Single Sign-On (SSO) Router

By sisense

The Single Sign-On Router provides new REST API endpoints to route login and logout JWT SSO requests based on the source request domain or URL parameter.

Important Note: The client should implement the SSO JWT handler. The SSO Router only routes to existing endpoints.

Use Case 1:
A company using a multi-tenant configuration sets Sisense to use a unique domain for each tenant.
When a user browses to Sisense, Sisense recognizes the user’s domain and routes the request to the tenant's unique SSO handler. This way, each tenant has a unique SSO handler.

Use Case 2:
A company using a multi-tenant configuration creates a unique URL parameter for each tenant. When a user connects to Sisense using a specific parameter, Sisense routes the request to the tenant's unique SSO handler.

Installing the SSO Router

The multi-tenant SSO provides a new SSO endpoint. This endpoint is used as the login/logout endpoint.

Windows

  1. Run the plugin installation package.
  2. The package installs a new Windows microservice “sisense.SSORouter”.
  3. Edit the microservice “config.js” file, as described below.
  4. Configure the JWT SSO to use the SSO Router endpoint as the login and logout URL, as described below.
  5. Restart the Windows “sisense.SSORouter” service.

Linux

  1. Download and extract the server-side plugin.
  2. Unzip the file.
  3. Place the /src/features/ssoRouter directory on the Sisense Linux server under the following path: /opt/sisense/storage/external-plugins/apiPlugins/plugins/.
  4. Edit the config.js, as described below.
  5. Configure the JWT SSO to use the SSO Router endpoint as the login and logout URL, as described below.
  6. Restart the ‘external-plugins’ pod to apply the changes (pods available under the ‘sisense’ namespace).

After you install the SSO Router, you will see an additional endpoint in the Swagger REST API page.

Upgrade the SSO Router

  1. Before you upgrade the SSO router, make a copy of the configuration file.
  2. Windows: run the .msi installation file.
    Linux: replace the content of the SSO router folder with the new SSO router folder, as described in the installation instructions.
  3. Replace the newly installed configuration file with your custom configuration file.
  4. Windows: Restart the SSO Router microservice.
    Linux: Restart the ‘external-plugins’ pod.

Configuring the SSO Router

SSO Router configuration is located in a JS config file.
To configure the SSO Router, update the configuration file.

File location:

  • Linux: /ssoRouter/v1/config.js
  • Windows: /sisense/app/ssoRouter/src/features/ssoRouter/v1/config.js

The configuration file contains a configuration object with four keys:

  1. login: Object. Contains key-value pairs of the request origin and the required route URL**
  2. logout: Object. Contains key-value pairs of the request origin and the required route URL**
  3. loginURLParameter: String. In case the login SSO handler is determined by a URL parameter, state the URL parameter name.
    To pass a URL parameter, replace all the # characters in the URL with %23.
    For example:
    http://sisense.dns.com/app/main#/home?embed=true =>
    http://sisense.dns.com/app/main%23/home?embed=true
  4. loginParameterMapping: Object. If the login SSO handler is determined by a URL parameter, state the parameter value as the key and the redirect address as the value.

** Source:Redirect key-value pairs: The key represents the Sisense DNS. Provide the DNS with no protocol (HTTP/HTTPS) and no port.
The value is the URL to redirect to.
The keys and values can contain up to a single attribute.
The attribute will be in the format: ${attribute_name}.

Important: For login requests, if the login URL parameter is specified, the loginParameterMapping is used. If the login URL parameter is not specified, the login mapping is used.

Configuration example:

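const config = {
    // Source:Redirect pairs for login. Keys are the Sisense DNS, with no protocol and no port.
    login: {
        'tenantA.com': 'http://tenantA.sso.com',
        // Plain strings, not JS template literals: the Router fills in ${attribute}.
        '${attribute}.tenant': 'http://${attribute}.tenant.sso.com'
    },
    // Source:Redirect pairs for logout.
    logout: {
        'tenantA.com': 'http://tenantA.main.com',
    },
    // Name of the URL parameter that selects the login SSO handler.
    loginURLParameter: 'domain',
    // Parameter value => redirect address.
    loginParameterMapping: {
        1: 'http://tenantA.sso.com',
        2: 'http://tenantB.sso.com'
    }
};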
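
An added example, not part of the Sisense plugin: a check of a config object against the key rules listed above, which can be run before restarting the service. The function names are hypothetical, and the rule that a value's attribute must also appear in its key is an inference from the template entry, not something the page states.

```javascript
const ATTR_G = /\$\{[^}]+\}/g;             // every ${attribute_name} placeholder

function lintUrl(where, target, problems) {
    // Substitute the placeholder before parsing so templated values can be checked too.
    try { new URL(String(target).replace(ATTR_G, 'x')); }
    catch { problems.push(`${where}: redirect value is not an absolute URL`); }
}

function lintSourceMap(section, map, problems) {
    for (const [key, target] of Object.entries(map || {})) {
        const where = `${section}['${key}']`;
        const keyAttrs = key.match(ATTR_G) || [];
        const valAttrs = String(target).match(ATTR_G) || [];
        const bareKey = key.replace(ATTR_G, 'x');
        if (/^[a-z][a-z0-9+.-]*:\/\//i.test(bareKey)) problems.push(`${where}: key includes a protocol`);
        if (/:\d+$/.test(bareKey)) problems.push(`${where}: key includes a port`);
        if (keyAttrs.length > 1 || valAttrs.length > 1) problems.push(`${where}: more than one attribute`);
        // Inference, not a documented rule: a value placeholder must also appear in the key.
        if (valAttrs.length === 1 && valAttrs[0] !== keyAttrs[0]) {
            problems.push(`${where}: value attribute is not defined by the key`);
        }
        lintUrl(where, target, problems);
    }
}

function lintConfig(cfg) {
    const problems = [];
    lintSourceMap('login', cfg.login, problems);
    lintSourceMap('logout', cfg.logout, problems);
    const mapping = Object.entries(cfg.loginParameterMapping || {});
    if (cfg.loginURLParameter && mapping.length === 0) {
        problems.push('loginURLParameter is set but loginParameterMapping is empty');
    }
    for (const [value, target] of mapping) lintUrl(`loginParameterMapping['${value}']`, target, problems);
    return problems;
}

// Constructed sample with deliberate mistakes, to show what the check reports.
const badConfig = {
    login: {
        'https://tenantA.com': 'http://tenantA.sso.com',   // protocol in key
        'tenantB.com:8443': 'tenantB.sso.com',             // port in key, value not a URL
        '${a}.${b}.tenant': 'http://${a}.sso.com'          // two attributes in key
    },
    logout: {}, loginURLParameter: 'domain', loginParameterMapping: {}
};
console.log(lintConfig(badConfig).join('\n'));
```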

Login request:

| Source Domain | Redirect URL | Explanation |
|---|---|---|
| http://tenantA.com | http://tenantA.sso.com | Since there is no URL parameter, the Router will try to find the SSO handler URL in the ‘login’ object. |
| https://tenantA.com | http://tenantA.sso.com | Since there is no URL parameter, the Router will try to find the SSO handler URL in the ‘login’ object. The source request protocol (HTTP/HTTPS) is not taken into account when calculating the redirect URL. |
| http://a.tenant | http://a.tenant.sso.com | The login URL matches the template ${attribute}.tenant. |
| http://tenantA?domain=1 | http://tenantA.sso.com | Since the domain parameter is provided, the SSO handler URL will be the URL that is mapped to the “domain” parameter value. |

Logout request:

| Source Domain | Redirect URL |
|---|---|
| http://tenantA.com | http://tenantA.main.com |
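
The lookup shown in the two tables above, written out as an added example (not Sisense's code, and not a statement of how the Router is implemented internally). It assumes an attribute matches a single DNS label and that an unmapped parameter value yields no redirect; the names matchHost, resolveLogin and resolveLogout are hypothetical.

```javascript
const config = {                      // the page's example configuration
    login: {
        'tenantA.com': 'http://tenantA.sso.com',
        '${attribute}.tenant': 'http://${attribute}.tenant.sso.com'
    },
    logout: { 'tenantA.com': 'http://tenantA.main.com' },
    loginURLParameter: 'domain',
    loginParameterMapping: { 1: 'http://tenantA.sso.com', 2: 'http://tenantB.sso.com' }
};

const ATTR = /\$\{[^}]+\}/;           // the single ${attribute_name} placeholder
const LABEL = '([a-z0-9-]+)';         // assumption: an attribute is one DNS label
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Match a host against a Source:Redirect map (keys carry no protocol or port).
function matchHost(map, host) {
    for (const [key, target] of Object.entries(map || {})) {
        const pattern = key.split(ATTR).map(escapeRe).join(LABEL);
        const m = new RegExp(`^${pattern}$`, 'i').exec(host);
        if (m) return target.replace(ATTR, m[1] ?? '');
    }
    return null;                      // unknown source: no redirect target
}

function resolveLogin(cfg, requestUrl) {
    const url = new URL(requestUrl);  // .hostname drops the protocol and the port
    const name = cfg.loginURLParameter;
    if (name && url.searchParams.has(name)) {
        const value = url.searchParams.get(name);
        // Own-property check so "?domain=constructor" cannot reach Object.prototype.
        // Assumption: an unmapped value yields no redirect (the page does not say).
        return own(cfg.loginParameterMapping, value) ? cfg.loginParameterMapping[value] : null;
    }
    return matchHost(cfg.login, url.hostname);
}

function resolveLogout(cfg, requestUrl) {
    return matchHost(cfg.logout, new URL(requestUrl).hostname);
}

console.log(resolveLogin(config, 'http://a.tenant'));
```

Restricting the attribute to one DNS label keeps a templated redirect target inside the configured parent domain: a host such as a.b.tenant matches no key and gets no redirect.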

Configuring Sisense to Use the SSO Router as the Login Endpoint

  1. Open the Configuration Manager
    For Linux
    For Windows
  2. Click the Sisense logo five times to present the full list of configurations.
  3. Open the Base Configuration tab.
  4. Under the SSO section:
    1. Update the sso.loginUrl to /api/v1/ssoRouter/login
    2. If needed, update the sso.logoutUrl to /api/v1/ssoRouter/logout
  5. Click Save Base, in the top-right corner.

This is a premium Sisense add-on. For pricing details please get in touch with your CSM.

1.0.0.10 – 17/09/2020
New Features and Enhancements
This release contains two new REST API endpoints: login endpoint and logout endpoint.