Sisense SSO Azure
I am having trouble with Sisense and Azure SSO. I am setting up a SAML 2.0 configuration and have the remote URL login/logout and public X.509 cert filled out. When I turn SSO on I get this error immediately when trying to log in:
Sign in to your account
Based on this article I found an error in C:\Program Files\Sisense\PrismWeb\vnext\iisnod\index.html
3.36 [2018/04/10 14:08:48.750] [6468],[ERROR] [activities-dal]: [Cannot load thrift tls certificate by path: C:\Program Files\Sisense\PrismWeb\vnext\src\features\live-connectors\v1\tls\certificate.pfx]
(node:6468) Warning: Possible EventEmitter memory leak detected. 11 uncaughtException listeners added. Use emitter.setMaxListeners() to increase limit
5.599 [2018/04/10 14:08:50.989] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
5.655 [2018/04/10 14:08:51.044] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
5.733 [2018/04/10 14:08:51.123] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - groups, error - SyntaxError: Invalid or unexpected token]
5.82 [2018/04/10 14:08:51.210] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
(node:6468) Warning: Possible EventEmitter memory leak detected. 11 logged listeners added. Use emitter.setMaxListeners() to increase limit
(node:6468) Warning: Possible EventEmitter memory leak detected. 11 error listeners added. Use emitter.setMaxListeners() to increase limit
6.833 [2018/04/10 14:08:52.223] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
6.875 [2018/04/10 14:08:52.265] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
6.928 [2018/04/10 14:08:52.318] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - groups, error - SyntaxError: Invalid or unexpected token]
6.989 [2018/04/10 14:08:52.379] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
7.78 [2018/04/10 14:08:53.170] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
7.818 [2018/04/10 14:08:53.208] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
7.862 [2018/04/10 14:08:53.251] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - groups, error - SyntaxError: Invalid or unexpected token]
7.912 [2018/04/10 14:08:53.301] [6468],[ERROR] [logstash-activity-reporter]: [unable to parse file - narration, error - SyntaxError: Invalid or unexpected token]
I believe that Azure ADFS needs the Identifier and Reply URL of Sisense, but I cannot find that in the documentation. Other applications have provided these URLs.
-
We finally got it working so here is what our documentation is:
Prerequisites:
- cert for the url
- url with bindings to https (we use 443)
Azure ADFS New App Registration
Provide to networking team:
Identifier: https://<sisense domain>.[com | org]/
Reply URL: https://<sisense domain>.[com | org]/api/v1/authentication/login_saml_callback
We need to use the ADFS handler for Sisense: https://support.sisense.com/hc/en-us/articles/360000533993-Setting-Up-SSO-SAML-2-0-With-ADFS
Specific download link: https://support.sisense.com/hc/article_attachments/360000573653/ADFSHandler_up_6.7.zip
Copy files to the machine, specific location: C:\Program Files\Sisense\PrismWeb\ in a new folder ADFSHandler
We now need to edit ADFSProxy.ashx (open Notepad as admin):
1. Change the DestinationADFSUrl to the URL provided by Azure ADFS. Azure ADFS calls it
SAML Single Sign-On Service URL: https://login.microsoftonline.com/<domain guid blah>/saml2
2. We had this issue where it appeared that Azure ADFS was sending SAML 1.1, so towards the bottom you will need to change the comparison to "exact". If exact also fails, change back to default:
xw.WriteStartElement("samlp", "RequestedAuthnContext", SAML_NS_PROTOCOL);
xw.WriteAttributeString("Comparison", "exact"); //exact for ADFS we need to replace it to the minimum, so ADFS will be able to login user via different flow (windows,kerberos etc)
3. You will need to install the cert provided from Azure ADFS on the machine.
4. In Sisense your login should look like this:
Hope this helps!
-
If anyone comes across this for Azure AD SSO, you can get it working by doing the following:
- Set your identifier in the Enterprise Application's SSO configuration to 'Sisense'
- Open C:\Program Files\Sisense\PrismWeb\vnext\src\common\middlewares\samlAuthentication.middleware.js
- Change this line:
identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress'
to
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
Then, do an iisreset and restart the Sisense.Prism service.
I have a case opened and I hope to get this resolved in a future release. I am currently running 7.1.3 and tested the above today with success. However, it's a use at your own risk modification and I just needed it for a proof of concept.
-
For anyone having this issue in 7.4, I was able to fix it by editing the same file that @unite admin changed but the location has changed, and the identifier format I used is different.
C:\Program Files\Sisense\app\gateway-service\src\middlewares\samlAuthentication.middleware
for the identifier format, use 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
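The posts above converge on one class of problem: what Azure sends in the SAML Response (the subject NameID Format, the Audience that must match the Identifier, and the Destination that must match the Reply URL) does not line up with what the Sisense side is configured to expect. The following is an added example, not Sisense's or Microsoft's code, that pulls those three values out of a SAML Response and reports which ones disagree with the configured identifierFormat, Identifier and Reply URL, so a mismatch can be confirmed from a captured response before editing samlAuthentication.middleware.js. The sample response, the hostname sisense.example.com, the assumed Identifier value 'Sisense' from the third post, and the function names are constructed assumptions.

```python
"""Diagnose SAML NameID-format / Audience / Destination mismatches.

Added example, not Sisense code. SAMPLE_RESPONSE is a constructed,
unsigned SAML Response; sisense.example.com is an assumed hostname.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Formats named in the thread: the Sisense default and the two workarounds.
SISENSE_DEFAULT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
WORKAROUND_FORMATS = (
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",   # 7.1.3 post
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",  # 7.4 post
)

# Assumed SP-side settings (Identifier and Reply URL pattern from the second post).
SISENSE_IDENTIFIER = "Sisense"
SISENSE_REPLY_URL = "https://sisense.example.com/api/v1/authentication/login_saml_callback"

# Constructed sample: what an Azure AD IdP might send after the workaround.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0"
                Destination="https://sisense.example.com/api/v1/authentication/login_saml_callback">
  <saml:Assertion ID="_constructed-2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>Sisense</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _text(elem):
    """Stripped text of an element, or None if the element is absent/empty."""
    return elem.text.strip() if elem is not None and elem.text else None


def inspect_saml_response(xml_text):
    """Extract NameID format/value, Audience and Destination from a SAML Response."""
    # Note: for responses from untrusted sources use defusedxml instead of ET.
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    return {
        "destination": root.get("Destination"),
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": _text(name_id),
        "audience": _text(audience),
    }


def find_mismatches(info, configured_format, configured_identifier, reply_url):
    """Compare what the IdP sent with what the SP is configured to accept."""
    problems = []
    if info["nameid_format"] != configured_format:
        problems.append(
            f"NameID Format {info['nameid_format']!r} does not match "
            f"configured identifierFormat {configured_format!r}"
        )
    if info["audience"] != configured_identifier:
        problems.append(
            f"Audience {info['audience']!r} does not match Identifier {configured_identifier!r}"
        )
    if info["destination"] != reply_url:
        problems.append(
            f"Destination {info['destination']!r} does not match Reply URL {reply_url!r}"
        )
    return problems


if __name__ == "__main__":
    info = inspect_saml_response(SAMPLE_RESPONSE)
    print("IdP sent:", info)
    for fmt in (SISENSE_DEFAULT_FORMAT,) + WORKAROUND_FORMATS:
        issues = find_mismatches(info, fmt, SISENSE_IDENTIFIER, SISENSE_REPLY_URL)
        print(f"\nconfigured identifierFormat = {fmt}")
        print("  OK" if not issues else "\n".join("  - " + p for p in issues))
```

Run against a real response (base64-decoded from the SAMLResponse form field), the report for the default 2.0 emailAddress format shows the single NameID mismatch the third post works around, while the 1.1 unspecified format reports no issues; an Audience or Destination line in the output points instead at the Identifier or Reply URL values from the second post.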