Single sign-on with SAML

Requirements

  • Admin privileges in Sigma; see Account types.
  • An identity provider (IdP).

Understanding SSO and SAML

What is SAML?

SAML, Security Assertion Markup Language, is a widely used security protocol. It provides secure authentication and authorization between a service provider (SP) and an identity provider (IdP).

A service provider is the web application that you would like to gain access to. In this case, it’s Sigma.

An identity provider is a software service that performs authentication-related services (OAuth, account status verification, account attribute declaration). Examples of IdPs include Okta, OneLogin, and Google SSO.

Service Provider (SP) and Identity Provider (IdP) Authentication

By default, Sigma supports SP-initiated authentication via the Sigma login page. To additionally use IdP-initiated authentication from the IdP's console, you must provide your IdP with a RelayState / Start URL.

Configure SSO for your Sigma Organization

Follow the steps below to connect SSO for your Sigma organization. This is a multi-stage process that involves SAML configuration in both the IdP and Sigma.

[Step 1] Configure your Identity Provider

Confirm your Sigma Cloud Service Provider

Sigma organizations can be hosted on AWS, Azure, or GCP, and your IdP configuration differs depending on which cloud provider hosts your organization. Before you get started, confirm your organization's cloud provider in your Administration Portal's Account page, under the Site heading. See Technical Specifications for more information.

Note: All GCP configurations must be custom. Do not use the pre-built Google app to configure them.

Select and Configure your IdP

If your company uses Okta, you have the option to use a pre-configured application to set up SSO access to Sigma. Visit your IdP to learn how to use this application; instructions can be found by searching for ‘Sigma Computing’ in your IdP’s marketplace.

If your company uses a different IdP, follow that IdP's instructions for setting up a SAML application and verify that the following fields are set.

Where a value differs by cloud, select the one specific to your cloud.

  • Cloud Prefix (the {{prefix}} value used in the URLs below)
      GCP: api
      AWS: aws-api
      AWS-CA: api.ca.aws
      AWS-EU: api.eu.aws
      Azure: api.us.azure

  • Audience URI
      https://{{prefix}}.sigmacomputing.com/api/v2/saml2/2/metadata.xml

  • Assertion consumer service URL / Consumer URL / Login URL / Single sign on URL
      https://{{prefix}}.sigmacomputing.com/api/v2/saml2/assert

  • NameID format
      email (“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”)

  • Attributes
      “fullName” or “firstName”, “lastName”
      “userRole”
      The userRole attribute can be set to admin, creator, or viewer. If no userRole is set, “viewer” is selected by default, and you have the option to set a user's role directly within Sigma. If you set the role in your IdP after you set it in Sigma, the IdP setting overrides the userRole set in Sigma the next time the user logs in with SSO.
      See userRole order of precedence and user roles.

  • RelayState / Start URL
      https://app.sigmacomputing.com/<YOUR-ORG>/finish-login

  • Validator
      GCP: ^https:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$
      AWS: ^https:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$

[Step 2] Configure SAML in Sigma

  1. Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.

  2. Select the Authentication page from the left hand panel.

  3. Click the Edit button under Authentication Method and Options.

  4. Select SAML from the Authentication Method dropdown menu.

  5. Enter your Identity Provider login / Single Sign On URL (also called the SAML 2.0 Endpoint (HTTP)). This value is found in your IdP portal.

  6. Enter your Identity Provider X.509 Certificate. You can get this from your IdP.

  7. In the Export Authentication field, click Edit to allow exports to approved domains.

  8. Click Save.

Order of Precedence for User Roles

  1. A user role configured in your IdP always takes precedence over a role set in Sigma.
  2. If no user role is set in your IdP, Sigma recognizes the user role set in Sigma.
  3. If no user role has been set in either your IdP or Sigma, the user role defaults to Viewer.
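As an added example (not Sigma's code), the following Python checks a SAML Response against the SP values from the table above and resolves the effective role using the precedence rules just listed. The endpoint URLs, NameID format and attribute names come from this page; the response layout, the constructed sample and the `check_response` helper are assumptions for illustration, and signature verification with the IdP X.509 certificate is left to a proper SAML library.

```python
"""Check a SAML Response against the Sigma SP values listed on this page.
Added example, not Sigma's code. The response is a constructed, unsigned
sample; real validation must verify the signature before trusting any field."""
import xml.etree.ElementTree as ET

PREFIX = {"GCP": "api", "AWS": "aws-api", "AWS-CA": "api.ca.aws",
          "AWS-EU": "api.eu.aws", "Azure": "api.us.azure"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sp_endpoints(cloud):
    """(Audience URI, ACS URL) for an organization hosted on `cloud`."""
    base = f"https://{PREFIX[cloud]}.sigmacomputing.com/api/v2/saml2"
    return base + "/2/metadata.xml", base + "/assert"

def check_response(xml_text, cloud, sigma_role=None):
    """Return (problems, role): every SP-setting mismatch found, and the
    effective role (IdP userRole, else the role set in Sigma, else viewer)."""
    audience, acs = sp_endpoints(cloud)
    root = ET.fromstring(xml_text)
    problems = []
    # Exact match, which is what the anchored Validator regex enforces.
    if root.get("Destination") != acs:
        problems.append("Destination is not the ACS URL")
    if root.findtext("a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience", "", NS) != audience:
        problems.append("Audience does not match Audience URI")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        problems.append("NameID format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", "", NS)
             for a in root.iterfind("a:Assertion/a:AttributeStatement/a:Attribute", NS)}
    if not (attrs.get("fullName") or (attrs.get("firstName") and attrs.get("lastName"))):
        problems.append("missing fullName (or firstName and lastName)")
    idp_role = attrs.get("userRole")
    if idp_role and idp_role not in ("admin", "creator", "viewer"):
        problems.append(f"unknown userRole {idp_role!r}")
        idp_role = None  # an unrecognised value is treated as unset
    return problems, idp_role or sigma_role or "viewer"

# Constructed sample response for an AWS-hosted organization.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://aws-api.sigmacomputing.com/api/v2/saml2/assert"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://aws-api.sigmacomputing.com/api/v2/saml2/2/metadata.xml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="fullName"><saml:AttributeValue>Ana Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userRole"><saml:AttributeValue>creator</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running the same response against the wrong cloud reports both a Destination and an Audience mismatch, which is the symptom of pointing an IdP app at the wrong Cloud Prefix.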

What is the default userRole for IdP users?

The default userRole is Viewer. This means that if one of your organization members signs up for Sigma without you specifying their userRole in your IdP, Sigma will recognize them as a Viewer.

This can be helpful, for instance, if a non-Sigma user in your organization signs up to view a shared dashboard.

What happens if a user’s role is set in my IdP, but I change it in Sigma?

In this scenario, the first rule of precedence is observed: a user role configured in your IdP always takes precedence over a role set in Sigma.

You can attempt to change the role from Sigma; however, the change won't write back to your IdP, and the role Sigma displays for the user will be reset to their IdP-declared role the next time they log in to Sigma.