Single Sign-On (SSO)

The Satori management console supports SAML-based single sign-on (SSO). By using SSO, you can benefit from single user management, a smooth authentication process and simpler user tracking.

Satori SSO supports only the IdP (Identity Provider) initiated flow and only the SAML 2.0 protocol. Satori works with different IdP vendors; see the configuration instructions below.

The SSO configuration process requires the following:

  1. Enabling SSO in the Satori management console
  2. Creating a Satori SAML-2.0 application in your identity provider (IdP)
  3. Copying the SAML metadata from your IdP to Satori
  4. Assigning users to the Satori app in your IdP

SSO Configuration

To use SSO for your account, go to Settings, then select Account Settings and enable the SSO feature. This requires Account Admin permissions. The SAML configuration has two sections:

  1. Satori URL - provided by Satori and should be copied to your IdP's configuration.
  2. SAML Metadata XML - provided by your IdP and will be used by Satori.

In your IdP, create a new SAML-2.0 application and configure the following fields:

  • Application URL - copy the Satori URL field from the SSO settings in the management console.
  • NameID - set to the user's email address.
  • firstName and lastName attributes - contain the user's first and last names respectively.

Sessions initiated by your IdP time out after 12 hours. You can configure the session timeout in the SSO settings in the Satori management console.

User Management

When you enable SSO on your Satori account, existing users can still log in with their password, so that you do not lock users out of your account. After a user has logged in with SSO for the first time, you can disable password access for existing users from the Settings / User Management page.

Satori automatically creates a user for anyone who logs in to Satori via SSO for the first time, with the default Data Consumer role. The account admin can change this role in the User Management page. Password authentication is disabled for new users whose first login is via SSO.

Defining User Roles

You can use your IdP to manage role assignment for users instead of managing roles in the Satori management console. Follow these steps to configure role management in your IdP:

  1. Add a new attribute to the user profile in your IdP that stores the role each user should be granted in Satori, for example: Satori Role.
  2. For each user, define the value of the Satori Role attribute. See the available options below.
  3. Add a new attribute called satori_role in the Satori SAML application and set its value to the Satori Role user profile attribute you created in the first step.

Now, when users log in to Satori via SSO, Satori overrides their role with the value of the satori_role attribute.

Valid Role Values

  • Account Admin
  • Account Editor
  • Account Reader
  • Data Steward
  • Data Consumer
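The attribute contract described above (NameID in emailAddress format, firstName, lastName, and the optional satori_role override checked against the valid role values) can be exercised against a captured SAML response to confirm an IdP application is mapped correctly before users are assigned. The code below is an added example, not Satori's implementation: the response it parses is a constructed, unsigned sample with an invented issuer and user, and the fallback behaviour when satori_role is absent (keep the current role, or the default Data Consumer role for a new user) and the rejection of unrecognised role values are this example's interpretation of the page. Signature verification, which a real service provider performs before reading any of these values, is deliberately outside its scope.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Role names exactly as listed under Valid Role Values; anything else is rejected.
VALID_ROLES = {"Account Admin", "Account Editor", "Account Reader",
               "Data Steward", "Data Consumer"}
DEFAULT_ROLE = "Data Consumer"  # role a first-time SSO user receives

# Constructed, unsigned sample response (issuer and user are invented).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="satori_role"><saml:AttributeValue>Data Steward</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_user_attributes(response_xml: str) -> dict:
    """Return the NameID (as 'email') and the assertion's attributes by name."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    attrs = {"email": (name_id.text or "").strip()}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("firstName", "lastName"):
        if not attrs.get(required):
            raise ValueError(f"assertion is missing the {required} attribute")
    return attrs


def resolve_role(attrs: dict, current_role: Optional[str] = None) -> str:
    """Apply the satori_role override, or keep the current/default role (assumed behaviour)."""
    role = attrs.get("satori_role")
    if role is None:
        return current_role or DEFAULT_ROLE
    if role not in VALID_ROLES:
        raise ValueError(f"unrecognised satori_role value: {role!r}")
    return role


if __name__ == "__main__":
    user = extract_user_attributes(SAMPLE_RESPONSE)
    print(user["email"], user["firstName"], user["lastName"], "->", resolve_role(user))
```

Attribute names are matched exactly, so a claim emitted as `FirstName` or `satori-role` by the IdP would fail this check just as it would fail the mapping in Satori; that is usually the first thing to verify when a newly assigned user lands with the wrong name or role.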

IdP Provider Configuration

Satori supports any SAML-2.0 identity provider. The following section provides the instructions for a few specific ones.

Okta

  1. Create a new Okta application from the Admin Dashboard by following these instructions.
    • Platform: Web
    • Sign on method: SAML 2.0
  2. Check the Use this for Recipient URL and Destination URL checkbox.
  3. Copy the Satori URL field and paste it to the following:
    • Single sign on URL
    • Audience URI (SP Entity ID)
  4. Configure the following fields:
    • Name ID format: EmailAddress
    • EmailAddress: Email
  5. Define Attribute Statements with:
    • firstName: user.firstName
    • lastName: user.lastName
  6. Once created, copy the IdP metadata XML from the Sign on tab of your newly created application to the Satori SSO settings.
  7. Assign Users or Groups and activate the application.

Azure Active Directory

  1. Go to the Enterprise Applications page and create a new application.
  2. In the Azure AD Gallery page, select Create Your Own Application.
  3. Provide a name for your application, for example: Satori and select the Integrate any other application you don't find in the gallery (Non-gallery) option. Click Create.
  4. Navigate to the Single Sign On page and select Edit in Basic SAML Configuration.
  5. Copy the Satori URL field and paste it to the following:
    • Identifier (Entity ID)
    • Reply URL (Assertion Consumer Service URL)
  6. Select Edit in User Attributes & Claims, and add the following claims:
    • firstName: user.givenname
    • lastName: user.surname
  7. Download the Federation Metadata XML from SAML Signing Certificate and copy its contents to the Satori SSO settings page.
  8. Assign Users or Groups and activate the application.

For further insight into Azure SSO, watch the short video series.

Azure SSO Video Tutorial

Google

  1. Create a new Google application by following these instructions.
  2. Download the IdP metadata XML file from the Google IdP Information window of your newly created application and paste its contents to the Satori SSO settings.
  3. Copy the Satori URL field to the following in the Service Provider Details window:
    • ACS URL
    • Entity ID
  4. Configure the following fields:
    • Name ID: Primary Email
    • Name ID format: email
  5. Define the following mappings in the Attribute Mapping window:
    • firstName: First Name
    • lastName: Last Name
  6. Assign Users or Groups and activate the application.