Sisense SSO Azure

Comments

5 comments

  • Gregory Short

    Any documentation update on this?  Having some step-by-step instructions would be great to get this working with our Azure AD.

    0
  • Jim Thomas (Edited)

    We finally got it working so here is what our documentation is:

    Prerequisites:

    • cert for the url
    • url with bindings to https (we use 443)

    Azure ADFS New App Registration

    Provide to networking team:
    Identifier: https://<sisense domain>.[com | org]/
    Reply URL: https://<sisense domain>.[com | org]/api/v1/authentication/login_saml_callback

    We need to use the ADFS handler for sisense: https://support.sisense.com/hc/en-us/articles/360000533993-Setting-Up-SSO-SAML-2-0-With-ADFS
    Specific download link: https://support.sisense.com/hc/article_attachments/360000573653/ADFSHandler_up_6.7.zip

    Copy files to machine, specific location: C:\Program Files\Sisense\PrismWeb\ in new folder ADFSHandler


    We now need to edit ADFSProxy.ashx (open Notepad as admin):


    1. change the DestinationADFSUrl to the url provided by Azure ADFS


    Azure ADFS calls it
    SAML Single Sign-On Service URL: https://login.microsoftonline.com/<domain guid blah>/saml2

    2. We had this issue where it appeared that Azure ADFS was sending a saml 1.1 so towards the bottom you will need to change the comparison to "exact". If exact also fails change back to default:

    xw.WriteStartElement("samlp", "RequestedAuthnContext", SAML_NS_PROTOCOL);
    xw.WriteAttributeString("Comparison", "exact"); //exact for ADFS we need to replace it to the minimum, so ADFS will be able to login user via different flow (windows,kerberos etc)

    3. you will need to install the cert provided from Azure ADFS on the machine
    4. In Sisense your login should look like this:


    Hope this helps!

    1
  • Unite Admin

    If anyone comes across this for Azure AD SSO, you can get it working by doing the following:

    1. Set your identifier in the Enterprise Application's SSO configuration to 'Sisense'
    2. Open C:\Program Files\Sisense\PrismWeb\vnext\src\common\middlewares\samlAuthentication.middleware.js
    3. Change this line:

    identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress'

    to

    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

    Then, do an iisreset and restart the Sisense.Prism service.

    I have a case opened and I hope to get this resolved in a future release.  I am currently running 7.1.3 and tested the above today with success.  However, it's a use at your own risk modification and I just needed it for a proof of concept.

    1
  • Jared Russell

    @Unite Admin - were you ever able to get it fully set up? Was it resolved in a future release? Thanks!

    0
  • Brittany Hainsworth

    For anyone having this issue in 7.4, I was able to fix it by editing the same file that @unite admin changed but the location has changed, and the identifier format I used is different.

    C:\Program Files\Sisense\app\gateway-service\src\middlewares\samlAuthentication.middleware

    for the identifier format, use 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

    0
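
Added example (not part of any comment above and not Sisense code): a Node.js check over a decoded SAML AuthnRequest that reports the two settings the thread edits, the NameIDPolicy Format and the RequestedAuthnContext Comparison, and flags values that SAML 2.0 Core does not define. It assumes the middleware's identifierFormat is sent as the request's NameIDPolicy Format; the function names and the sample request are constructed for illustration.

```javascript
// Added example, not Sisense code. Assumption: identifierFormat from the
// middleware is emitted as NameIDPolicy Format in the AuthnRequest.

// NameID format URIs defined in SAML 2.0 Core, section 8.3.
const DEFINED_NAMEID_FORMATS = new Set([
  'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
  'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
  'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
  'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
  'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
]);
// Comparison values the SAML 2.0 protocol schema allows.
const COMPARISONS = new Set(['exact', 'minimum', 'maximum', 'better']);

// Value of `attr` on the first element with local name `element`, or null.
function attrOf(xml, element, attr) {
  const tag = xml.match(new RegExp(`<(?:[\\w.-]+:)?${element}\\b([^>]*)>`));
  if (!tag) return null;
  const a = tag[1].match(new RegExp(`\\b${attr}\\s*=\\s*(["'])(.*?)\\1`));
  return a ? a[2] : null;
}

function auditAuthnRequest(xml) {
  const findings = [];
  const format = attrOf(xml, 'NameIDPolicy', 'Format');
  if (format !== null && !DEFINED_NAMEID_FORMATS.has(format)) {
    findings.push(`NameIDPolicy Format is not a SAML 2.0 Core URI: ${format}`);
  }
  const comparison = attrOf(xml, 'RequestedAuthnContext', 'Comparison');
  if (comparison !== null && !COMPARISONS.has(comparison)) {
    findings.push(`Comparison has an invalid value: ${comparison}`);
  }
  return { format, comparison, findings };
}

// Constructed AuthnRequest fragment; the Format values passed in below are
// the identifierFormat strings quoted in the thread.
const buildRequest = (format) =>
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">' +
  `<samlp:NameIDPolicy Format="${format}" AllowCreate="true"/>` +
  '<samlp:RequestedAuthnContext Comparison="exact"/></samlp:AuthnRequest>';

console.log(auditAuthnRequest(buildRequest('urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress')));
console.log(auditAuthnRequest(buildRequest('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')));
```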