Integrate Single Sign-On (SSO) Access to Aternity

Configure SSO access to Aternity in the Integration Settings page. Single Sign-On (SSO) lets you bypass Aternity's sign-in screen by authenticating just once with your enterprise's chosen identity provider (IdP). Every time you access Aternity, it automatically redirects you to the IdP and, after authentication, routes you back to your Aternity home page as a signed-in user. The IdP therefore manages the entire authentication process, which can include two-factor authentication, biometrics, or a simple password, so Aternity does not store any passwords in the system.

Access your Aternity homepage using SSO

When setting up SSO access with Aternity, you provide a custom subdomain that is added to Aternity's web address to access the system, like https://sso.aternity.mycompany.com. The subdomain (sso in this example) usually indicates that this is the SSO access point, but you can choose any other name that contains alphanumeric characters only.

To access Aternity with SSO, configure your IdP to accept authentication requests from Aternity. We support one or both of the following access methods:

  • Enter a customized Aternity URL (https://sso.aternity.mycompany.com) to be redirected automatically to the IdP for sign-in and then returned to Aternity as a signed-in user (known as SP-redirect via SP-initiated SSO).

  • Users who are already signed in to the IdP can select Aternity from the IdP portal, which sends them to Aternity as a signed-in user (IdP-initiated SSO, delivered with the SAML HTTP-POST binding).

If you need to re-authenticate while using Aternity, for example after being inactive for too long, the system prompts you to sign in again via the IdP and then returns you to the page you last accessed.

Before you begin

To use SSO with Aternity, you have to use an identity provider (IdP) which:

  • Supports SAML 2.0.

  • Sends the username or user's email address to Aternity as the main identifier of the user.

    Important

    The identifier that the IdP sends must match the Aternity username once the authentication process completes.

If you are using Microsoft's Active Directory Federation Services (AD FS) as your IdP, complete the prerequisites in Configure Single Sign-On (SSO) to use your Active Directory (ADFS) as your Identity Provider.

Procedure

  1. Open a browser and sign in to Aternity.
  2. View Aternity's integration with other enterprise systems by selecting the Gear Icon > Integration Settings.

    Enable SSO by toggling SAML 2.0 Settings for Single Sign On to ON.

    Integrate Aternity with other enterprise systems

    Subdomain: Enter a custom subdomain that is added to Aternity's web address to access the system, like https://sso.aternity.mycompany.com. The subdomain (sso in this example) usually indicates that this is the SSO access point, but you can choose any other name that contains alphanumeric characters only.

    SP Entity ID: Displays the customized URL used to access Aternity via SSO, like https://sso.aternity.mycompany.com.

    SP Consumer URL: Displays the URL to which users are redirected after successful authentication (also known as the ACS, or Assertion Consumer Service, URL).

    Sign AuthnRequest: Controls whether Aternity signs the SAML AuthnRequest it sends to the IdP. If you are using AD FS as your IdP, toggle this field to OFF.

  3. Enter the two SSO URLs, the SP Entity ID and the SP Consumer URL, in your IdP's settings.
    Tip

    If you use Active Directory as your IdP, enter these URLs in AD FS.

  4. Ask your IdP administrator for the IdP's XML metadata and paste it in IdP Metadata.

    The metadata may also contain the certificate of your IdP, which is used to verify the signed SAML responses it sends.

    Tip

    If you use Active Directory as your IdP, download the metadata from this link: https://<ADFS_hostname>/FederationMetadata/2007-06/FederationMetadata.xml. For example, if the server hostname is srv1.emea.mycompany.com, the link would be https://srv1.emea.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml.

    Example of the IdP XML metadata you must provide
  5. Define the privileges of all SSO users by adding each of them to Aternity as a SAML user.
    Tip

    If these users already exist as local users, you can switch them to SAML users.

    Add an SSO user to Aternity
  6. As an SSO user, access Aternity.

    Enter the SSO address, like https://sso.aternity.mycompany.com, where the subdomain usually indicates that this is the SSO access point.

    Access your Aternity homepage using SSO
  7. To send a REST API query from Excel, Power BI or a browser, enter an Aternity username that has the OData Role privilege, together with its password. SSO users generate their own Aternity REST API password by selecting User icon > REST API Password. LDAP users enter the domain name, then a backslash ('\'), then their network username and password, for example domain_name\jsmith.

    Access data using the OData interface by sending a URL and receiving data in XML or JSON formats
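Before pasting the IdP metadata from step 4 into the IdP Metadata field, it is worth checking that it actually carries what Aternity needs: a signing certificate and HTTPS SingleSignOnService endpoints for the bindings used above. The following added example (not Aternity's or AD FS's code) parses a constructed, minimal IdP metadata document with the standard library and reports those items plus any problems; the entityID, endpoints and certificate bytes in the sample are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: entityID, endpoints and certificate bytes are made up.
# A real AD FS FederationMetadata.xml is much larger and carries an XML signature.
FAKE_CERT = base64.b64encode(b"constructed-certificate-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.invalid/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.invalid/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.invalid/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints, signing-cert fingerprints and a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no md:IDPSSODescriptor: this is not IdP metadata"]}
    # Signing certificates: use="signing", or no 'use' attribute (which means both uses).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip line breaks
            certs.append(hashlib.sha256(der).hexdigest())
    if not certs:
        problems.append("no signing certificate: the SP cannot verify SAML responses")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        endpoints[binding] = location
        if not location.startswith("https://"):
            problems.append(f"non-HTTPS SSO endpoint: {location}")
    if HTTP_REDIRECT not in endpoints:
        problems.append("no HTTP-Redirect SingleSignOnService (needed for SP-initiated SSO)")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_cert_sha256": certs, "problems": problems}
```

Compare the reported certificate fingerprint with the one your IdP administrator expects before enabling the integration; an empty problems list only means the document is structurally complete, not that it came from the right IdP.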