English (GB) Français
Contact support Messages history
English (GB) Français
  1. Help centre
  2. Products
  3. Access rights
See all articles

Single-Sign-On (SSO)

Alexandre Cazaurang
  • Updated

Description

Single-Sign-On login is a password-less way to authenticate to Piano Analytics.
The user only has to be logged in to his corporate portal to login to Piano Analytics.

Main principles

APPLY YOUR PASSWORD POLICY

The only required password is the one on your corporate portal, which can be set to match your IT teams requirements.

Note
Turning a standard user into a SSO user will delete his Piano Analytics password.

CONTROL USER'S ACCESS 

Since authentication is based on your corporate portal access, you can cut the access to our solutions and many others, by deleting the user from your Active Directory.

Note
Deleting a user from the Active Directory, does not delete it from our solutions, the user will not be able to login but his API Keys will work.
If needed you can still rely on our API to check the use of API Keys.

RELY ON SECURED PROTOCOLS

The SSO feature is based on SAML 2.0 and OpenID Connect processes making it compatible with most Identity Providers (IdP).

SSO FEATURE IS PER ORGANISATION

Any user listed in your organisation can be switched to SSO.

STANDARD AND SSO USERS CAN COEXIST

On an SSO organisation, you can have SSO users and standard users as well to allow users not listed in your Active Directory to login to your organisation.

SSO USERS CANNOT BE MULTI-ORGANISATION

An SSO user can only be listed in one organisation.

FREE ACTIVATION AND USE

The SSO feature, does not imply any additional fees.

Important
  • Some partnership integration may require some adaptations, please check if your integration is SSO compatible
  • Users on SSO accounts will no longer be able to trigger API calls based on their former passwords, they will have to update them with API Keys making sure the domain is api.atinternet.io.

 

Activation

To activate the SSO feature, please reach out to support teams with these information:

ORGANISATION

Please provide us the name of your organisation to be used in:
- The "Company Label" text field to authenticate with SSO from our dedicated login page.
- The Identity Provider configuration(IdP):

SAML 2.0 OpenID Connect

ATI Authorization URL:
https://sso.atinternet-solutions.com/{organisation}/login

ATI Assertion URL:
https://sso.atinternet-solutions.com/{organisation}/assert

ATI Authorization URL:
https://sso.atinternet-solutions.com/{organisation}/login

ATI Redirect URL:
https://sso.atinternet-solutions.com/{organisation}/callback

 

CONFIGURATION

SAML 2.0 OpenID Connect

 Please provide us:
- your login URL
- your X.509 certificate

 

We will then, provide you with a XML metadata file to add to your Identity Provider.

Please provide us:
- your client_id (identifier dedicated to the app and used by AT Internet to login)

- your secret_client (secret provided by your Identity Provider and used by AT Internet to login)

- the OpenId Connect configuration URL given by your provider under this format:
https://{oauth-provider-hostname}/.well-known/openid-configuration

 

LOGOUT BEHAVIOUR

Should the user be redirected to our login page or another page when he logs out? If so which one?

 

AUTO PROVISIONING

Should the user added to your Active Directory be automatically imported to our user listing (it will not give them any right outside than all users groups)

 

USER SWITCH

Do you want to switch all users from standard to SSO users, or only some users? If so, could you please specify the concerned users? Please also specify a user on which you could test the SSO setup before applying it to all users.

Process
Once you provided these information to our support team, our tech team will be able to turn on SSO.
Then with the test user requested ealier, our tech team will be able to switch him to a SSO account.
After your behaviour validation, we will switch the specified list of users to SSO accounts.

 


User creation

User form

With the SSO feature enabled, user creation form gets a dedicated tickbox, ticked by default to set the user as a SSO user.

sso-02.png

 

User identification

User page

If a user is listed as SSO on your organisation, the SSO section of the user's page in Access Rights will be displayed.

sso-01.png
Users export

If you want to see the SSO users among your users list, please click on the Download button above the users table, and check the export file.

Authentication

Note

Login can be set from your corporate portal or directly from our login page.

Login page

From the login page click on the bottom right link named Single Sign On, and fill in your CompanyLabel before submitting your login request.

sso-03.png

Note

The CompanyLabel is set in your organisation configuration, then share it to your users and they’re good to go (depending on their rights).


API Keys

Since SSO users do not have a password they need to rely on API Keys to authenticate to external API calls.
Find out more on API Keys.

Articles in this section