Single Sign-On (SSO)
The Satori management console supports SAML-based single sign-on (SSO). By using SSO, you can benefit from single user management, a smooth authentication process and simpler user tracking.
Satori SSO supports the IdP-initiated flow and the SAML 2.0 protocol only; SP-initiated login is not supported. Satori works with any SAML 2.0 identity provider (IdP); vendor-specific configuration instructions are given below.
The SSO configuration process requires the following:
- Enabling SSO in the Satori management console
- Creating a Satori SAML-2.0 application in your identity provider (IdP)
- Copying the SAML metadata from your IdP to Satori
- Assigning users to the Satori app in your IdP
SSO Configuration
To use SSO for your account, go to Settings, select Account Settings and enable the SSO feature. This requires Account Admin permissions. The SAML configuration has two sections:
- `Satori URL`: provided by Satori; copy it into your IdP's configuration.
- `SAML Metadata XML`: provided by your IdP; paste it into Satori.
In your IdP, create a new SAML 2.0 application and configure the following fields:
- Application URL: copy the `Satori URL` field from the SSO settings in the management console.
- `NameID`: the user's email address.
- `firstName` and `lastName` attributes: the user's first and last names respectively.
Sessions initiated by your IdP time out after 12 hours by default. You can change the session timeout in the SSO settings of the Satori management console.
User Management
When you enable SSO on your Satori account, existing users can still log in with their password, so that enabling SSO does not lock anyone out of the account. Once an existing user has logged in via SSO for the first time, you can disable password access for that user from the Settings / User Management page.
Satori automatically creates a user for anyone who logs in via SSO for the first time, with the default Data Consumer role. An account admin can change this role in the User Management page. Password authentication is disabled for users created this way.
Defining User Roles
You can use your IdP to manage role assignment instead of managing roles in the Satori management console. Follow these steps to configure role management in your IdP:
- Add a new attribute to the user profile in your IdP that stores the role each user should be granted in Satori, for example `Satori Role`.
- For each user, set the value of the `Satori Role` attribute to one of the role names listed below.
- Add an attribute called `satori_role` to the Satori SAML application and set its value to the `Satori Role` user profile attribute you created in the first step.
Now, when users log in to Satori via SSO, Satori overrides their role with the value carried in the `satori_role` attribute. Because this happens on every SSO login, anyone who can edit the `Satori Role` profile attribute in your IdP can grant themselves Account Admin in Satori; restrict and audit write access to that attribute accordingly.
Valid Role Values
- Account Admin
- Account Editor
- Account Reader
- Data Steward
- Data Consumer
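The following is an added, illustrative example of how a service provider consumes an assertion produced by the configuration above; it is not Satori's own code and does not describe Satori's internal behaviour. It assumes the assertion's XML signature has already been verified against the certificate in the IdP's SAML metadata by a SAML library, and only shows the checks that follow from this page: the `Satori URL` must appear as Audience and Recipient, the `NameID` must be an email address, `firstName`/`lastName` are read from the attribute statement, and `satori_role` overrides the role (with the default role applied when it is absent). The Satori URL, the sample assertion and the fail-closed handling of an unknown role value are assumptions made for the example.

```python
"""Illustrative mapping of a SAML 2.0 assertion onto a Satori user record.

Added example for this page, not Satori's own code. It assumes the assertion's
XML signature has already been verified against the certificate in the IdP's
SAML metadata by a SAML library (python3-saml, for instance); only the checks
and the attribute mapping described on this page are shown here.
"""
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role names exactly as listed under "Valid Role Values".
VALID_ROLES = {"Account Admin", "Account Editor", "Account Reader",
               "Data Steward", "Data Consumer"}
DEFAULT_ROLE = "Data Consumer"   # role given to users created via SSO

# Hypothetical Satori URL; the real one is shown in the SSO settings page and
# is what the IdP must use for Audience/Entity ID and Recipient/ACS URL.
SATORI_URL = "https://example.satoricyber.com/sso/saml"

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SATORI_URL}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{SATORI_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="satori_role"><saml:AttributeValue>Data Steward</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _attributes(root: ET.Element) -> dict:
    """Flatten the AttributeStatement into {Name: first AttributeValue}."""
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return out


def map_assertion(xml_text: str, satori_url: str = SATORI_URL,
                  now: Optional[datetime] = None) -> dict:
    """Validate the assertion for this SP and return the Satori user record.

    Raises ValueError on any mismatch so a bad assertion fails closed.
    """
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)

    # The Satori URL is configured in the IdP as both Audience (Entity ID) and
    # Recipient (ACS URL); an assertion minted for another SP must be refused.
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != satori_url:
        raise ValueError(f"audience {audience!r} is not this service provider")
    confirmation = root.find(".//saml:SubjectConfirmationData", NS)
    if confirmation is None or confirmation.get("Recipient") != satori_url:
        raise ValueError("recipient is not this service provider")

    # An IdP-initiated flow has no outstanding request to correlate with, so the
    # validity windows are the main replay limit besides the signature check.
    conditions = root.find("saml:Conditions", NS)
    if now < _ts(conditions.get("NotBefore")) or now >= _ts(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if now >= _ts(confirmation.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")

    # NameID must be the user's email address (see "SSO Configuration").
    email = (root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if "@" not in email:
        raise ValueError("NameID is not an email address")

    attrs = _attributes(root)
    # satori_role, when sent, overrides the role set in the console. A value
    # outside the documented list is rejected here rather than mapped to
    # something else (a fail-closed choice made for this example, not documented
    # Satori behaviour); when the attribute is absent the default role applies.
    role = attrs.get("satori_role")
    if role is None:
        role = DEFAULT_ROLE
    elif role not in VALID_ROLES:
        raise ValueError(f"unknown satori_role {role!r}")

    return {"email": email, "first_name": attrs.get("firstName", ""),
            "last_name": attrs.get("lastName", ""), "role": role}


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION))
```

Running the module prints the record for the constructed assertion, with `role` set to `Data Steward` because the `satori_role` attribute is present. Removing that attribute from the sample yields `Data Consumer`, and changing the Audience or Recipient to any other URL makes `map_assertion` raise, which is the behaviour you want from an SP that accepts IdP-initiated assertions.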
IdP Provider Configuration
Satori supports any SAML 2.0 identity provider. The following sections give the instructions for a few specific ones.
Okta
- Create a new Okta application from the Admin Dashboard by following these instructions, with:
  - Platform: Web
  - Sign on method: SAML 2.0
- Check the "Use this for Recipient URL and Destination URL" checkbox.
- Copy the `Satori URL` field and paste it into both of the following:
  - Single sign on URL
  - Audience URI (SP Entity ID)
- Configure the following fields:
  - Name ID format: EmailAddress, with the user's Email as its value
- Define Attribute Statements with:
  - `firstName`: `user.firstName`
  - `lastName`: `user.lastName`
- Once the application is created, copy the IdP metadata XML from its Sign on tab into the Satori SSO settings.
- Assign users or groups and activate the application.
Azure Active Directory
- Go to the Enterprise Applications page and create a new application.
- In the Azure AD Gallery page, select Create Your Own Application.
- Provide a name for your application (for example, Satori), select the "Integrate any other application you don't find in the gallery (Non-gallery)" option and click Create.
- Navigate to the Single Sign On page and select Edit in Basic SAML Configuration.
- Copy the `Satori URL` field and paste it into both of the following:
  - Identifier (Entity ID)
  - Reply URL (Assertion Consumer Service URL)
- Select Edit in User Attributes & Claims and add the following claims:
  - `firstName`: `user.givenname`
  - `lastName`: `user.surname`
  Satori uses the NameID as the user's email address, so also confirm that the Name ID claim in this section resolves to the user's email.
- Download the Federation Metadata XML from SAML Signing Certificate and paste its contents into the Satori SSO settings page.
- Assign users or groups and activate the application.
For a walkthrough of the Azure configuration, watch the short Azure SSO video tutorial series.
Google
- Create a new Google application by following these instructions.
- Download the IdP metadata XML file from the Google IdP Information window of the new application and paste its content into the Satori SSO settings.
- Copy the `Satori URL` field into both of the following in the Service Provider Details window:
  - ACS URL
  - Entity ID
- Configure the following fields:
  - Name ID: Primary Email
  - Name ID format: email
- Define the following mappings in the Attribute Mapping window:
  - `firstName`: First Name
  - `lastName`: Last Name
- Assign users or groups and activate the application.