Single Sign On with SAML

As a Sigma Admin, you can configure your organization to use Single Sign On (SSO) authentication with any identity platform that supports SAML (e.g. Okta, OneLogin and Google SSO). You may also configure Sigma against your own custom SAML implementation.

Summary of Content

Requirements
Understanding SSO and SAML
      What is SAML?
      SP vs IdP Initiated Authentication
Configuring SSO for your Sigma Organization
      [Step 1] Configure your Identity Provider
      [Step 2] Configure SAML in Sigma
Order of Precedence for User Roles
      What is the default userRole for IdP users?
      What will happen if a user’s role is declared in my IdP, but I change it in Sigma?
Related Resources

Requirements

Understanding SSO and SAML

What is SAML?

SAML, short for “Security Assertion Markup Language”, is a widely used open standard for exchanging authentication and authorization data between a service provider (SP) and an identity provider (IdP).

A service provider is the web application that you would like to gain access to. In this case, it’s Sigma!

An identity provider is a software service that authenticates your users and performs related functions (verifying credentials, checking account status, and asserting account attributes such as name and role). Examples of IdPs include Okta, OneLogin, and Google SSO.

SP vs IdP Initiated Authentication

Sigma supports both SP-initiated and IdP-initiated authentication. This means your organization members can log in to Sigma either from your IdP console or from your Sigma login page.

SP-initiated login (starting at the Sigma login page) works once Sigma knows your IdP's Single Sign On URL and certificate (Step 2 below). IdP-initiated login (starting from a Sigma tile in your IdP console) is optional; to enable it, you must also provide your IdP with a “RelayState / Start URL” so that it can return users to the correct Sigma organization.

Configuring SSO for your Sigma Organization

Connecting your organization to an IdP is a multi-stage process that involves SAML configuration in both the IdP and Sigma.

[Step 1] Configure your Identity Provider

Confirm your Sigma Cloud Service Provider

Sigma runs on both AWS and GCP, and the cloud your organization is hosted on determines which URLs you enter in your IdP. Before you get started, confirm your organization's cloud on your Admin Portal's Account page, under the Site heading.


Select and Configure your IdP

If your company uses Okta, OneLogin or Google SSO, you can use a pre-configured application to set up SSO access to Sigma. Instructions can be found by searching for ‘Sigma Computing’ in your IdP’s application marketplace.

If your company uses a different IdP, follow that IdP's instructions for setting up a SAML application and make sure the following fields are set.

Note: If specified in the table below, select the value specific to your cloud.

Field: Audience URI
Value:
    GCP: https://api.sigmacomputing.com/api/v2/saml2/2/metadata.xml
    AWS: https://aws-api.sigmacomputing.com/api/v2/saml2/2/metadata.xml

Field: Assertion consumer service URL (also labeled Consumer URL, Login URL, or Single sign on URL)
Value:
    GCP: https://api.sigmacomputing.com/api/v2/saml2/assert
    AWS: https://aws-api.sigmacomputing.com/api/v2/saml2/assert

Field: NameID format
Value: email (“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”)

Field: Attributes
Value:
    “fullName”, or “firstName” and “lastName”
    “userRole”

    The userRole attribute can be set to "admin", "creator", "explorer" or "viewer". If left unset, "viewer" is used by default, and you can set the user's role directly within Sigma. Any role later set in your IdP overrides the Sigma-set role the next time the user logs in with SSO. See Order of Precedence for User Roles below, and the separate article on user roles.

    Note: "Creator" used to be called "Author". Both values are still accepted.

Field: RelayState / Start URL
Value: https://app.sigmacomputing.com/<YOUR-ORG>/finish-login
    Replace <YOUR-ORG> with the organization segment of your Sigma login URL.

Field: Validator (for IdPs that ask for an ACS URL validator; the pattern is anchored so that only the exact ACS URL for your cloud is accepted)
Value:
    GCP: ^https:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$
    AWS: ^https:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$

[Step 2] Configure SAML in Sigma

  1. Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.
  2. Select the Authentication page from the left hand panel.
  3. Click the Edit button under Authentication Method and Options.
  4. Select SAML from the Authentication Method dropdown menu.
  5. Enter your Identity Provider login / Single Sign On URL (some IdPs label this “SAML 2.0 Endpoint (HTTP)”).
    You can get this from your IdP.
  6. Enter your Identity Provider X.509 Certificate.
    You can get this from your IdP. Sigma uses it to verify the signature on your IdP's SAML responses, so update it here whenever your IdP rotates its signing certificate.
  7. Click Save.

Order of Precedence for User Roles

  1. A user role configured in your IdP will always take precedence over a role set in Sigma.
  2. If no user role is declared in your IdP, Sigma will next recognize the user role declared in Sigma.
  3. If no user role has been declared in either your IdP or Sigma, the user role will be defaulted to Viewer.

What is the default userRole for IdP users?

The default userRole is ‘Viewer’. This means that if one of your organization members signs up for Sigma without you specifying their userRole in your IdP, Sigma will recognize them as a “Viewer”.

This can be helpful, for instance, if a non-Sigma user in your organization signs up to view a shared dashboard.

What will happen if a user’s role is declared in my IdP, but I change it in Sigma?

In this scenario, the first rule of precedence will be observed: a user role configured in your IdP will always take precedence over a role set in Sigma.

You can change the role from Sigma; however, the change is not written back to your IdP, and the role displayed in Sigma is reset to the IdP-declared role the next time the user logs in via SSO.
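To make the attribute table and the order of precedence concrete, here is an added example, not Sigma's code and not a description of how Sigma is implemented internally, written as a service-provider-side check in Python. It parses a constructed, unsigned SAML response from a fictional IdP (idp.example.com, jane@example.com), checks that the Destination and Audience match the page's ACS URL validator and Audience URI for the chosen cloud, confirms the NameID is in emailAddress format, picks up fullName or the firstName/lastName pair, and resolves the effective role using the precedence rules above, including the legacy "Author" alias. Rejecting unknown userRole values is this example's own choice; the page does not say how Sigma handles them. Signature verification is deliberately left out: in a real SP that is the step that uses the IdP X.509 certificate from Step 2, and nothing in the assertion can be trusted before it.

```python
import re
import xml.etree.ElementTree as ET

# Values copied from the IdP configuration table on this page.
AUDIENCE = {
    "GCP": "https://api.sigmacomputing.com/api/v2/saml2/2/metadata.xml",
    "AWS": "https://aws-api.sigmacomputing.com/api/v2/saml2/2/metadata.xml",
}
ACS_VALIDATOR = {  # the anchored "Validator" regexes from the table, used verbatim
    "GCP": re.compile(r"^https:\/\/api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$"),
    "AWS": re.compile(r"^https:\/\/aws-api\.sigmacomputing\.com\/api\/v2\/saml2\/assert$"),
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
VALID_ROLES = {"admin", "creator", "explorer", "viewer"}
DEFAULT_ROLE = "viewer"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response from a fictional IdP (idp.example.com).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-10-28T17:29:39Z"
    Destination="https://api.sigmacomputing.com/api/v2/saml2/assert">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-10-28T17:29:39Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://api.sigmacomputing.com/api/v2/saml2/2/metadata.xml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="userRole"><saml:AttributeValue>Author</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same response with userRole left unset by the IdP.
SAMPLE_NO_ROLE = SAMPLE_RESPONSE.replace(
    '<saml:Attribute Name="userRole"><saml:AttributeValue>Author</saml:AttributeValue></saml:Attribute>', "")


def first(attrs, name):
    """First value of a (possibly multi-valued) attribute, or None if absent."""
    values = attrs.get(name) or []
    return values[0] if values else None


def normalize_role(value):
    """Map a raw userRole value to a Sigma role; "Author" is the legacy name for "Creator".
    Unknown values are rejected (this example's choice; the page does not say what Sigma does)."""
    if value is None:
        return None
    role = value.strip().lower()
    role = "creator" if role == "author" else role
    if role not in VALID_ROLES:
        raise ValueError(f"unknown userRole value: {value!r}")
    return role


def effective_role(idp_role, sigma_role):
    """Order of precedence: IdP-declared role, then Sigma-set role, then Viewer."""
    return idp_role or sigma_role or DEFAULT_ROLE


def display_name(attrs):
    """Sigma accepts either fullName or the firstName/lastName pair."""
    full = first(attrs, "fullName")
    if full:
        return full
    return " ".join(p for p in (first(attrs, "firstName"), first(attrs, "lastName")) if p) or None


def parse_response(xml_text):
    """Extract the SP-relevant fields. Signature verification (which Sigma performs with
    the IdP X.509 certificate from Step 2) is out of scope for this example."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {"destination": root.get("Destination"),
            "audiences": [a.text for a in audiences],
            "name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attrs}


def check_response(xml_text, cloud, sigma_role=None):
    """Validate the table's fields for the given cloud ("GCP" or "AWS") and resolve the
    user's role; sigma_role is the role an admin set inside Sigma, if any."""
    p = parse_response(xml_text)
    problems = []
    if not ACS_VALIDATOR[cloud].match(p["destination"] or ""):
        problems.append(f"Destination is not the {cloud} ACS URL")
    if AUDIENCE[cloud] not in p["audiences"]:
        problems.append(f"Audience is not the {cloud} Audience URI")
    if p["name_id_format"] != NAMEID_EMAIL:
        problems.append("NameID format is not emailAddress")
    idp_role = normalize_role(first(p["attributes"], "userRole"))
    return {"ok": not problems, "problems": problems, "email": p["name_id"],
            "display_name": display_name(p["attributes"]),
            "role": effective_role(idp_role, sigma_role)}
```

Running `check_response(SAMPLE_RESPONSE, "GCP", sigma_role="admin")` resolves to "creator": the IdP's "Author" value wins over the admin role set in Sigma, which is exactly the reset behaviour described above. Checking the same response against "AWS" reports both a Destination and an Audience mismatch, which is what you would see if an organization hosted on one cloud were configured with the other cloud's URLs.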

Related Resources

Manage Authentication
Managing Users and Teams with SCIM
How to Configure SAML 2.0 for [Okta and] Sigma on GCP (Okta documentation)
How to Configure SAML 2.0 for [Okta and] Sigma on AWS (Okta documentation)
Configure [Azure and] Sigma Computing for automatic user provisioning (Azure documentation)
Custom Session Timeouts
OAuth with Snowflake