Introduction to SSO

Applicable to Sisense on Microsoft Windows

If you want to learn about SSO in Linux, see Introduction to SSO.

Single Sign-On (SSO) is a mechanism that allows a system to authenticate users and subsequently tell Sisense that the user has been authenticated. The user is then allowed to access Sisense without being prompted to enter separate login credentials.

The SSO security mechanism allows Sisense to trust the login requests it gets from your corporate authentication system, and grant access to the users that have been authenticated by it. An SSO session begins when the authenticated user requests a secured resource from Sisense while logged into your site or application. The user’s browser sends an HTTP request to Sisense that includes a cookie which contains session and authentication information. This information is then used for session validation.

Users who already have Sisense accounts can continue to access Sisense through the Sisense Login page with their current accounts. To prevent users from logging in to Sisense directly instead of through your login page, your Sisense administrator can change the passwords of your current users, forcing them to log in with your company’s credentials on your company’s login page.

Sisense recommends that administrators always keep a Sisense password, so that the administrator can access Sisense in case the SSO server is not available.

Sisense SSO supports three SSO protocols for securing the exchange of user authentication data: SSO via JWT, SSO via SAML 2.0, and OpenID Connect.

Accessing Sisense after SSO is Deployed

When accessing Sisense directly from the Login page, you can log in through Sisense by entering your username and password, or by clicking the link at the bottom and logging in through your SSO provider.

For Administrators, in cases where your SSO server is down or you have switched providers, you can log in to Sisense through a backdoor:

  1. Log out of Sisense and return to the Login page.
  2. Click Reset Password.
  3. Enter the email address of your Administrator account. This only works for Sisense Administrators; other users cannot bypass the SSO authentication flow. You will receive an email at the address you entered with a link to log into Sisense. From this link you can access Sisense without going through the SSO authentication flow.

Retrieving a Password

On the Login page, users can reset their password through the Forgot Password link. Users who access Sisense through SSO and forgot their password cannot reset it through the Forgot Password link unless you have defined a local password for them.

Limiting who Receives a Sisense User

When your user authenticates via SSO and then enters Sisense for the first time, a Sisense user is generated and associated with that user. Each user accounts for one of the Sisense users included in your Sisense license.

If you want to prevent SSO users who do not already have a Sisense user from logging in via SSO and creating a Sisense user, you can disable the default functionality. In the Admin page, under Single Sign On, toggle the Allow Creation of New Users via SSO switch to disabled.

When Allow Creation of New Users via SSO is disabled, SSO users who do not already have a Sisense user account cannot log in via SSO.

In addition, sharing dashboards with users outside of your current list of Sisense users is not possible. If you try to share a dashboard with a user not associated with a Sisense account, the message "There are no users or groups matching your criteria" is displayed.

When Allow Creation of New Users via SSO is disabled, Sisense also prevents Active Directory users that do not have a Sisense user account from accessing Sisense.