Wrong SSO User with Cloud Sisense & Iframed Dashboards

marklockhart · ‎06-14-2024

I am trying to find the best solution for a problem at a new job.

We use Sisense Cloud (linux) and use iframes to display dashboards from it on a Wordpress site.

Sisense is under one subdomain on our main domain, Wordpress on another.

Our PCs are shared in the field and we use an SSO through Entra for login to both Sisense and Wordpress.

Scenario:

A user logs in to Wordpress but another user was left logged into Sisense and not explicitly logged out through the Sisense logout link.

They log into WP using the SSO.

They are redirected to a page with iframed Sisense dashboards but will see them in the context of the last user to use Sisense directly. They will not see their own data unless they go to Sisense and log in there through the SSO or use the login bypass on Sisense directly.

Sisense is not informed of the new SSO login when it happens from the WP site. This makes it so in many situations the users afield are not seeing their data on the dashboards after logging into WP and have to visit Sisense directly to correct this. This leads to a lot of churn.

Following this article led me to add a popup window to the SSO with redirect back to Sisense. This works but is terrible UX. Entra SSO will not allow its login to be framed so I used a popup instead.

SisenseJS silent login approach | Sisense

I've tried using the Sisense API from WP but no luck there. Probably because they are not on the same subdomain and thus cannot touch each other's cookies. Domain is null on the cookie data from a call to the Sessions endpoint.

Being in the cloud limits options since I cannot customize the server.

Thanks and sorry for the long read!

Mark

marklockhart · ‎06-18-2024

Tried putting https://results.allianceatt.com/api/auth/logout as the SAML Logout Response URL and it works!

SSO logout from our website and from Sisense now kill each other's sessions too

Downside is when you log out from Sisense directly it shows you the JSON response from /logout.

Still seeking a better URL that works better, but this is a huge improvement and completes the Single Log Out flow of SSO

View solution in original post

DRay · ‎06-17-2024

Hi @marklockhart,

Thank you for your question.

I would like to have our support team work with you on this. They may be able to find a way to integrate your systems, and if they don't they can bring in a technical resource to work with you directly.

Are you able to open a support ticket?

David Raynor (DRay)

marklockhart · ‎06-17-2024

Hi @DRay

I do have a support ticket open now for this too.

Further investigation indicates this is due to incomplete SSO setup in our Entra IdP

The single log out URLs for the apps were not set, breaking their ability to log out other apps when a user clicked log out on them

Now I just can't figure out what that single log out (Logout Response) URL should be for our Sisense's SAML SSO

DRay · ‎06-17-2024

Hi @marklockhart.

Thank you for the update. Hopefully Support is able to help you with that. This document may help in the meantime. https://docs.sisense.com/win/SisenseWin/configuring-sisense-for-sso.htm#Logging-Users-Out