Introduction to SSO

Applicable to Sisense on Linux and Microsoft Windows

For information about authenticating with Google, see Google Authentication.

Single Sign-On (SSO) is a mechanism that allows a system to authenticate users from your corporate authentication system. Sisense trusts the login request and grants access to Sisense without being prompted to enter separate login credentials.

An SSO session begins when the authenticated user requests a secured resource from Sisense while logged into your site or application. The user’s browser sends an HTTP request to Sisense that includes a cookie which contains session and authentication information. This information is then used for session validation.

Users who already have Sisense accounts can continue to access Sisense through the Sisense Login page with their current accounts. To prevent users from directly logging in to Sisense instead of your login page, your Sisense Administrator can change the passwords of your current users forcing them to log in with your company’s credentials in your company’s login page.

Sisense recommends that administrators always keep a Sisense password, so that the administrator can access Sisense in case the SSO server isn't available.

Sisense SSO supports three SSO protocols for securing the exchange of user authentication data , SSO via JWT, SSO via SAML 2.0 (Security Assertion Markup Language), and OpenID Connect.

Accessing Sisense after SSO is Deployed

When accessing Sisense directly from the Login page, you enter your username and password, or click the link at the bottom and log in through your SSO provider.

For Administrators, if your SSO server is down or you switched providers, you can log in to Sisense through a backdoor:

  1. Log out of Sisense and return to the Login page.
  2. Click Reset Password.
  3. Enter the email address of your Administrator account. This only works for Sisense Administrators. You'll receive an email to the address you entered with a link to log into Sisense. From this link you can access Sisense without going through the SSO authentication flow. Other users can't bypass the SSO authentication flow.

Retrieving a Password

On the Login page, users can reset their password through the Forgot Password link. Users who are accessing Sisense through SSO and forgot their password, can't reset their password through the Forgot Password link unless the Administrator defined a local password for them.

Limiting who Receives a Sisense User

When your user authenticates via SSO and then enters Sisense for the first time, a Sisense user is generated and associated with that user. Each user who logs in this way is counted as one of your Sisense users per your Sisense license.

To prevent SSO users who don't already have a Sisense user from logging in via SSO and creating a Sisense user, you can disable the default functionality. In the Admin page, under Single Sign On, toggle the Allow Creation of New Users via SSO switch to disabled.

When Allow Creation of New Users via SSO is disabled, SSO users who don't have a Sisense user account already, can't log in via SSO.

Sharing dashboards with users outside of your current list of Sisense users isn't possible. If you try to share a dashboard with a user not associated with a Sisense account, the message "There are no users or groups matching your criteria" is displayed.

When disabled, Sisense also prevents Active Directory users who don't have a Sisense user account from accessing Sisense when Allow Creation of New Users via SSO is disabled.

Administrator Backdoor

If you need to bypass the SSO authentication process for any reason, follow the steps below to log in to Sisense:

  1. Log out of Sisense to display the Login page.
  2. Click Reset Password.
  3. Enter the email address of your Administrator account. This only works for Sisense Administrators, other users can't bypass the SSO authentication flow. You'll receive an email to the email address you entered with a link to log into Sisense. From this link you can access Sisense without going through the SSO authentication flow.