Single-Sign-On login is a password-less way to authenticate to AT Internet.
The user only has to be logged in to his internal platform to login to the Analytics Suite.
APPLY YOUR PASSWORD POLICY
The only required password is the one on your internal platform, which can be restricted accordingly to your IT teams requirements.
NoteTurning a standard user into a SSO user will delete his AT Internet password.
CONTROL USER'S ACCESS
Since authentication is based on your internal platform access, you can cut the access to our solutions and many others, by deleting the user from your Active Directory.
NoteDeleting a user from the Active Directory, does not delete it from our solutions, the user will not be able to login but his API Keys will work.
If needed you can still rely on our API Keys' API to check the use of API Keys.
RELY ON SECURED PROTOCOLS
The SSO option is based on SAML 2.0 and OpenID processes making it compatible with most SSO user management systems.
SSO OPTION IS PER ORGANISATION
Any user listed in your organisation can be switched to SSO.
STANDARD AND SSO USERS CAN COEXIST
On an SSO organisation, you can have SSO users and standard users as well to allow users not listed in your Active Directory to login to your organisation.
SSO USERS CANNOT BE MULTI-ORGANISATION
An SSO user can only be listed in one organisation because it would otherwise imply that your internal accesses allow authentication to another organisation.
FREE ACTIVATION AND USE
The SSO option, does not imply any additional fees, just a setup that is entirely free.
- iOS Explorer app does not yet provide SSO login
- Some partnership integration may require some adaptations, please check if your integration is SSO compatible
- Users on SSO accounts will no longer be able to trigger API calls based on their former passwords, they will have to update them with API Keys making sure the domain is api.atinternet.io.
To activate the SSO option, please reach out to support teams with these information:
Text you want to specify to login through your AD from our login page used in our configurations:
- ATI Authentication URL: https://sso.atinternet-solutions.com/CompanyLabelName/login
- ATI Validation URL: https://sso.atinternet-solutions.com/CompanyLabelName/assert
Should the user be redirected to our login page or another page when he logs out? If so which one?
Should the user added to your Active Directory be automatically imported to our user listing (it will not give them any right outside than all users groups)
SAML 2.0 OR OPENID CONFIGURATION
Please specify the desired configuration and its respective setup as listed below.
SAML 2.0 CONFIGURATION
Please provide your metadata file based on the "nameid-format:emailAddress", including your login URL and your X.509 certificate
Please provide your ServiceProvider map including client id and client secret, and also your IdentityProvider map including authorization endpoint, issuer, jwks, uri, token endpoint (potentially identity token and user endpoint as well).
Do you want to switch all users from standard to SSO users, or only some users? If so, could you please specify the concerned users? Please also specify a user on which you could test the SSO setup before applying it to all users.
ProcessOnce you provided these information to our support team, our tech team will be able to turn on SSO.
Then with the test user requested ealier, our tech team will be able to switch him to a SSO account.
After your behaviour validation, we will switch the specified list of users to SSO accounts.
With the SSO option enabled, user creation form gets a dedicated tickbox, ticked by default to set the user as a SSO user.
Auto Provisioning mode
According to your SSO configuration as detailed in the Description section, you may only rely on your Active Directory to add users automatically.
Any user added to your Active Directory will be added to the Analytics Suite user listing.
Though, it will not give them access rights (unless your organisation has a group applied to all users).
If a user is listed as SSO on your organisation, the SSO section of the user's page in Access Rights will be displayed.
If you want to see the SSO users among your users list, please click on the Download button above the users table, and check the export file.
From the login page click on the top right link named Single Sign On, and fill in your CompanyLabel before submitting your login request.
The CompanyLabel is set in your organisation configuration, then share it to your users and they’re good to go (depending on their rights).
Since SSO users do not have a password they need to rely on API Keys to authenticate to external API calls.
Find out more on API Keys.