Sisense Single Sign-On (SSO) is a mechanism that allows a system to authenticate users in Sisense and subsequently tell Sisense that the user has been authenticated.
The user is then allowed to access Sisense without being prompted to enter separate login credentials.
The SSO security mechanism allows Sisense to trust the login requests it gets from your corporate authentication system and to grant access to the users that system has authenticated.
Sisense SSO relies on a protocol called JSON Web Token (JWT) for securing the exchange of user authentication data.
Configuring SSO
To access the SSO configuration, click MANAGE in the upper right corner and choose the SINGLE SIGN ON tab on the left.
Fill in the SSO configuration fields and click SAVE:
- Remote Login URL: This is the URL that Sisense will invoke to attempt remote authentication. At that endpoint, the participating application's user authentication script is triggered and the JWT payload is generated.
- Remote Logout URL: This is the URL that users will be redirected to after they log out from Sisense (i.e. the participating application’s home page).
- Shared Secret: The JWT encryption public key used to encrypt the JWT payload. It is generated once when the SSO configuration is saved.
Implementing SSO Integration
The participant application in the SSO flow is required to implement the user request session authentication by following a specific flow:
- Set the appropriate SSO settings.
- Implement the authentication API JWT signature by applying a specific JWT protocol, as described below.
Attribute: iat
Mandatory: Yes
Description: Issued at: the time the token was generated. This is used to help ensure that a given token gets used shortly after it is generated. The value must be the number of seconds since UNIX epoch. Sisense allows up to 5 minutes clock skew.
Attribute: sub
Mandatory: Yes
Description: Email of the user being signed in, used to uniquely identify the user in Sisense. If the user does not exist in Sisense, it will be created with default consumer privileges.
Attribute: exp
Mandatory: No
Description: Expiration time of the token. After that time the token would be invalid, and the user will be redirected again to the remote login URL for re-authentication. If not present, the token will expire in 1 week. The value must be the number of seconds since UNIX epoch.
Attribute: aud
Mandatory: No
Description: Intended audience for this token. The value can be a collection of strings or a single string. If present, it must contain the string “sisense” (lowercase).
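The token described by the attributes above, as an added Python example that is not Sisense's own code and not one of the attached samples: it builds the token with the standard library and runs the checks the attribute descriptions imply. HS256 signing with the Shared Secret, the function names, and the reading of the 5-minute skew as a limit on a future-dated iat are assumptions.

```python
import base64
import hashlib
import hmac
import json

SKEW = 300              # 5 minutes of clock skew allowed on iat
DEFAULT_TTL = 604800    # a token without exp expires after 1 week

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, email, now, ttl=None):
    """Login-script side: build the token (HS256 signing is an assumption)."""
    claims = {"iat": now, "sub": email, "aud": "sisense"}
    if ttl is not None:
        claims["exp"] = now + ttl
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _b64(_sign(secret, signing_input))

def check_token(secret, token, now):
    """Receiver-side checks implied by the attributes; raises ValueError."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_unb64(head))["alg"]
        claims = json.loads(_unb64(body))
        iat, sub = claims["iat"], claims["sub"]      # both mandatory
        exp = claims.get("exp", iat + DEFAULT_TTL)   # exp is optional
        aud = claims.get("aud", "sisense")           # aud is optional
        given = _unb64(sig)
    except Exception as exc:
        raise ValueError("malformed or incomplete token") from exc
    if alg != "HS256":                               # pin the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(given, _sign(secret, head + "." + body)):
        raise ValueError("bad signature")
    if not isinstance(sub, str) or not isinstance(iat, int) or iat > now + SKEW:
        raise ValueError("bad sub or iat")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    auds = [aud] if isinstance(aud, str) else aud    # string or collection
    if not isinstance(auds, list) or "sisense" not in auds:
        raise ValueError("aud must contain 'sisense'")
    return claims
```

Running check_token against the login script's output before deployment catches a wrong secret, a drifting server clock, or a missing mandatory attribute without involving the Sisense server.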
SSO Code Samples
Configure Sisense as a Sub-Domain with SSO
Integrate Sisense as a sub-domain of your web application and embed Sisense into your web application with SSO.
Note: Sisense also works when embedded in cross-domain IFrames.
Instructions
- Add your website to IIS under the name example_website.com.
- In the site bindings, enter the host name as example_website.com on port 80.
- Change the existing SisenseWeb site binding to use sisense.example_website.com as the host name on port 80.
- Open the file C:\Windows\System32\drivers\etc\hosts and add mappings for the sites:
192.168.5.148 sisense.example_website.com
192.168.5.148 example_website.com
- Sign in to your Sisense application at sisense.example_website.com and configure the SSO as pictured below:
- Place the following SSO script in the server location corresponding to the Remote Login URL in the server’s root directory. Please note that the SSO script can be implemented in any server-side language. This example uses Python. Example code has been attached for C#, PHP, and Python.
- In index.html from example_website.com, the IFrame source is the Sisense dashboard URL.
index.html from example_website.com:
<html>
  <head>
    <title>Example Website</title>
  </head>
  <body>
    <p><b>example_website.com</b> - <b>SSO</b> login with embedded dashboard from <b>sisense.example_website.com</b></p>
    <!-- The IFrame source is the Sisense dashboard URL; an iframe needs an explicit closing tag -->
    <iframe width="100%" height="100%" src='http://sisense.example_website.com/app/main#/dashboards/53b29843751b655443000018?embed=true'></iframe>
  </body>
</html>
- Navigate to example_website.com and you should see the specific dashboard you embedded.