Sisense Single Sign-On (SSO) is a mechanism that allows a system to authenticate Sisense users and subsequently tell Sisense that the user has been authenticated.
The user is then allowed to access Sisense without being prompted to enter separate login credentials.
The SSO security mechanism allows Sisense to trust the login requests it gets from your corporate authentication system and to grant access to the users that system has authenticated.
Sisense SSO relies on a protocol called JSON Web Token (JWT) for securing the exchange of user authentication data. In addition, we recommend using the jti parameter (see below), which adds a unique ID to the token that prevents the token from being used more than once, thus preventing attacks on the system (also known as replay attacks).
Note: SSO configuration is not identical across environments, and should be set up according to your unique environment requirements, preferably by an administrator or developer with SSO experience.
Configuring SSO in Sisense
To access the SSO configuration settings, click ADMIN in the upper right corner and choose the SINGLE SIGN ON tab on the left.
Fill in the SSO configuration fields and click SAVE:
- Remote Login URL: This is the URL that Sisense will invoke to attempt remote authentication. At that endpoint, the participating application's user authentication script is triggered and the JWT payload is generated.
- Remote Logout URL: This is the URL that users will be redirected to after they log out from Sisense (i.e. the participating application’s home page).
- Shared Secret: The JWT encryption public key used to encrypt the JWT payload. It is generated once when the SSO configuration is saved.
Implementing SSO Integration
The participating application in the SSO flow must authenticate the user's session request by following a specific flow:
- Set the appropriate SSO settings.
- Implement the authentication API JWT signature by applying a specific JWT protocol, as described below.
Issued at: the time the token was generated. This is used to help ensure that a given token gets used shortly after it is generated. The value must be the number of seconds since UNIX epoch. Sisense allows up to five minutes clock skew.
Note: The date must be an integer and not a float.
|Yes||Email of the user being signed in, used to uniquely identify the user in Sisense. If the user does not exist in Sisense, it will be created with default viewer privileges.|
|jti||Yes||A unique string added to the token that is used to prevent replay attacks, by making sure the token is used only once.|
|exp||No||Expiration time of the token. After that time the token becomes invalid, and the user will be redirected again to the remote login URL for re-authentication. If not present, the token will expire within one week. The value must be the number of seconds since UNIX epoch.|
SSO Code Samples
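The token described in the table above, built and checked with Python's standard library. This is an added example, not Sisense's sample code. It assumes HS256 signing with the Shared Secret and `sub` as the email claim (neither is stated on this page); `make_token`, `check_token` and the sample secret are illustrative, and `check_token` only models the receiving side's checks.

```python
import base64, hashlib, hmac, json, secrets, time

MAX_SKEW = 300  # five-minute clock-skew allowance from the page, in seconds

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(email, secret, now=None, lifetime=None):
    """Remote-login side: build a signed token for an already-authenticated user."""
    now = int(time.time() if now is None else now)  # iat must be an integer, not a float
    claims = {"iat": now, "sub": email, "jti": secrets.token_hex(16)}  # "sub" is assumed
    if lifetime is not None:
        claims["exp"] = now + int(lifetime)  # optional expiry, seconds since epoch
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)  # HS256 is assumed
    signing_input = ".".join(_b64(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _b64(_sign(secret, signing_input))

def check_token(token, secret, seen_jti, now=None):
    """Receiving side (illustrative model): returns (ok, email or rejection reason)."""
    now = int(time.time() if now is None else now)
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), _unb64(sig)):
            return False, "bad signature"
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return False, "malformed token"
    iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
    if type(iat) is not int or abs(now - iat) > MAX_SKEW:
        return False, "stale or non-integer iat"
    if exp is not None and (type(exp) is not int or now >= exp):
        return False, "expired"
    if not isinstance(jti, str) or jti in seen_jti:
        return False, "replayed or missing jti"
    seen_jti.add(jti)  # remember the ID so the same token is refused next time
    return True, claims.get("sub")

if __name__ == "__main__":
    seen, secret = set(), "constructed-demo-secret"  # constructed value, not a real key
    token = make_token("user@example.com", secret, lifetime=600)
    print(check_token(token, secret, seen))  # first use
    print(check_token(token, secret, seen))  # same token presented again
```

In production the signing step would normally come from a maintained JWT library, and the set of seen `jti` values would live in shared storage that outlasts the token's validity window.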
Configuring Sisense as a Sub-Domain with SSO
Integrate Sisense as a sub-domain of your web application and embed Sisense into your web application with SSO.
Sisense also works when embedded in cross-domain IFrames.
To configure Sisense as a Sub-Domain with SSO:
- Add your website to IIS with the name example_website.com
- In the Site bindings enter the host name as example_website.com on port 80:
- Change the existing SisenseWeb site binding to use sisense.example_website.com as host name on port 80:
- Open the file C:\Windows\System32\drivers\etc\hosts and add mapping for the sites:
- Sign in to your Sisense application at sisense.example_website.com and configure the SSO as pictured below:
Place the following SSO script in the server location corresponding to the Remote Login URL in the server’s root directory. Please note that the SSO script can be implemented in any server-side language. The following example uses Python.
- In index.html from example_website.com, the IFrame source is the Sisense dashboard URL.
<html>
  <head>
    <title>Example Website</title>
  </head>
  <body>
    <p><b>example_website.com</b> - <b>SSO</b> login with embedded dashboard from <b>sisense.example_website.com</b></p>
    <!-- iframe is not a void element, so it needs an explicit closing tag -->
    <iframe width="100%" height="100%" src='http://sisense.example_website.com/app/main#/dashboards/53b29843751b655443000018?embed=true'></iframe>
  </body>
</html>
Navigate to example_website.com and you should see the specific dashboard you embedded.