Single Sign-On (SSO) Router

By Sisense

Overview
Technical Details
Pricing
Release Notes

The Single Sign-On Router provides new REST API endpoints to route login and logout JWT SSO requests based on the source request domain or URL parameter.

Important Note: The client should implement the SSO JWT handler. The SSO Router only routes to existing endpoints.

Use Case 1:
A company using multi-tenant configuration defines URL parameter that will determine the user's tenant. When a user connects to Sisense and the URL parameter set to his tenant's identifier, Sisense routes the request to the tenant's unique SSO handler.

Use Case 2:
A company using multi-tenant configuration creates a unique URL parameter for each tenant. When a user connects to Sisense using a specific parameter, Sisense routes the request to the tenant's unique SSO handler.

Installing the SSO Router

The multi-tenant SSO provides a new SSO endpoint. This endpoint is used as the login/logout endpoint.

Windows

Download and extract .zip plugin.
Run the PSE.Sisense.SSORouter.msi installer from /ssoRouter/Windows. The package installs a new Windows microservice “sisense.SSORouter”.
Edit the microservice “config.js” file, as described below.
Configure the JWT SSO to use the SSO Router endpoint as the login and logout URL, as described below.
Restart the Windows “sisense.SSORouter” service.

Linux

Download and extract the .zip plugin.
Place the /ssoRouter/Linux/ssoRouter directory on the Sisense Linux server under the following path: /opt/sisense/storage/external-plugins/apiPlugins/plugins/.
Edit the config.js, as described below.
Configure the JWT SSO to use the SSO Router endpoint as the login and logout URL, as described below.
Restart the ‘external-plugins’ pod to apply the changes (pods available under the ‘sisense’ namespace).

After you install the SSO Router, you will see an additional endpoint in the Swagger REST API page:

Upgrade the SSO Router

Before you upgrade the SSO router, make a copy of the configuration file.
Windows: run the .msi installation file.
Linux: replace the content of the SSO router folder with the new SSO router folder, as described in the installation instructions.
Replace the newly installed configuration file, with your custom configuration file.
Windows: Restart the SSO Router microservice.
Linux: Restart the ‘external-plugins’ pod.

Configuring the SSO Router

SSO Router configuration is located in a JS config file.
To configure the SSO Router, update the configuration file.

File location:

Linux: /ssoRouter/v1/config.js
Windows: /sisense/app/ssoRouter/src/features/ssoRouter/v1/config.js

The configuration file contains a configuration object with four keys:

login: Object. Contains key-value pairs of the request origin and the required route URL**
logout: Object. Contains key-value pairs of the request origin and the required route URL**
loginURLParameter: String. In case the login SSO handler is determined by a URL parameter, state the URL parameter name.
To pass a URL parameter, replace all the # characters in the URL with %23.
For example:
http://sisense.dns.com/app/main#/home?embed=true =>
http://sisense.dns.com/app/main%23/home?embed=true
loginParameterMapping: Object. If the login SSO handler is determined by a URL parameter, state the parameter value as the key and the redirect address as the value.

* * Source:Redirect key-value pairs: The key represents the Sisense DNS. Provide the DNS with no protocol (HTTP/HTTPS) and no port.
The value is the URL to redirect to.
The keys and values can contain up to a single attribute.
The attribute will be in the format: ${attribute_name}.

Important: For login requests, if the login URL parameter is specified, the loginParameterMapping is used. If the login URL parameter is not specified, the login mapping is used.

Configuration example:

Preview

Post to LiveJournal

const config = {
    login: {
        'tenantA.com': 'http://tenantA.sso.com',
        '${attribute}.tenant': 'http://${attribute}.tenant.sso.com'
    },
    logout: {
        'tenantA.com': 'http://tenantA.main.com',
    },
    loginURLParameter: 'domain',
    loginParameterMapping: {
        1: 'http://tenantA.sso.com',
        2: 'http://tenantB.sso.com'
    }
};

Source Domain	Redirect URL	Explanation
http://tenantA.com	http://tenantA.sso.com	Since there is no URL parameter, the Router will try to find the SSO handler URL in the ‘login’ object
https://tenantA.com	http://tenantA.sso.com	Since there is no URL parameter, the Router will try to find the SSO handler URL in the ‘login’ object. The source request protocol (HTTP/HTTPS) does not take place when calculating the redirect URL.
http://a.tenant	http://a.tenant.sso.com	The login URL matches the template ${attribute}.tenant
http://tenantA?domain=1	http://tenantA.sso.com	Since the domain parameter is provided, the SSO handler URL will be the URL that is mapped to the “domain” parameter value

Logout request:

Source Domain	Redirect URL
http://tenantA.com	http://tenantA.main.com

Configuring Sisense to Use the SSO Router as the Login Endpoint

Open the Configuration Manager
For Linux
For Windows
Click the Sisense logo five times to present the full list of configurations.
Open the Base Configuration tab.
Under the SSO section:
1. Update the sso.loginUrl to /api/v1/ssoRouter/login
2. If needed, update the sso.logoutUrl to /api/v1/ssoRouter/logout
Click Save Base, in the top-right corner.

This is a premium Sisense add-on. For pricing details please get in touch with your CSM: Get the Add-On

1.0.0.10 – 17/09/2020
New Features and Enhancements
This release contains two new REST API endpoints: login endpoint and logout endpoint.

1.0.0.11 – 04/12/2020
Was added support for Linux 8.2.1, 8.2.6 and Windows 8.2.4