Single Sign-On with SAML
As a Sigma Admin, you can configure your organization to use Single Sign-On (SSO) Authentication with any platform that supports SAML: Okta, OneLogin, and Google SSO etc. You can also configure Sigma to your custom SAML implementation.
Summary of Content
Requirements
Understanding SSO and SAML
What is SAML?
SP and IdP Authentication
Configuring SSO for your Sigma Organization
[Step 1] Configure your Identity Provider
[Step 2] Configure SAML in Sigma
Order of Precedence for User Roles
What is the default userRole for IdP users?
What will happen if a user’s role is declared in my IdP, but I change it in Sigma?
Related Resources
Requirements
- Admin privileges in Sigma; see Account types.
- An identity provider (IdP).
Understanding SSO and SAML
What is SAML?
SAML, Security Assertion Markup Language, is a widely used security protocol. It provides secure authentication and authorization between a service provider (SP) and an identity provider (IdP).
A service provider is the web application that you would like to gain access to. In this case, it’s Sigma.
An identity provider is a software service that performs authentication related services (Oauth, account status verification, account attribute declaration). Examples of IdPs include Okta, OneLogin, and Google SSO.
Service Provider (SP) and Identity Provider (IdP) Authentication
By default, Sigma supports SP-only authentication via the the Sigma login page. In order to additionally use IdP-initiated authentication from the IdP's console you must provide your IdP with a RelayState / Start URL.
Configure SSO for your Sigma Organization
Follow the steps below to connect SSO for your Sigma organization. This is a multi-stage process that involves SAML configuration in both the IdP and Sigma.
[Step 1] Configure your Identity Provider
Confirm your Sigma Cloud Service Provider
Sigma organizations can be hosted on AWS, Azure, and GCP. Your IdP configuration will differ based on what cloud provider yours is hosted on. Before you get started, please confirm your organization's cloud provider in your Administration Portal's Account page, under the Site heading. See Technical Specifications for more information.
Note: All GCP configurations must be custom. Do not use the Google app to configure.
Select and Configure your IdP
If your company uses Okta, you have an option to use a pre-configured application to set up SSO access to Sigma. Please visit your IdP to understand how to use this application. Instructions can be found by searching for ‘Sigma Computing’ in your IdP’s marketplace.
If your company uses a different IdP, follow that IdP's instructions for setting up a SAML application and verify that the following fields are set.
If specified in the table below, select the value specific to your cloud.
Field |
Value |
Cloud Prefix |
GCP: api AWS: aws-api AWS-CA: api.ca.aws AWS-EU: api.eu.aws Azure: api.us.azure |
Audience URI |
https://{{prefix}}.sigmacomputing.com/api/v2/saml2/2/metadata.xml |
Assertion consumer service URL / Consumer URL / Login URL / Single sign on URL |
https://{{prefix}}.sigmacomputing.com/api/v2/saml2/assert |
NameID format |
email (“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”) |
Attributes
|
“fullName” or “firstName”, “lastName” |
"userRole" The userRole attribute can be set to admin, creator, or viewer.
See userRole order of precedence and user roles. |
|
|
https://app.sigmacomputing.com/<YOUR-ORG>/finish-login |
Validator |
GCP: ^https:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$
AWS: ^https:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$
|
[Step 2] Configure SAML in Sigma
- Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.
- Select the Authentication page from the left hand panel.
- Click the Edit button under Authentication Method and Options.
- Select SAML from the Authentication Method dropdown menu.
-
Enter your Identity Provider login / Single Sign On URL - aka SAML 2.0 Endpoint (HTTP).
This information is found in your IdP portal. -
Enter your Identity provider X.509 Certificate.
You can get this from your IdP. - In the Export Authentication field, click Edit to allow exports to approved domains.
-
Click Save.
Order of Precedence for User Roles
- A user role configured in your IdP always take precedence over a role set in Sigma.
- If no user role is set in your IdP, Sigma recognizes the user role set in Sigma.
- If no user role has been set in either your IdP or Sigma, the user role defaults to Viewer.
What is the default userRole for IdP users?
The default userRole is Viewer. This means, if one of your organization members signs up for Sigma without you specifying their userRole in your IdP, Sigma will recognize them as a Viewer.
This can be helpful, for instance, if a non-sigma user in your organization signs up to view a shared dashboard.
What happens if a user’s role is set in my IdP, but I change it in Sigma?
In this scenario, the first rule of precedence is observed: a user role configured in your IdP always take precedence over a role set in Sigma.
You can attempt to change the role from Sigma; however, the role won't write back to your IdP, and your Sigma display of the user’s role will be reset to their IdP declared role the next time they log in to Sigma.
Related Resources
Manage Authentication
Managing Users and Teams with SCIM
How to Configure SAML 2.0 for [Okta and] Sigma on GCP (Okta documentation)
How to Configure SAML 2.0 for [Okta and] Sigma on AWS (Okta documentation)
Configure [Azure and] Sigma Computing for automatic user provisioning (Azure documentation)
Custom Session Timeouts
OAuth with Snowflake
Single Sign-On with Sigma and Okta (QuickStarts)