate from the identity provider that is used to ensure that you are authorized to enter Sisense.

User Attributes

The following fields are configured in the User Attributes section of the Single Sign On page:

• Email Claim (optional) - The name of the attribute in the token, (that was used in the handler's coding) that identifies the user's login or email.

• First Name Claim (optional) - The name of the attribute in the token, (that was used in the handler's coding) that identifies the user's first name.

• Last Name Claim (optional) - The name of the attribute in the token, (that was used in the handler's coding) that identifies the user's last name.

To override these defaults, enter the names of each of the claims from your identity protocol.

Groups Section

The options in the Groups section are different depending on which Set Roles from Groups option you select, Use Defaults, or Define by Group.

Use Defaults

If you select the Use Defaults option for Set Roles from Groups, each new user is assigned a default role according to the selection you make from one of following fields:

• Default User Roles - From the dropdown menu, select the default user role. Each new user is assigned to the selected default role. You cannot assign Admin roles to new users using this method.

• Default User Groups - Search for a group in this field and select it. Each new user is assigned to the selected default group.

Define by Group

Select the option Define by Group for Set Roles from Groups if you have defined a Group Claim for every new user. Every new user is assigned default roles according to your selections:

• Groups Claim (optional) - The value of the Group claim as defined by your identity protocol. For example, if your provider refers to groups as Groups, this is the value you enter in Groups Claim. The user is assigned roles according to the Groups Claim.

• Only associate users with the following group-role pairs - Enable this option so that users are only associated with groups selected from this list. If the user is associated with multiple groups, the one with the highest role is assigned.
  To create a group to role pairing, select a group (by search), select the user role (from drop-down list), and then click Add.