SSO Using OpenID Connect

This page explains how to configure the settings for the OpenID Connect (OIDC) authentication protocol.

These are some of the certified SSO OIDC identity providers that Sisense supports:

Note:

If at any point you misconfigure the SSO session and are unable to log in via SSO, you can use the direct login:
https://{IP_or_site_URL}/app/account/login

Or, for a tenant:
https://{IP_or_site_URL}/{tenant_name}/app/account/login

See Troubleshooting SSO Using OpenID Connect for detailed troubleshooting information.

SSO for Multitenancy

The Tenant Admin of each tenant is responsible for managing the tenant SSO configuration. This can only be done when logged directly into the tenant itself (that is, https://<Sisense_hostname>/<tenant>/). For more information about how to manage self-contained tenants, see Managing Self-contained Tenants.

The identity provider admin must make sure to set up separate configurations for each tenant:

  • Keycloak - Each tenant should have a unique Realm and Client. A set of Valid Redirect URIs should be specified in the Settings tab for the Client.

  • OKTA - Each tenant should have a dedicated Application with the required Sign-in redirect URIs defined in the Login section.

Not assigning a redirect URI directly to the organization tenant will result in opening the default system tenant (which does not require a tenant name in the URL). While it is possible to allow redirect URIs using '*' for development and testing purposes, in a production environment a wildcard redirect URI poses a security risk, because it lets the authorization response be delivered to a destination that was never explicitly approved.
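As an added illustration of the per-tenant redirect URI rule above (example code, not part of the Sisense documentation or product), the following check generates the single exact redirect URI each tenant's identity provider client should allow and flags wildcards, non-HTTPS entries, and URIs that point at the default system tenant instead of the named tenant. The hostname, tenant names, and the callback path suffix are constructed placeholders; take the real callback path from your own deployment.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions for this example, not real Sisense values).
SISENSE_HOST = "https://sisense.example.com"
TENANTS = ["acme", "globex"]
CALLBACK_PATH = "/app/account/sso/callback"  # placeholder: use your deployment's real callback path


def expected_redirect_uris(host: str, tenants) -> dict:
    """Return the one exact redirect URI each tenant's IdP client should allow."""
    host = host.rstrip("/")
    return {t: f"{host}/{t}{CALLBACK_PATH}" for t in tenants}


def check_client_redirects(tenant: str, configured: list, expected: dict) -> list:
    """Audit the redirect URI list configured on one tenant's IdP client.

    Returns a list of human-readable findings; an empty list means the client
    allows exactly the tenant's own callback and nothing else.
    """
    findings = []
    want = expected[tenant]
    for uri in configured:
        if "*" in uri:
            # A wildcard lets the authorization response go to any matching URI.
            findings.append(f"wildcard redirect URI: {uri}")
            continue
        if urlsplit(uri).scheme != "https":
            findings.append(f"non-https redirect URI: {uri}")
        if uri != want:
            # Includes the default system tenant path (no tenant name in the URL),
            # which would log this tenant's users into the wrong tenant.
            findings.append(f"unexpected redirect URI: {uri}")
    if want not in configured:
        findings.append(f"missing exact redirect URI: {want}")
    return findings


if __name__ == "__main__":
    expected = expected_redirect_uris(SISENSE_HOST, TENANTS)
    for tenant, configured in {
        "acme": ["https://sisense.example.com/acme/app/account/sso/callback"],
        "globex": ["https://sisense.example.com/*"],
    }.items():
        print(tenant, check_client_redirects(tenant, configured, expected) or "OK")
```

Run it against the redirect URI lists exported from each Keycloak client or Okta application; any finding other than an empty list is something to fix before the tenant goes to production.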

Enabling and Configuring

To set the SSO options, go to the Single Sign On configuration page (Admin tab > Security & Access > Single Sign On), and toggle on the Single Sign On Configuration option at the top of the page.

General Section

The following options are configured in the General section of the Single Sign On page:

  • SSO can create new users and modify user permissions - The exact effect of this toggle depends on which option you select for Set Roles from Groups (which is in the Groups section, see Groups Section, below):

    • When Use Defaults is selected:

      • Activating this toggle enables the creation of new Sisense users.
      • Deactivating this toggle prevents new users from logging in to Sisense.
    • When Define by Group is selected:

      • Activating this toggle enables the creation of new Sisense users.
      • Deactivating this toggle enables existing users to log in to Sisense, but Sisense permissions remain unchanged. New users are prevented from logging in to Sisense.
  • Method - Select the OpenID Connect radio button.

  • Scope - Enter the scope value defined in the identity provider SSO setup for the Sisense site.
  • Client ID - Enter the client ID defined in the identity provider SSO setup for the Sisense site.
  • Client Secret - Enter the Client Secret defined in the identity provider SSO setup for the Sisense site.
  • Issuer - Enter the issuer value defined in the identity provider SSO setup for the Sisense site.
  • Authentication URL - Enter the authentication URL defined in the identity provider SSO setup for the Sisense site. This is the URL to the login page of your identity provider where Sisense redirects the user when they try to access a dashboard.
  • Token URL - Enter the token URL defined in the identity provider SSO setup for the Sisense site. This is the URL that returns access tokens, ID tokens, and refresh tokens.
  • User Info URL - Enter the user info URL defined in the identity provider SSO setup for the Sisense site. This is the URL that returns information about the currently signed-in user.
  • Logout URL - Enter the logout URL defined in the identity provider SSO setup for the Sisense site. This is the URL users are redirected to when they log out of Sisense.
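The Issuer, Authentication URL, Token URL, User Info URL, and Logout URL fields above correspond to standard keys in the identity provider's OpenID Connect discovery document (served at {issuer}/.well-known/openid-configuration). The following added example (not part of the Sisense documentation or product) parses a constructed discovery document, maps its keys onto the Sisense field names, and checks that every endpoint is HTTPS and on the issuer's host, and that the Scope value includes openid and only scopes the provider advertises. The provider hostname and realm path are assumptions; the code reads an inline string rather than fetching the document so it runs offline.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document in the shape of an OIDC discovery response.
# The hostname and realm path are assumptions for this example.
SAMPLE_DISCOVERY = """{
  "issuer": "https://idp.example.com/realms/acme",
  "authorization_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/auth",
  "token_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/token",
  "userinfo_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/logout",
  "scopes_supported": ["openid", "profile", "email"]
}"""

# Sisense General section field -> discovery document key.
FIELD_KEYS = {
    "Issuer": "issuer",
    "Authentication URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",
}


def fields_from_discovery(doc_json: str) -> dict:
    """Return the values to paste into the Sisense General section."""
    doc = json.loads(doc_json)
    return {field: doc.get(key) for field, key in FIELD_KEYS.items()}


def validate_fields(fields: dict) -> list:
    """Sanity-check the endpoint URLs before entering them; returns a list of problems."""
    problems = []
    issuer = fields.get("Issuer")
    if not issuer:
        return ["missing Issuer"]
    issuer_host = urlsplit(issuer).netloc
    for name, url in fields.items():
        if not url:
            problems.append(f"{name} is missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Codes and tokens travel over these URLs; plain HTTP exposes them.
            problems.append(f"{name} is not https: {url}")
        if parts.netloc != issuer_host:
            # An endpoint on another host means a typo or a mixed-up provider.
            problems.append(f"{name} host {parts.netloc} differs from issuer host {issuer_host}")
    return problems


def check_scope(doc_json: str, scope: str) -> list:
    """Check the space-separated Scope value against what the provider advertises."""
    supported = set(json.loads(doc_json).get("scopes_supported", []))
    requested = scope.split()
    problems = []
    if "openid" not in requested:
        problems.append("scope must include openid")  # required for an ID token
    for s in requested:
        if supported and s not in supported:
            problems.append(f"scope '{s}' not advertised by provider")
    return problems


if __name__ == "__main__":
    fields = fields_from_discovery(SAMPLE_DISCOVERY)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("problems:", validate_fields(fields) or "none")
    print("scope problems:", check_scope(SAMPLE_DISCOVERY, "openid profile email") or "none")
```

Copying the values out of the discovery document rather than typing them by hand avoids the most common cause of a broken SSO configuration, a mismatch between the Issuer field and the iss claim the provider actually puts in its tokens.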

User Attributes

The following fields are configured in the User Attributes section of the Single Sign On page:

  • Email Claim (optional) - The name of the claim in the token (as issued by your identity provider) that identifies the user's login or email.

  • First Name Claim (optional) - The name of the claim in the token (as issued by your identity provider) that identifies the user's first name.

  • Last Name Claim (optional) - The name of the claim in the token (as issued by your identity provider) that identifies the user's last name.

To override the defaults, enter the name of each claim exactly as your identity provider issues it.

Groups Section

The options in the Groups section are different depending on which Set Roles from Groups option you select, Use Defaults, or Define by Group.

Use Defaults

If you select the Use Defaults option for Set Roles from Groups, each new user is assigned a default role according to the selection you make from one of the following fields:

  • Default User Roles - From the dropdown menu, select the default user role. Each new user is assigned to the selected default role. You cannot assign Admin roles to new users using this method.

  • Default User Groups - Search for a group in this field and select it. Each new user is assigned to the selected default group.

Define by Group

Select the option Define by Group for Set Roles from Groups if you have defined a Group Claim for every new user. Every new user is assigned default roles according to your selections:

  • Groups Claim (optional) - The name of the groups claim as issued by your identity provider. For example, if your provider refers to groups as Groups, this is the value you enter in Groups Claim. The user is assigned roles according to the Groups Claim.

  • Only associate users with the following group-role pairs - Enable this option so that users are only associated with groups selected from this list. If the user is associated with multiple groups, the one with the highest role is assigned.
    To create a group-to-role pairing, select a group (by search), select the user role (from the drop-down list), and then click Add.
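The following added example (not part of the Sisense documentation or product) models the provisioning rules described in the User Attributes and Groups sections and in the "SSO can create new users and modify user permissions" toggle: it reads the login, first name, and last name out of a decoded ID token using the configured claim names, then applies either the Use Defaults path or the Define by Group path, including the "highest role wins" rule and the "Only associate users with the following group-role pairs" option. The token claims, the role names, and the role precedence order are constructed assumptions; the real role set comes from your Sisense instance, and the token's signature is assumed to have been verified before these claims are trusted.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed decoded ID token claims (signature verification assumed to have
# happened upstream). Claim names mimic a directory-style provider.
SAMPLE_CLAIMS = {
    "sub": "u-1001",
    "mail": "dana@example.com",
    "givenName": "Dana",
    "sn": "Levi",
    "memberOf": ["Analysts", "Designers", "Everyone"],
}

# Precedence used to pick "the highest role" when several groups match.
# Role names and their order are assumptions for this example.
ROLE_RANK = {"Viewer": 0, "Designer": 1, "Data Designer": 2, "Admin": 3}


@dataclass
class SsoConfig:
    create_users: bool = True              # "SSO can create new users and modify user permissions"
    set_roles_from: str = "Use Defaults"   # or "Define by Group"
    email_claim: str = "email"             # Email Claim
    first_name_claim: str = "given_name"   # First Name Claim
    last_name_claim: str = "family_name"   # Last Name Claim
    groups_claim: str = "groups"           # Groups Claim
    default_role: str = "Viewer"           # Default User Roles
    default_group: Optional[str] = None    # Default User Groups
    group_role_pairs: dict = field(default_factory=dict)  # group -> role pairs
    only_listed_pairs: bool = False        # "Only associate users with the following group-role pairs"


def user_attributes(claims: dict, cfg: SsoConfig) -> dict:
    """Read login/email and names from the token using the configured claim names."""
    return {
        "email": claims.get(cfg.email_claim),
        "first_name": claims.get(cfg.first_name_claim),
        "last_name": claims.get(cfg.last_name_claim),
    }


def roles_from_groups(claims: dict, cfg: SsoConfig) -> dict:
    """Apply the group-role pairs; the highest-ranked role wins when several match."""
    token_groups = claims.get(cfg.groups_claim) or []
    matched = {g: cfg.group_role_pairs[g] for g in token_groups if g in cfg.group_role_pairs}
    role = max(matched.values(), key=lambda r: ROLE_RANK[r]) if matched else None
    # With the "only associate" option, groups outside the pair list are dropped.
    groups = list(matched) if cfg.only_listed_pairs else list(token_groups)
    return {"role": role, "groups": groups}


def provision(claims: dict, cfg: SsoConfig, user_exists: bool) -> dict:
    """Decide what an SSO login does, following the toggle semantics of the General section."""
    if not user_exists and not cfg.create_users:
        return {"allowed": False, "reason": "new users cannot log in while the create-users toggle is off"}
    result = {"allowed": True, "attributes": user_attributes(claims, cfg)}
    if cfg.set_roles_from == "Use Defaults":
        if not user_exists:
            if cfg.default_role == "Admin":
                raise ValueError("Admin cannot be assigned as a default role for new users")
            result["role"] = cfg.default_role
            result["groups"] = [cfg.default_group] if cfg.default_group else []
        return result
    # Define by Group
    if user_exists and not cfg.create_users:
        result["permissions_changed"] = False  # existing user logs in, permissions untouched
        return result
    result.update(roles_from_groups(claims, cfg))
    return result


if __name__ == "__main__":
    cfg = SsoConfig(set_roles_from="Define by Group", email_claim="mail",
                    first_name_claim="givenName", last_name_claim="sn", groups_claim="memberOf",
                    group_role_pairs={"Analysts": "Viewer", "Designers": "Designer"},
                    only_listed_pairs=True)
    print(provision(SAMPLE_CLAIMS, cfg, user_exists=False))
```

Because the role is chosen by precedence, the set of group-role pairs is worth reviewing whenever a new group is mapped: adding one high-privilege pairing promotes every user who belongs to that group, regardless of their other memberships.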