Setting Up SSO SAML 2.0 With Keycloak
Keycloak supports applications that support SAML 2.0, such as Sisense. This page describes how to add Sisense to Keycloak and configure SSO support with SAML 2.0 by creating a Keycloak client and connecting it to Sisense. This article assumes you have a Keycloak IdP server configured.

Note: This page reflects a 3rd party’s application which may change. If the steps described here do not match what you see in your Keycloak account, you can use the generic Sisense SAML documentation, along with the IdP’s documentation.

Connecting Sisense To Keycloak

To connect Sisense to Keycloak:

1. Download sisense_client_config.json to your PC.
2. Log in to your Keycloak admin console (http://localhost:8080/auth/admin/).
3. Select Clients from the left menu.
4. Click Create.
5. In the Add Client window, click Select File.
6. In the file explorer popup window, locate the file downloaded in Step 1 and click Open.
7. Back in the Add Client window, click Save.
8. In the Settings tab of the opened Sisense client page, expand the Fine Grain SAML Endpoint Configuration section.
9. In the Assertion Consumer Service Redirect Binding URL field, replace "localhost:8081" with your domain name. If using a secure connection, replace "http" with "https".
10. Update the value of the Assertion Consumer Service Redirect Binding URL to match the value of the Assertion Consumer Service Redirect Binding URL (from the previous step).
11. Click Save.
12. Click the Installation tab.
13. From the Format Option, select Mod Auth Mellon Files and click Download.
14. Extract the downloaded keycloak-mod-auth-mellon-sp-config.zip.
15. Open the idp-metadata.xml file from the extracted folder.
16. Open your Sisense web application.
17. Go to the Admin tab and click the Single Sign On menu item.
18. Select SAML 2.0 as the Method option.
19. In the idp-metadata.xml file, locate the following element:

```xml
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Location="http://localhost:8080/auth/realms/Sisense/protocol/saml" />
```

20. Copy the value of the Location attribute to the Remote Login URL field in Sisense.
21. In the idp-metadata.xml file, locate <dsig:X509Certificate>.
22. Copy the value of the X509 certificate to the Public X.509 Certificate field in Sisense.
23. Enable Single Sign On by clicking the switch button.
24. Click Save.

Setting Up SSO SAML 2.0 with G Suite
G Suite is a package of cloud-based services that can provide your company or school with a whole new way to work together online, not just using email and chat, but over video conferences, social media, real-time document collaborations, and more.

Users can use their G Suite credentials to sign in to enterprise cloud applications via Single Sign-On (SSO). An identity and access management (IAM) service provides administrators with a single place to manage all users and cloud applications. You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IAM service provides your users with a unified sign-on across all their enterprise cloud applications.

This page describes how to add Sisense to G Suite and configure SSO support with SAML 2.0.

Note: This page reflects a 3rd party’s application which may change. If the steps described here do not match what you see in your G Suite account, you can use the generic Sisense SAML documentation, along with the IdP’s documentation.

Connecting Sisense to G Suite

Log in to your admin.google.com account with your G Suite account.
Select Apps on the main page.
Select SAML apps.

Step 1: Create a new application using the “+” button or “SETUP MY OWN CUSTOM APP”.
Step 2: Download the certificate or IdP metadata and save the SSO URL. Use Notepad to open the certificate or metadata file and save the lines starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. This information will be used for the Sisense SAML configuration.
Step 3: Enter the Application Name: Sisense.
Step 4: Enter the ACS URL: https://yourSisensedomain.com/api/v1/authentication/login_saml_callback/ and the Entity ID: Sisense. Enable Signed Response and select the Name ID Format.
Step 5: Add a new mapping for User.email. Click Finish, then OK in the popup window.

Enable the Sisense application for all users.
In the Sisense SSO page, add the Remote Login URL (saved in Step 2) and the certificate.
Click Save.

Users who access any of the web pages on your Sisense server will be redirected to Google G Suite authentication.

Redirecting Login Bypass Pages to the SSO Login Page
1. Open the File Management: Navigate to `Admin -> App Configuration -> File Management`. If the "File Management" option is not available, enable it under `App Configuration -> Feature Management`.

2. Create the Plugin Folder: Open the `serverSidePlugins` folder and create a new folder with a descriptive name, such as `loginPageRedirect`. Inside this folder, create an `index.js` file with the following code:

```javascript
// Sisense SSO settings, loaded from the server's configuration module
const ssoSettings = require(`${process.cwd()}/node_modules/@sisense/sisense-configuration`).sso;

module.exports = {
    method: "GET",
    // Native login pages that would otherwise bypass SSO
    url: [
        "/app/account/login",
        "/app/account"
    ],
    beginRequest: (req, res, next) => {
        if (ssoSettings.enabled) {
            const host = encodeURIComponent(req.get('host'));
            const { ssoType } = ssoSettings;
            // Pick the SSO entry point that matches the configured SSO type
            const redirectionUrl = (ssoType === 'jwt')
                ? ssoSettings.loginUrl
                : (ssoType === 'saml')
                    ? `/saml?address=${host}`
                    : `/openid?return_to=${host}`;
            res.redirect(redirectionUrl);
        } else {
            // SSO is disabled: continue to the native login page
            next();
        }
    }
};
```

3. Enable Server-Side Plugins: Ensure that server-side plugins are enabled in the configuration settings. Navigate to `Admin -> Server & Hardware -> System Configuration -> Configuration -> Show Advanced Settings`. Check if the "Server Side Plugins Enable" feature is enabled.

4. Save and Verify: Save the `index.js` file and verify that the server-side plugins are correctly enabled.

This setup ensures that any attempt to bypass the login by using the workaround links will redirect users to the SSO login page, enhancing your security measures.

Setting Up SSO SAML 2.0 with Okta
Okta provides secure identity management and single sign-on to applications that you can add to your Okta account. From Okta, you and your users can log in to Okta and then access applications such as Sisense without having to log in to each application. Okta supports applications that support SAML 2.0, such as Sisense. This page describes how to add Sisense to Okta and configure SSO support with SAML 2.0.

Note: This page reflects a 3rd party’s application which may change. If the steps described here do not match what you see in your Okta account, you can use the generic Sisense SAML documentation, along with the IdP’s documentation.

Adding Sisense to Okta

To add Sisense to Okta:

1. Log in to Okta.
2. In the menu bar, click Applications -> Browse App Catalog.
3. In the Search field, enter Sisense and choose the Sisense SAML app. Then click Add Integration.
4. Put the Sisense application URL in Base URL and press Done.

Sisense is added to your Apps. After you configure SAML 2.0 for Sisense, you can click this application in Okta to launch your Sisense dashboard.

Configuring SAML 2.0 for Sisense

To configure SAML 2.0:

1. Under the Applications tab, select Applications.
2. In the Applications page, click Sisense.
3. In the Sisense app menu bar, click the Sign On tab -> Edit. Okta’s setup instructions are expanded. Click More Details to get the SSO information that Sisense needs to configure SSO.
4. From the Okta setup instructions, copy the Remote Login URL, Remote Logout URL, and Download Signing Certificate.
5. In the Sisense Web Application, select Single Sign On under the Admin tab.
6. In the Single Sign On page, activate SSO.
7. In the Remote Login URL, Remote Logout URL, and Public X-509 Certificate fields, enter your Okta SSO details described in Step 4 of this procedure.
8. Click Save.

The Okta users you assigned to the Sisense application can access Sisense through Okta without having to log in to Sisense directly.

Logging Users Out Of Sisense From Your Site
Download: Post Message

Introduction

The following forum post explains how to log your users out of Sisense from your native application.

Purpose

Single sign-on (SSO) systems enable your users to authenticate themselves in your online services and then in Sisense with one authentication credential. After your users' session has ended, it is your responsibility to develop and implement the means of logging your users out of Sisense through your application. For example, if your user is logged into Sisense through an embedded iFrame on your site or application and clicks a “Log Out” link on your site, your implementation must invoke the Sisense Logout API.

Note: your users' browser may prevent your application from invoking the Sisense Logout API because of CORS (Cross-Origin Resource Sharing).

One way you can log your users out and overcome CORS is through the Post-Message method. The window.postMessage() method securely enables cross-origin communication. The Post-Message plugin attached to this post implements a listener for the window.postMessage() method. When window.postMessage() is called, it triggers a MessageEvent in the browser. The Post-Message plugin listens for this event and calls the auth/logout method of the Sisense REST API, logging your user out of Sisense.

Sisense logout endpoint (GET): /api/v1/authentication/logout

The postMessage() method takes two parameters:

message: An object to be sent to Sisense that should contain {logout:true}; the plugin is triggered only when this parameter is included.
targetOrigin: The Sisense URL of the window that the message is being sent to, including the protocol prefix (for example, http://) and the port.

For example:

```javascript
postMessage({logout:true},'http://localHost:8081');
```

Steps

1. Download the Zip file below and extract its files to \...\Sisense\PrismWeb\plugins. If you do not have this folder, create the \plugins folder and then extract the files to it. If you are using version 7.2 and higher, unzip the contents into your C:\Program Files\Sisense\app\plugins\ folder.
2. Develop the functionality in your site or application that implements the Post-Message plugin to call the logout method of the Sisense REST API.
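
Both sides of the Post-Message logout exchange described above, as an added example (not the attached Post-Message plugin and not Sisense's own code): the parent page posts {logout:true} to an explicit targetOrigin, and the listener accepts it only from an allow-listed origin before calling the logout endpoint. The function names, the allow-list, and the sample origin are assumptions for illustration.

```javascript
// Added example; not the attached Post-Message plugin. Names and origins are assumptions.
const LOGOUT_PATH = '/api/v1/authentication/logout'; // endpoint named on this page (GET)

// Parent-site side: post the logout message to the embedded Sisense frame.
// targetOrigin is the exact Sisense origin (scheme, host, port), not '*', so the
// browser drops the message if the frame is showing any other origin.
function requestSisenseLogout(frameWindow, sisenseOrigin) {
  frameWindow.postMessage({ logout: true }, sisenseOrigin);
}

// Sisense side: decide what to do with one MessageEvent.
function classifyMessage(event, allowedOrigins) {
  // event.origin is set by the browser and cannot be forged by the sender.
  if (!allowedOrigins.includes(event.origin)) return 'reject-origin';
  const data = event.data;
  // Only the payload shape described on the page triggers a logout.
  if (data === null || typeof data !== 'object' || data.logout !== true) {
    return 'reject-payload';
  }
  return 'logout';
}

// Build the listener. doFetch is injected (window.fetch in a browser) so the
// handler can be exercised without a network.
function createLogoutListener(allowedOrigins, doFetch) {
  return function onMessage(event) {
    const verdict = classifyMessage(event, allowedOrigins);
    if (verdict === 'logout') {
      // Relative URL: the request goes to the Sisense origin the listener runs
      // on, so it is same-origin and the session cookie is sent with it.
      Promise.resolve(doFetch(LOGOUT_PATH, { method: 'GET', credentials: 'same-origin' }))
        .catch((err) => console.error('Sisense logout request failed:', err));
    }
    return verdict;
  };
}

// Browser wiring; skipped when no window object exists (for example under Node).
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  const PARENT_ORIGINS = ['https://portal.example.com']; // constructed sample value
  window.addEventListener('message', createLogoutListener(PARENT_ORIGINS, window.fetch.bind(window)));
}
```
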
SSO Java example
Make sure you have a reference for each of the imported libraries mentioned in the code in the file pom.xml. Use this example of generating a JWT and adjust it to suit your case.

```java
import java.io.UnsupportedEncodingException;
import java.util.Date;

import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.view.RedirectView;

import javax.servlet.http.HttpServletRequest;

import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class SSOHandler {

    // The method must declare the exception because getBytes("UTF-8") is used on the shared secret key
    public RedirectView processRequest() throws UnsupportedEncodingException {
        HttpServletRequest request =
                ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();

        // Placeholder value; replace with your shared secret
        String sharedSecret = "shared_secret_key";

        // The JWT signature algorithm we will be using to sign the token
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;

        // In Java the secret should be in UTF-8 format or the generated JWT will be invalid
        byte[] b = sharedSecret.getBytes("UTF-8");

        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);

        String subject = "[email protected]"; // should be supplied by the requester

        JwtBuilder builder = Jwts.builder()
                .setSubject(subject)
                .setIssuedAt(now)
                //.setAudience("sisense")
                .setHeaderParam("typ", "JWT")
                .signWith(signatureAlgorithm, b);

        String jwt = builder.compact();

        // Any dashboard or widget to redirect the user to after authentication (optional)
        String return_to = "/app/main";

        String redirectUrl = "http://sisense.exampleWebsite.com:8111/jwt?jwt=" + jwt; // + "&return_to=" + return_to;
        return new RedirectView(redirectUrl);
    }
}
```

Setting Up SSO SAML 2.0 with OneLogin
OneLogin is a single sign-on service where its users only have to enter one set of credentials to access their web apps in the cloud and behind the firewall, including Sisense. OneLogin’s policy-driven password security and multi-factor authentication ensure that only authorized users get access to your dashboards. This page describes how to add Sisense to OneLogin and configure SSO support with SAML 2.0.

Note: This page reflects a 3rd party’s application which may change. If the steps described here do not match what you see in your OneLogin account, you can use the generic Sisense SAML documentation, along with the IdP’s documentation.

Adding Sisense to OneLogin

OneLogin provides access to online applications through their centralized portal. To access Sisense from OneLogin, you need to create a OneLogin app. Your users can then authenticate through OneLogin and then be redirected to the Sisense Web Application. This procedure explains how to add Sisense to your OneLogin account and then configure Sisense SSO with your OneLogin settings.

To add Sisense to your OneLogin configuration:

Create a sub-domain account at https://www.onelogin.com. This account is a subdomain for your account. For example, Sisense would be www.sisense.onelogin.com.
In your OneLogin sub-domain account, select Apps > Add Apps.
In the Search field, enter SAML Test Connector (IdP w/ attr w/ sign response). As you begin typing, the relevant results are displayed; make sure that you select the correct result.
You can keep this name for your app, or define a new name in the Display Name field. The name you enter is the name displayed to your OneLogin SSO users.
Click Save. You are redirected to your app’s Settings page.
Select the Users tab.
In the Users tab, verify that your users are listed. If not, select Users > All Users.
Click the relevant user’s name to add the application to their account. When you click their name, the user’s settings are displayed.
In the Applications page, select + > New app.
Select your new app from the list and click Continue > Save.
Select APPS > Company Apps.
From the list, select your app.
Select the SSO tab to display your SSO settings. The SSO tab displays the SSO details that you need to provide to Sisense.
Copy the highlighted fields into the Sisense SSO page. You can access this page in the Sisense Web Application by selecting Admin > Single Sign On > Edit > Select Saml 2.0, then enter the following information:

X.509 Certificate: Click View Details to see your certificate. Copy the certificate and paste it into the Public X.509 Certificate area.
SAML 2.0 Endpoint (HTTP): Copy and paste this into the Remote Login URL field in the Sisense Single Sign On page.
SLO Endpoint (HTTP): Copy and paste this into the Remote Logout URL field in the Sisense Single Sign On page.

In the Sisense Single Sign On page, click Save.

The OneLogin users you assigned to the Sisense application can access Sisense through OneLogin without having to log in to Sisense directly. Users who access any of the web pages on your Sisense server will be redirected to OneLogin for authentication.

Script to retrieve the user list with first name and last, email, and userID
By following these instructions, users can efficiently check and download a CSV file containing the list of users meeting specific criteria from the developer console in their preferred browser under the user with Admin rights.