Single Sign-On (SSO) integrates authentication between applications on multiple networks and cloud-based services such as Project Insight. Configuring SSO requires a network administrator who is familiar with your business's internal security systems and has experience integrating Identity Providers (IdP) such as Active Directory Federated Services (ADFS) with your internal authentication systems such as Active Directory or LDAP.
It is important to know that Single Sign-On does not equate to automatic sign-on. The purpose of Single Sign-On is to let the individuals in your organization log in with a single unified set of credentials; this is most often Active Directory. A user must still be created in Project Insight for every individual who will be using Project Insight, but an External User Identity is associated with each user, which allows them to log in automatically. When a user goes to log in to Project Insight, they are redirected to your specified Identity Provider, where they enter their organization's credentials to authenticate.
There are several web-based protocols for Single Sign-On. Project Insight and Active Directory Federated Services support the SAML 2.0 protocol. SAML 2.0 is a widely used and secure authentication protocol that can be integrated with any organization's authentication system.
The configuration for SSO is described in the following sections.
Useful Single Sign-on Tricks
Misconfigurations will happen. Your certificate expires, your IT personnel change your server name without filling out a risk assessment, or you are new to single sign-on and charged with setting it up.
To help in situations like these, we have a few useful URL parameters that have made our lives easier when creating the Single Sign-On system. These parameters can be mixed and matched in any combination.
- enableDebugSSO: one of the most important options when troubleshooting your SSO configuration. It outputs a multitude of useful information, from the PI endpoints, to how far the authentication process got before something went wrong, and even what the Issuer identifier on the SSO response was. Set this to "true" to turn it on for 5 minutes.
- disablePrimarySSO: when you have disabled the default PI login and something is wrong with your SSO configuration, you can turn off the automatic redirect to your Identity Provider by setting this flag to "true".
- ssoAutoLogin: this flag uses the alias either created or set when you created your SSO config. When set, it triggers the SSO authentication by the specified alias automatically when you go to the login page.
It is important to distinguish a misconfiguration in Project Insight from a misconfiguration in your Identity Provider. Most of the time, if you actually see the Project Insight screen but there is a problem with authentication, there is a very good chance that it is simply a misconfiguration in PI. Turn on SSO debugging and try again to get the details of why it failed. If you do not see the PI login screen, however, this is a good indicator that the "Trust" relationship between Project Insight and your Identity Provider has not been set up properly.
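When the debug output is not enough, the same triage can be done offline on a SAMLResponse captured from the browser's POST to the service provider. The following is an added example, not Project Insight's own code: it compares the Issuer with the value you configured and, going slightly beyond the Issuer check described above, also reports the IdP status code and the assertion's validity window. The host name, the sample response and the function names are constructed for illustration, and the signature is deliberately not verified.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (hypothetical IdP host, unsigned, illustration only).
SAMPLE_B64 = base64.b64encode(b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
  </saml:Assertion>
</samlp:Response>""")

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_saml_response(b64_response, expected_issuer, now):
    """List likely configuration problems in a captured SAMLResponse.
    Diagnostic only: the signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    # The Issuer must match the configured IdP identifier character for character.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: response says {issuer!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("IdP did not report Success")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
    return findings

if __name__ == "__main__":
    when = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
    # "https" instead of "http" in the configured issuer is enough to break the match.
    print(triage_saml_response(SAMPLE_B64, "https://adfs.example.test/adfs/services/trust", when))
```

An empty list means none of these three checks found a problem; it says nothing about whether the response is authentic, which only signature validation against the IdP's certificate can establish.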