Single Sign-On

With SAML-based single sign-on (SSO), users can access Dcipher Analytics through their preferred identity provider (IdP).

Written by Zafer Çavdar
Updated over a week ago

Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications. The service (identity provider) authenticates the end user for all the applications they have been given rights to and eliminates further prompts when they switch applications during the same session. SAML (Security Assertion Markup Language) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

This guide is intended for Dcipher Analytics Enterprise customers who wish to configure SAML-based SSO for Dcipher Analytics. By integrating Dcipher Analytics with your IdP, you can streamline your team's access and enhance security.

1. How SAML SSO Works

SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. Consider the following:

- Identity Provider (IdP): A system that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as Microsoft Entra ID, Google Workspace, etc.

- Service Provider (SP): An entity that provides services, such as Dcipher Analytics, to the principals.

A typical SAML SSO flow is as follows:

1. The user attempts to access a resource on the SP (Dcipher Analytics).

2. The SP generates a SAML request and redirects the user to the IdP.

3. The IdP authenticates the user and generates a SAML response.

4. The user is redirected back to the SP with the SAML response.

5. The SP verifies the SAML response and grants access to the user.

2. What Happens After Enabling SSO?

When initially setting up SSO, existing users can continue using Dcipher Analytics. However, subsequent logouts, session expirations, or attempts to log in from new devices will require them to sign in via SSO.

After enabling SSO, users will access Dcipher Analytics through your IdP. The authentication process is handled by your IdP, and upon successful authentication, users are automatically redirected to the Dcipher Analytics platform. The traditional password-based login option will be disabled for users in your organization who are on your company domain. Users on domains not linked to your company are not required to log in with SSO and should instead use the standard login method.

User data, such as first and last names, is automatically assigned in Dcipher Analytics by your identity provider upon successful login.

3. Configuring SSO

You can use any SAML 2.0 compliant IdP with Dcipher Analytics. Some of the most common IdPs include Microsoft Entra ID, Google Workspace SSO, Okta, and OneLogin.

The exact steps to configure your IdP will depend on the IdP you use. However, the general process involves:

1. Creating a new SAML application.

2. Setting Dcipher Analytics as the service provider.

3. Configuring the SAML settings (Assertion Consumer Service URL, Entity ID, etc.).

4. Providing the SAML Sign-in URL and X.509 Certificate.

Service Provider Specs

- Protocol: SAML 2.0

- Assertion Consumer Service URL (also known as Allowed Callback URL, Custom ACS URL, Reply URL)

- Entity ID (also known as Identifier, Relying Party Trust Identifier)

- Start URL: Blank. Not needed for SP-initiated authentication flows.

- Default Relay State: Must be left blank.

- Signing requirement: Assertion must be signed. Signing SAML response is optional.

- Single Sign-out / Logout: Not supported.

- Required user attributes in SAML Response:

  - NameID (= user's email address). Also known as SAML_Subject, Primary Key, Logon Name, Application username format, etc. "nameID" or "Email" or "email".

  - First Name

  - Last Name
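
A pre-flight check for a SAML response captured from your IdP's test login, written against the specs above (added example, not Dcipher Analytics code). It checks structure only and does not verify the signature cryptographically; the sample XML, its empty signature elements and the attribute names firstName/lastName are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def preflight(response_xml: str) -> dict:
    """Structural checks on a SAML Response from your own IdP's test login."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no unencrypted saml:Assertion in Response"]}
    problems = []
    # The spec requires a signed Assertion: ds:Signature must be a direct child
    # of saml:Assertion. A signature on the Response alone does not satisfy it.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    # NameID must carry the user's email address (loose shape check only).
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not an email address")
    attrs = [a.get("Name") for a in
             assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return {
        "ok": not problems,
        "problems": problems,
        "response_signed": root.find("ds:Signature", NS) is not None,  # optional per spec
        "name_id": name_id,
        "attributes": attrs,  # compare with the first/last name mapping in your IdP
    }

def sample(sign_response: bool, sign_assertion: bool, name_id: str) -> str:
    """Constructed sample Response; the empty Signature elements are placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        + (sig if sign_response else "")
        + "<saml:Assertion>" + (sig if sign_assertion else "")
        + f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="firstName"/>'
        '<saml:Attribute Name="lastName"/></saml:AttributeStatement>'
        "</saml:Assertion></samlp:Response>"
    )
```

A response that fails with "Assertion is not signed" while response_signed is true usually means the IdP application is set to sign the response only; switch it to sign the assertion (or both).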

4. How to Enable SSO in Your Dcipher Settings

1. Log in to your Dcipher Analytics account with an administrator role.

2. Navigate to My account.

3. Select SSO from the Security section.

4. Click the Enable switch.

5. Enter the SAML Sign-in URL provided by your IdP.

6. Copy and paste the X.509 Certificate from your IdP.

7. Save the configuration and enable SSO.

5. Renewing Your SSO/SAML Certificate

Certificates have an expiration date, and it's essential to update the certificate in your Dcipher Analytics settings before it expires to avoid service disruption. To renew your certificate:

1. Obtain a new X.509 certificate from your IdP.

2. Repeat the steps in Section 4 to upload the new X.509 certificate.

6. Just-in-Time Provisioning for New Users

Just-in-Time (JIT) Provisioning allows for the creation of user accounts in Dcipher Analytics upon successful authentication by the IdP. This means users from your verified domain do not need to be pre-created in Dcipher Analytics; they are automatically added to your organization's team the first time they log in via SSO.

7. Support

If you encounter any issues or have questions during the setup process, our support team is here to help. Please contact dev@dcipheranalytics.com.
