On-Premise Single Sign-On
The content in this article applies to On-premise instances only.
Starting October 19, 2022, you can connect your corporate identity provider to Digital.ai Agility using the Platform's Identity service. Once connected, the Platform acts as an identity broker between your IdP (Identity Provider) and Digital.ai Agility, allowing your users to securely access all products and the support, documentation, and community portals using the same credentials they use throughout your enterprise.
If you have not yet migrated your single sign-on (SSO) and user
management to the Platform and want to do so, write to
support for assistance.
If you are already using the Platform for SSO and want to learn more about the Identity service, click here. If you have any further questions, please reach out to your contact or write to support.
SAML-based Single Sign-On is a security configuration option available to on-premises Ultimate customers. Using SAML, Digital.ai Agility integrates with your SSO environment and defers to your Service Provider and Identity Provider for authentication whenever anyone attempts to access your instance. This eliminates the need for separate credentials managed inside Digital.ai Agility. It also gives you better control over authentication and access, and more flexibility with password rules for your users.
The following diagram illustrates SAML SSO using the web application:
- This diagram illustrates an unauthenticated user flow that starts with the user trying to access the web application.
- Digital.ai Agility requires an external (third-party) Service Provider. On-Premises customers are responsible for this component in addition to the Identity Provider.
The instructions below describe how to enable SAML-based SSO in an on-premises instance. If your organization uses SAML-based SSO and your Digital.ai Agility instance is on-demand (also known as hosted or SaaS) please refer to the On-Demand Single Sign-On topic.
Enabling SSO
- Install Digital.ai Agility using the default authentication.
- Rename the 'admin' username to match the administrator's SSO username.
- Add the following to appSettings in user.config (or create a user.config if it doesn't already exist):
- Configure your SSO system to supply the username to Digital.ai Agility through the HTTP_USER header variable.
- Configure your SSO system to protect the following Digital.ai Agility endpoints:
  - /default.aspx
  - /downloadfile.aspx
  - /attachment.img
  - /attachment.v1
  - /export.v1
  - /assetdetail.v1
  - /ui.v1
  - /rest-1.v1
  - /roadmapping.v1
  - /*.mvc
  - /oauth.v1/auth
  - /query.legacy.v1
Several customers have chosen to configure their SSO system to secure the entire virtual directory. When choosing this approach, you must disable SSO when installing or upgrading Analytics because that installer relies on two endpoints that are not secure in a non-SSO environment.
Once configured, Digital.ai Agility authenticates users based on the username supplied in the HTTP_USER header variable. An 'Access Denied' message is displayed to users who do not have a matching username defined in Digital.ai Agility.
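As an added example (not Digital.ai's code), the following Python models the trust boundary the steps above set up: the SSO system in front of Agility strips any client-supplied HTTP_USER, sets the header only after the IdP has authenticated the user on a protected endpoint, and Agility then matches the value against its defined users. The function names, the sample usernames and the request model are hypothetical and constructed for illustration; the endpoint list is the one given above.

```python
from fnmatch import fnmatch
from typing import Dict, Optional
from urllib.parse import urlsplit

# Endpoints the page says the SSO system must protect (copied from the list above).
PROTECTED = [
    "/default.aspx", "/downloadfile.aspx", "/attachment.img", "/attachment.v1",
    "/export.v1", "/assetdetail.v1", "/ui.v1", "/rest-1.v1", "/roadmapping.v1",
    "/*.mvc", "/oauth.v1/auth", "/query.legacy.v1",
]
# Constructed sample of usernames defined in Agility ('admin' renamed to its SSO name).
AGILITY_USERS = {"jdoe", "admin.sso"}

def is_protected(url: str) -> bool:
    """True if the request path falls under one of the protected endpoints."""
    path = urlsplit(url).path.lower()
    return any(path == p or path.startswith(p + "/") or fnmatch(path, p)
               for p in PROTECTED)

def sso_gateway(url: str, client_headers: Dict[str, str],
                sso_user: Optional[str]) -> Optional[Dict[str, str]]:
    """Hypothetical model of the SSO system in front of Agility. sso_user is the
    identity the IdP asserted for this session (None = no session). Returns the
    headers Agility receives, or None when the gateway sends the user to the IdP."""
    # Never trust an HTTP_USER value sent by the client: strip it on every request.
    headers = {k: v for k, v in client_headers.items() if k.upper() != "HTTP_USER"}
    if is_protected(url):
        if sso_user is None:
            return None
        headers["HTTP_USER"] = sso_user  # only the gateway may set this header
    return headers

def agility_authenticate(headers: Dict[str, str]) -> str:
    """Agility's decision as the page describes it: accept the HTTP_USER username
    only if it matches a defined user, otherwise 'Access Denied'."""
    user = headers.get("HTTP_USER")
    return f"authenticated as {user}" if user in AGILITY_USERS else "Access Denied"

def request(url: str, client_headers: Optional[Dict[str, str]] = None,
            sso_user: Optional[str] = None) -> str:
    """End-to-end outcome of one request through the gateway and the application."""
    forwarded = sso_gateway(url, client_headers or {}, sso_user)
    return "redirected to IdP" if forwarded is None else agility_authenticate(forwarded)
```

The model shows why the endpoint list must be complete: a path the SSO system does not protect never receives a trusted HTTP_USER, so the safe outcome there is a denial rather than a client-chosen identity.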
From Dev Team concerning the SSO config: "Respecting the cache control headers is the right strategy."