Single Sign On

Let users log in to the Sensolus platform using your Identity Provider system, avoiding extra passwords.

Using an external identity provider

Using your organization's identity provider simplifies user management on the Sensolus platform significantly. It also ensures that users only need to remember one password and that your organization's password policy (complexity rules, multi-factor authentication) applies. When an external identity provider is enabled, no user passwords need to be stored in the Sensolus platform: all authentication requests are delegated to the identity provider of your choice.

The Sensolus platform supports both OpenID Connect and SAML 2.0 as SSO options. That covers most commonly used identity providers, such as Microsoft Azure, Google G Suite, ...

The goal of this documentation is not to explain in detail how it all works technically, but the high-level authentication flow is:

  1. The user navigates to the Sensolus platform login page for their organization.
  2. If SSO is enabled, the user is redirected to their organizational login page. That redirection contains a shared secret between Sensolus and the identity provider.
  3. The user logs in with their organization credentials (or their authentication token is still valid and nothing is asked). On success, a redirection happens to the Sensolus login page. That redirection URL contains a token. There is no Sensolus server involvement at this stage; this all happens in the browser.
  4. The browser passes the token to the Sensolus server. The Sensolus server checks with the identity provider whether the token is really valid. If it is, a Sensolus token is generated and the user is allowed into the application.

The Sensolus platform allows you to mix and match users who are authenticated locally with users who are authenticated by the external identity management system.

Configuring Single sign on

  1. Go to Admin > Access Management > Single sign on. In the identity provider drop-down, select the protocol that your identity provider is using:
    • OpenID Connect identity provider:

    • SAML identity provider:

    Note: The redirect URL is the following: <base URL>/rest/authentication/login/acs/externalIdp
  2. Complete all the required fields. The configuration values are provided by your identity management system.
  3. The 'auto registration of new users' option determines whether users who are authenticated by the identity provider but are not yet known in the Sensolus system are created automatically. Enabling this is the fastest way to on-board new trusted users. If the check box is selected, a set of new options appears. Those options determine the default values for the newly created users. In most cases, it is recommended to give those automatically on-boarded users a role with limited permissions.
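The following is an added illustration, not Sensolus code: a small Python model of the flow above (steps 2 to 4) together with the auto-registration setting, showing why the platform side asks the identity provider to confirm a token instead of trusting it, why an authenticated user with no account is still refused when auto-registration is off, and why auto-created accounts get a limited default role while pre-provisioned accounts keep theirs. All class names, roles and sample users are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Stand-in for the organization's IdP (steps 2-3): checks credentials, issues a token."""
    users: dict                                   # email -> password, constructed sample data
    issued: dict = field(default_factory=dict)    # token -> email, for back-channel validation

    def login(self, email, password):
        if self.users.get(email) != password:
            return None                           # wrong organization credentials
        token = secrets.token_urlsafe(16)
        self.issued[token] = email
        return token

    def validate(self, token):
        """What the platform server asks the IdP in step 4: who, if anyone, owns this token?"""
        return self.issued.get(token)


@dataclass
class PlatformServer:
    """Stand-in for the platform side (step 4 plus the auto-registration option)."""
    idp: IdentityProvider
    auto_register: bool = False                   # the 'auto registration of new users' option
    default_role: str = "limited"                 # role given to auto-registered users
    accounts: dict = field(default_factory=dict)  # email -> role (pre-provisioned or auto-created)
    sessions: dict = field(default_factory=dict)  # platform token -> email

    def accept(self, idp_token):
        email = self.idp.validate(idp_token)      # never trust the browser-supplied token on its own
        if email is None:
            return None                           # forged, expired or unknown token
        if email not in self.accounts:
            if not self.auto_register:
                return None                       # authenticated at the IdP, but no account here
            self.accounts[email] = self.default_role
        platform_token = secrets.token_urlsafe(16)
        self.sessions[platform_token] = email
        return platform_token


def sso_flow(server, email, password):
    """The browser's part: log in at the IdP, then hand the returned token to the platform."""
    idp_token = server.idp.login(email, password)
    if idp_token is None:
        return None
    return server.accept(idp_token)
```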

Disabling single sign on

To disable SSO, set the Identity Provider to 'Use Sensolus as identity provider'.