SSO via SAML 2.0
The Sisense SAML authentication process is based on the SAML 2.0 protocol, and is explained in the following diagrams:
The first phase of this process begins when a user requests a resource from Sisense via their browser (1). The browser generates a resource request to the Sisense server. The server processes this request (2), and for unauthenticated users, returns a special save-hash page to save the requested hash data.
After the browser loads the save-hash page from the Sisense server, it runs a script, which loads the requested resource hash from the URL and sends it to the Sisense Server (3).
At the end of this phase, the Sisense Server converts the requested resource URL and sends it to the browser as a part of the redirect to IdP Server command (4).
The second phase of the authentication process starts after the browser retrieves the redirect command from the Sisense Server, and sends the authentication request to the IdP Server (1) as described in the diagram below.
The base URL for this request is taken from the Remote Login URL field in the Single Sign On section of the Admin page in the Sisense Web Application.
The requested resource address is passed to this request as a RelayState parameter. All other data is provided as a SAMLRequest parameter.
The next step of this phase depends on the user authentication state and the IdP implementation.
If the current user isn’t logged in as an IdP user, the IdP server redirects the browser to your Login page (2), where the user enters their IdP credentials. After logging in, the IdP Server sends the browser the Auto-Sign-In page with encoded data about the currently logged-in user (4).Note: Two-factor authentication for Sisense is supported for SSO providers that support two-factor authentication.
After this document is loaded in the user’s browser, it runs a script which creates the POST-query to the Sisense Server API, and passes the SAML response to this query (1). At this time, the third phase of the authentication process begins.
The Sisense Server handles the POST-query (2), decrypts it with the certificate specified in the Public X.509 Certificate field defined in the Single Sign On section of the Admin page. The Sisense Server uses the decrypted User ID as a key to locate the Sisense user in the internal database.
If a user is not found in the system, Sisense creates a new user (3).
Associating SSO Users with Sisense Groups
When Sisense creates a new user, Sisense analyzes the “memberOf” field to locate one or more groups related to the logged-in user.
If the “memberOf” field is empty, the user is assigned the role: “Viewer”. If the “memberOf” field contains one or more groups, and the groups were previously defined in Sisense, the newly created users’ Role is taken from the groups’ default role. When multiple Sisense Groups are found, the user is assigned the role with the maximum privileges.
Note: Sisense limits the default role that can be assigned to Designer or Viewer. No higher default group roles can be assigned.
After a user is created in the system, an administrator can modify the user role, if needed.
Below, is an example of an SAML XML where the “Test” group is specified:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic Name="memberOf"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"> Test </saml:AttributeValue> </saml:Attribute>
After the user is located or created, a new session is initialized, and the Sisense Server redirects the user browser to the requested resource (4).
Enabling SSO via SAML in Sisense
After you have configured your SAML server, sign in to Sisense as an Administrator and follow the instructions below.
To enable SAML in Sisense:
- In the Sisense Web Application, click Admin and select Single Sign On.
- In the Single Sign On page, select SAML 2.0.
- In the Remote Login URL field, enter the SAML Login endpoint. Sisense redirects the user to this field when they sign in. This value should be provided by the IdP Service.
- In the Remote Logout URL field, enter the SAML Logout endpoint. Sisense redirects the user to this field when they sign out. This value should be provided by the IdP Service.
- In the Public X.509 Certificate field, enter your public key for your SAML configuration. This value should be provided by the IdP Service.
- Click Save. SSO via SAML 2.0 is configured.
Sisense Default Role Set-Up
When an authenticated user is not found in the Sisense database, a new account is created. The user role is specified based on the user group/groups default role.
To define a group’s role:
- In the Sisense Web Application, click Admin and select Groups.
- Click Add Group. The Create a New Group window is displayed.
- In the Create a New Group window, select the default role of the group.
- Click Save.
Note: Changes to the group’s default role are applied when new users are created, and do not affect existing users. After a user is created in the system, an administrator can modify the user role, if needed.
For instructions on setting up Sisense with some 3rd-party providers, see:
- Setting Up SSO SAML 2.0 with Okta
- Setting Up SSO SAML 2.0 with OneLogin
- Setting Up SSO SAML 2.0 with Auth0
- Setting Up SSO SAML 2.0 With Salesforce
- Setting Up SSO SAML 2.0 With ADFS
- Setting Up SSO SAML 2.0 With G Suite