Integrate Single Sign-On (SSO) Access to Aternity

For complete control of access to Aternity, configure SSO access in the Integration Settings page. Single Sign-On (SSO) is the most secure way to access Aternity: it bypasses Aternity's own sign-in screen and delegates authentication to your enterprise's chosen identity provider (IdP), where users authenticate once with passwords, two-factor authentication (2FA), or even biometrics. Every time an SSO user accesses Aternity, the browser is redirected to the IdP, and after authentication it is routed back to the Aternity home page as a signed-in user. SSO uses the SAML 2.0 protocol to delegate the entire authentication process to the IdP, so Aternity never sees the user's IdP credentials.

When setting up SSO access with Aternity, you define a custom subdomain to add to Aternity's web address to access the product.

For example, an SSO user would access Aternity by entering https://sso.aternity.mycompany.com, where the subdomain usually indicates that this is the SSO access point, or another name containing alphanumeric characters only. This reroutes the user to the IdP for authentication, and then back to Aternity with the privileges assigned to that user in Aternity.

Access your Aternity homepage using SSO

To access Aternity with SSO, configure your IdP to accept authentication requests from Aternity. Aternity supports either or both of the following access methods:

  • Enter a customized Aternity URL (https://sso.aternity.mycompany.com) to be redirected automatically to the IdP for sign-in, and then returned to Aternity as a signed-in user. This is SP-initiated SSO: Aternity, as the service provider (SP), sends the SAML authentication request to the IdP using the HTTP-Redirect binding.

  • Users who are already signed in to the IdP can select Aternity from the IdP portal, which sends them to Aternity as a signed-in user. This is IdP-initiated SSO: the IdP delivers the SAML response to Aternity's consumer URL using the HTTP-POST binding.

If you need to re-authenticate while using Aternity, for example because you have been inactive for too long, Aternity prompts you to sign in again via the IdP, and then returns you to the page you accessed last.
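The SP-initiated flow described above, as an added example that is not Aternity's own code: the service provider builds an unsigned SAML 2.0 AuthnRequest (the AD FS setup on this page turns Sign AuthnRequest off), applies the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) and sends the browser to the IdP, which decodes it and checks that the Issuer and consumer URL match what was registered. The SP entity ID is the page's example value; the consumer path /saml/acs and the IdP endpoint https://idp.mycompany.example/saml/sso are assumptions, since the page does not give them.

```python
"""SP-initiated SAML 2.0 sign-in with the HTTP-Redirect binding.

Added example, not Aternity's own code. The SP entity ID comes from the
page; the ACS path and the IdP endpoint are assumed values.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://sso.aternity.mycompany.com"     # from the page
SP_ACS_URL = SP_ENTITY_ID + "/saml/acs"                  # assumed consumer (ACS) path
IDP_SSO_URL = "https://idp.mycompany.example/saml/sso"   # assumed IdP SSO endpoint

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(request_id=None, issue_instant=None):
    """Unsigned AuthnRequest. ProtocolBinding asks the IdP to return its
    Response to the ACS with HTTP-POST, the second leg of the flow."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    RelayState carries the page the user originally asked for, which is how
    the SP can send the user back there after authentication."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 selects a raw DEFLATE stream
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_redirect(url):
    """What the IdP does on arrival: undo the binding and read the request."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def idp_accepts(request, registered_entity_id, registered_acs):
    """The IdP-side check that registering the SP Entity ID and Consumer URL
    makes possible: a request whose Issuer or ACS differs from the registered
    values is rejected, so an assertion can never be POSTed to a URL the
    attacker chose."""
    return (
        request["issuer"] == registered_entity_id
        and request["acs"] == registered_acs
        and request["destination"] == IDP_SSO_URL
    )


if __name__ == "__main__":
    url = encode_redirect(build_authn_request(), relay_state="/dashboards/home")
    print(url)
    print(decode_redirect(url))
```

The same registration check is why Step 3 of the procedure below matters: the IdP can only refuse a mismatched consumer URL if it knows the correct one.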

Before you begin

To use SSO with Aternity, you have to use an identity provider (IdP) which:

  • Supports SAML 2.0.

  • Sends the username or the user's email address to Aternity as the main identifier of the user (the SAML NameID).

    Important

    After authentication completes, this value must match the user's Aternity username.

If you are using Microsoft's Active Directory Federation Services (AD FS) as your IdP, complete the prerequisites in Configure Single Sign-On (SSO) to use your Active Directory (ADFS) as your Identity Provider.

Procedure

  1. Open a browser and sign in to Aternity.
  2. View Aternity's integration with other enterprise systems by selecting the Gear Icon > Integration Settings.

    Enable SSO by toggling the switch to SAML 2.0 Settings for Single Sign On > ON.

    Integrate Aternity with other enterprise systems
    Field Description
    Subdomain

    Enter a custom subdomain to add to Aternity's web address to access the product, like https://sso.aternity.mycompany.com, where the subdomain usually indicates this is the SSO access point, or another name containing alphanumeric characters only.

    SP Entity ID

    Displays the customized URL to access Aternity via SSO, like https://sso.aternity.mycompany.com.

    SP Consumer URL

    Displays the URL where users are redirected after successful authentication (also known as the ACS or Assertion Consumer Service).

    Sign AuthnRequest

    Signs the SAML authentication request that Aternity sends to the IdP. If you are using AD FS as your IdP, toggle this field to OFF.

  3. Configure the two SP values shown there, the SP Entity ID and the SP Consumer URL (ACS), in your IdP's settings for Aternity.
    Tip

    If you use Active Directory as your IdP, enter these URLs in AD FS.

  4. Request the SAML metadata XML from your IdP, and paste it in IdP Metadata.

    It typically also contains the certificate of your IdP, which is used to verify the signed SAML responses the IdP sends to Aternity.

    Tip

    If you use Active Directory as your IdP, download the metadata from https://<ADFS_hostname>/FederationMetadata/2007-06/FederationMetadata.xml. For example, if the server hostname is srv1.emea.mycompany.com, the link would be https://srv1.emea.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml.

    Example of the IdP XML metadata you must provide
  5. Define the Aternity roles of each SSO user by adding them as an SSO user.
    Tip

    If these users already exist as local users, you can switch them to SAML users.

    Add a user to Aternity
  6. You can define a group of SSO users who all share the same Aternity privileges, provided they have a specific property and value defined in the IdP.

    Add an SSO group to Aternity
  7. As an SSO user, access Aternity.

    Enter the SSO address, https://sso.aternity.mycompany.com, where the subdomain usually indicates that this is the SSO access point.

    Access your Aternity homepage using SSO
  8. To send a REST API query from Excel, Power BI or a browser, enter the URL of the REST API together with your Aternity username (which must have the OData REST API role) and its password. You can find these by selecting User icon > REST API Access. Aternity's REST API does not authenticate with your enterprise's identity provider, so SSO users must generate (once) a dedicated REST API password and use it instead of their IdP credentials. LDAP users enter the domain name, then a backslash ('\'), then their network username and password, for example domain_name\jsmith.

    Access data using the OData interface by sending a URL and receiving data in XML or JSON formats
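For Step 4 of the procedure above, an added example (not Aternity's or Microsoft's code) of inspecting IdP metadata before pasting it into IdP Metadata. The metadata string is constructed here to resemble the document AD FS serves at https://<ADFS_hostname>/FederationMetadata/2007-06/FederationMetadata.xml, trimmed to the elements an SP needs, with a placeholder in place of the real X.509 certificate and without the XML signature AD FS adds; the entity ID and /adfs/ls/ endpoint follow the AD FS defaults for the page's example hostname. The checks cover what this page requires: a signing certificate so the responses can be verified, an HTTP-Redirect sign-in endpoint for SP-initiated access from the custom subdomain, https endpoints, and a NameID format that carries a username or email address.

```python
"""Parse and sanity-check SAML IdP metadata before trusting it.

Added example, not Aternity's own code. SAMPLE_METADATA is constructed;
the certificate inside it is a placeholder, not a real X.509 certificate.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# NameID formats that carry a username or email address, as the prerequisites require.
ACCEPTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Constructed stand-in for the certificate bytes; not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not an X.509 certificate").decode("ascii")

# Constructed metadata shaped like AD FS output for srv1.emea.mycompany.com (signature omitted).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://srv1.emea.mycompany.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://srv1.emea.mycompany.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://srv1.emea.mycompany.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the entity ID, SSO endpoints, signing certificates and NameID formats.
    xml.etree does not fetch external entities, but for metadata from an untrusted
    source parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # a missing 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))   # strip PEM-style line breaks
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")},
        "signing_certs": certs,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat") if n.text],
    }


def check_idp_metadata(info):
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: the IdP's SAML responses could not be verified")
    for cert in info["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
    if HTTP_REDIRECT not in info["sso_endpoints"]:
        problems.append("no HTTP-Redirect SingleSignOnService: SP-initiated sign-in from the custom subdomain would fail")
    for binding, location in info["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SingleSignOnService for {binding} is not https: {location}")
    if not ACCEPTED_NAMEID_FORMATS & set(info["nameid_formats"]):
        problems.append("no username/email NameID format advertised; confirm the IdP sends the Aternity username as NameID")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso_endpoints"])
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the real FederationMetadata.xml you downloaded rather than the constructed sample; an empty problem list means the file carries everything Aternity needs from Steps 3 and 4, and the entity ID it prints is the value the IdP will put in the Issuer of its responses.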