Configuring Sisense for Single Sign On

You can configure Sisense to authenticate users with Single Sign On (SSO). Sisense supports the JWT Token, SAML 2.0, and the OpenID Connect protocols.

The sections Logging Users Out and Setting User Attributes and Groups for All Types of SSO Connections apply to all three protocols.

Logging Users Out

When a user is logged into Sisense using the SSO authentication flow, a separate Sisense session is created. Anyone using that browser can access this Sisense session. Users remain logged in until the session ends or until the user manually logs out of Sisense.

The lifetime of the Sisense session depends on the Session Management configured in the Sisense application. For SSO via JWT, if the ‘exp’ parameter is passed in the JWT token, it overrides the default Session Management in Sisense for the user’s new session.

Note: The Sisense session is separate from the session of the SSO provider when SSO is used in Sisense embedding. You’ll need to revoke both sessions when the user logs out from the application that embeds Sisense.

To manually log a user out, access version 0.9 of the REST API. Through the Auth method, you can issue a GET request to log out the current user.

When the user logs out of the embedding application, you’ll also need to log the user out of Sisense. To do so, extend the logout action of your parent application so that it sends a cross-origin REST API request to Sisense. The relevant endpoint is GET API v0.9 ${Sisense_URL}/api/auth/logout. You must also do both of the following:

  1. Send the logout request with the {'xhrFields': {'withCredentials': true}} parameter.
  2. In the Sisense CORS settings, whitelist the website that initiates the logout.
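
The logout step described above, as an added example that is not part of the original page or of Sisense's own code. It uses the browser fetch API, where credentials: 'include' plays the role of xhrFields.withCredentials, and it reports which of the two sessions was actually closed. The names sisenseUrl, logoutOfParentApp and fetchImpl are assumptions made for the example.

```javascript
// Added example. sisenseUrl, logoutOfParentApp and fetchImpl are hypothetical
// names; only the /api/auth/logout endpoint comes from the page.

// Build the cross-origin call for GET ${Sisense_URL}/api/auth/logout.
function sisenseLogoutRequest(sisenseUrl) {
  return {
    url: sisenseUrl.replace(/\/+$/, '') + '/api/auth/logout',
    options: {
      method: 'GET',
      mode: 'cors',
      // fetch equivalent of jQuery's xhrFields: { withCredentials: true }.
      // Without it the browser sends no cookies on a cross-origin request.
      credentials: 'include',
      cache: 'no-store',
    },
  };
}

// End both sessions and report which ones were closed, so the parent
// application can tell when a Sisense session may still be open.
async function logoutEverywhere({ sisenseUrl, logoutOfParentApp, fetchImpl = fetch }) {
  const result = { sisense: false, parent: false, errors: [] };
  const { url, options } = sisenseLogoutRequest(sisenseUrl);
  try {
    const res = await fetchImpl(url, options);
    result.sisense = res.ok;
    if (!res.ok) result.errors.push(`Sisense logout returned HTTP ${res.status}`);
  } catch (err) {
    // A rejected fetch typically means the browser blocked the call, for
    // example because this origin is not allowed in the Sisense CORS settings.
    result.errors.push(`Sisense logout request failed: ${err.message}`);
  }
  try {
    await logoutOfParentApp(); // the parent application's own logout logic
    result.parent = true;
  } catch (err) {
    result.errors.push(`Parent logout failed: ${err.message}`);
  }
  return result;
}
```

If result.sisense is false, the Sisense session is still usable from that browser until it expires, so log the error and check the CORS settings.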

Setting User Attributes and Groups for All Types of SSO Connections

Setting User Attributes and Groups are optional SSO configurations for JWT, SAML 2.0, and OpenID Connect. If you or your SSO provider don’t use standard configurations, it might be necessary to configure these fields to override default mappings. If you use default configurations, you don’t need to configure these fields.

User Attributes

Sisense uses standard claims (key-value pairs) to identify users. You can override these claims, if you need to. The following table describes the standard claims used by Sisense:

Protocol        First Name                      Last Name                     Email                   Groups
JWT             firstName                       lastName                      sub                     groups
SAML 2.0        User.FirstName, user.firstname  User.LastName, user.lastname  User.Email, user.email  memberOf
OpenID Connect  give_name                       family_name                   email                   groups

If you want to override these defaults, enter the names of each of the claims from your provider.

Groups

Define a new user’s group attributes by selecting Use Defaults or Define by Group.

  1. Use Defaults: Every new user is assigned default roles. This is only relevant for new users and it doesn’t override existing roles or groups.
    • Default User Roles: Set the default user role. Select from Data Designer, Designer, or Viewer. You can’t assign Admin roles to new users this way. You need to create Admins as Sisense local users.
    • Default User Groups: The default group to be assigned to every new user. Search for a group in this field and select it.
  2. Define by Group: Define users based on group roles. Select this option if you have defined what group a new user should be assigned to through a Group claim. 
    • Groups Claim: The value of the Group claim as defined by your provider. For example, if your provider refers to groups as Groups, this should be the value you enter in Groups Claim.
    • Only associate users with the following group role pairs: Enable this option so that users will only be associated with groups from this list.
      1. Search for and select a group.
      2. Set the user role. Select from Data Designer, Designer, or Viewer.

      If the user object is associated with multiple groups, the one with the highest role is assigned. Click Add after each group.

Allow Creating New Users

Toggle on SSO can create new users and modify user permissions to allow your SSO configuration to create new users and modify existing user permissions, under the following conditions: