Single Sign-On with SAML
As a Sigma Admin, you can configure your organization to use Single Sign-On (SSO) Authentication with any platform that supports SAML (ie Okta, OneLogin and Google SSO). You may also choose to configure Sigma to your own custom implementation that uses SAML.
Summary of Content
Requirements
Understanding SSO and SAML
What is SAML?
SP vs IdP Initiated Authentication
Configuring SSO for your Sigma Organization
[Step 1] Configure your Identity Provider
[Step 2] Configure SAML in Sigma
Order of Precedence for User Roles
What is the default userRole for IdP users?
What will happen if a user’s role is declared in my IdP, but I change it in Sigma?
Related Resources
Requirements
- Admin privileges in Sigma Learn more about account types.
- An identity provider (IdP).
Understanding SSO and SAML
What is SAML?
SAML, short for “Security Assertion Markup Language”, is a widely used security protocol. It provides secure authentication and authorization between a service provider (SP) and an identity provider (IdP).
A service provider is the web application that you would like to gain access to. In this case, it’s Sigma!
An identity provider is a software service that performs authentication related services (Oauth, account status verification, account attribute declaration). Examples of IdPs include Okta, OneLogin, and Google SSO.
SP vs IdP Initiated Authentication
Sigma supports the configuration of both SP-initiated and IdP-initiated authentication. This means your organization members can choose to login to Sigma from either your IdP console or your Sigma login page.
Configuring SP-initiated authentication is optional. If you would like to enable this option, you will need to provide your IdP with a “RelayState / Start URL”.
Configure SSO for your Sigma Organization
Connecting your organization to an IdP is a multi-stage process that involves SAML configuration in both the IdP and Sigma.
[Step 1] Configure your Identity Provider
Confirm your Sigma Cloud Service Provider
Sigma supports running on both AWS and GCP. Your organization's cloud will impact IdP configuration. Before you get started, please confirm your organization's Cloud service on your Admin Portal's Account page, under the Site heading.
Select and Configure your IdP
If your company uses Okta, OneLogin or Google SSO, you will have an option to use a pre-configured application to set up SSO access to Sigma. Please visit your IdP to learn how to use this application. Instructions can be found by searching for ‘Sigma Computing’ in your IdP’s marketplace.
If your company uses a different IdP, follow that IdP's instructions for setting up a SAML application and make sure the following fields are set.
Note: If specified in the table below, select the value specific to your cloud.
Field |
Value |
Audience URI |
GCP: https://api.sigmacomputing.com/api/v2/saml2/2/metadata.xml AWS: https://aws-api.sigmacomputing.com/api/v2/saml2/2/metadata.xml |
Assertion consumer service URL / Consumer URL / Login URL / Single sign on URL |
|
NameID format |
email (“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”) |
Attributes
|
“fullName” or “firstName”, “lastName” |
"userRole" The userRole attribute can be set to "admin", "creator", "explorer" or "viewer". |
|
|
https://app.sigmacomputing.com/<YOUR-ORG>/finish-login |
Validator |
GCP: ^https:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$ AWS: ^https:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$ |
[Step 2] Configure SAML in Sigma
-
Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.
-
Select the Authentication page from the left hand panel.
- Click the Edit button under Authentication Method and Options.
-
Select SAML from the Authentication Method dropdown menu.
-
Enter your Identity Provider login / Single Sign On URL - aka “SAML 2.0 Endpoint (HTTP)”.
You can get this from your IdP. -
Enter your Identity provider X.509 Certificate.
You can get this from your IdP. -
Click Save.
Order of Precedence for User Roles
- A user role configured in your IdP will always take precedence over a role set in Sigma.
- If no user role is declared in your IdP, Sigma will next recognize the user role declared in Sigma.
- If no user role has been declared in either your IdP or Sigma, the user role will be defaulted to Viewer.
What is the default userRole for IdP users?
The default userRole is ‘Viewer’. This means, if one of your organization members signs up for Sigma without you specifying their userRole in your IdP, Sigma will recognize them as a “Viewer”.
This can be helpful, for instance, if a non-sigma user in your organization signs up to view a shared dashboard.
What will happen if a user’s role is declared in my IdP, but I change it in Sigma?
In this scenario, the first rule of precedence will be observed: a user role configured in your IdP will always take precedence over a role set in Sigma.
You can attempt to change the role from Sigma; however, the role will not be translated back to your IdP, and your Sigma display of the user’s role will be reset to their IdP declared role the next time they log in to Sigma.
Related Resources
Manage Authentication
Managing Users and Teams with SCIM
How to Configure SAML 2.0 for [Okta and] Sigma on GCP (Okta documentation)
How to Configure SAML 2.0 for [Okta and] Sigma on AWS (Okta documentation)
Configure [Azure and] Sigma Computing for automatic user provisioning (Azure documentation)
Custom Session Timeouts
OAuth with Snowflake
Single Sign-On with Sigma and Okta (QuickStarts)