Single sign-on with SAML

Requirements

  • Admin privileges in Sigma; see Account types.
  • An identity provider (IdP).

Understanding SSO and SAML

What is SAML?

SAML, Security Assertion Markup Language, is a widely used security protocol. It provides secure authentication and authorization between a service provider (SP) and an identity provider (IdP).

A service provider is the web application that you would like to gain access to. In this case, it’s Sigma.

An identity provider is a software service that performs authentication related services (Oauth, account status verification, account attribute declaration). Examples of IdPs include Okta, OneLogin, and Google SSO.

Service Provider (SP) and Identity Provider (IdP) Authentication

By default, Sigma supports SP-only authentication via the the Sigma login page. In order to additionally use IdP-initiated authentication from the IdP's console you must provide your IdP with a RelayState / StartURL

Configure SSO for your Sigma Organization

Follow the steps below to connect SSO for your Sigma organization. This is a multi-stage process that involves SAML configuration in both the IdP and Sigma.

[Step 1] Configure your Identity Provider

Confirm your Sigma Cloud Service Provider

Sigma organizations can be hosted on AWS, Azure, and GCP. Your IdP configuration will differ based on what cloud provider yours is hosted on. Before you get started, please confirm your organization's cloud provider in your Administration Portal's Account page, under the Site heading. See Technical Specifications for more information. 

Note: All GCP configurations must be custom. Do not use the Google app to configure.

company apps

Select and Configure your IdP

If your company uses Okta, you have an option to use a  pre-configured application to set up SSO access to Sigma. Please visit your IdP to understand how to use this application. Instructions can be found by searching for ‘Sigma Computing’ in your IdP’s marketplace.

If your company uses a different IdP, follow that IdP's instructions for setting up a SAML application and verify that the following fields are set.

If specified in the table below, select the value specific to your cloud.

FieldValue
Cloud PrefixGCP: api
AWS: aws-api
AWS-CA: api.ca.aws
AWS-EU: api.eu.aws
Azure: api.us.azure
Audience URIhttps://{{prefix}}.sigmacomputing.com/api/v2/saml2/2/metadata.xml
Assertion consumer service URL / Consumer URL / Login URL / Single sign on URLhttps://{{prefix}}.sigmacomputing.com/api/v2/saml2/assert
NameID formatemail (“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”)
Attributes

“fullName” or “firstName”, “lastName”

"userRole"

The userRole attribute can be set to lite, essential, pro, or admin (default account types). It also supports viewer and creator (former default account types).

If userRole isn't set, lite is applied by default, and you have the option to set a user's role directly within Sigma. If you set the role in your IdP after setting it in Sigma, the IdP setting overrides the userRole set in Sigma during the next user session.

See userRole order of precedence and account types.

RelayState / Start URLhttps://app.sigmacomputing.com/<YOUR-ORG>/finish-login
ValidatorGCP: ^https\:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$
AWS: ^https\:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$

[Step 2] Configure SAML in Sigma

  1. Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.

    company apps

  2. Select the Authentication page from the left hand panel.

  3. Click the Edit button under Authentication Method and Options.

  4. Select SAML from the Authentication Method dropdown menu.

    company apps

  5. Enter your Identity Provider login / Single Sign On URL - aka SAML 2.0 Endpoint (HTTP).
    This information is found in your IdP portal.

  6. Enter your Identity provider X.509 Certificate.You can get this from your IdP.

  7. In the Export Authentication field, click Edit to allow exports to approved domains.

  8. Click Save.

userRole order of precedence

  1. A user role configured in your IdP always take precedence over an account type set in Sigma.
  2. If a user role isn't set in your IdP, Sigma recognizes the account type set in Sigma.
  3. If a user role isn't set in your IdP, and no account type is set in Sigma, the user role defaults to lite.

What is the default userRole for IdP users?

The default userRole is lite. This means, if an organization member signs up for Sigma without you specifying their userRole in your IdP, Sigma assigns the default Lite account type.

This can be helpful, for instance, if a non-Sigma user in your organization signs up to view a shared dashboard.

What happens if a user’s role is set in my IdP, but I change it in Sigma?

In this scenario, the first rule of precedence is observed: a user role configured in your IdP always take precedence over a role set in Sigma.

You can attempt to change the role from Sigma; however, the role won't write back to your IdP, and your Sigma display of the user’s role will be reset to their IdP declared role the next time they log in to Sigma.