Single sign-on

Overview

In addition to logging in with a user name and a password, it is also possible to log in via Single Sign-On (SSO).

If the property Enable Single Sign-On for a user is enabled, the user can log in via SSO. The property can be found in the lower part of the User settings dialog:

Note: Please be aware that the SSO feature is only intended for authentication purposes. Managing the permissions of SSO users still has to be done within the NG user interface.

Location

Identity providers (IdPs) for SSO users can be created and configured on the Single Sign-On settings tab of the System information page:

Configuring Single Sign-On in NG

Please be aware that clicking the checkmark (see screenshot below) will write your changes to FactFinder-NG configuration immediately:

Adding new record to the table requires following attributes:

  • Provider key - custom unique provider identifier (important: this key is used in the redirect URI)

  • Display name - name displayed on login page

  • Issuer URL - URL of the provider endpoint

  • Client ID - ID as configured at the provider

  • Client secret - Secret as configured at the provider

Configuring NG in your Identity Provider

To complete the SSO setup, you must also configure NG as an application in your identity provider. This typically involves the following steps:

  1. Register a new application in your identity provider's management console

  2. Configure the application type as "Web application" or similar

  3. Set the redirect URI where the identity provider will send the authentication response

  4. Generate client credentials (Client ID and Client Secret) to be used in the NG configuration

Redirect URI Configuration

The redirect URI is a critical component that must be configured correctly in your identity provider. This URI tells the identity provider where to send the user after authentication.

For NG, the redirect URI is the root URL of the UI, appended with the query parameter idp=<providerKey>:

https://{your-ng-domain}/fact-finder-ui/?idp={provider-key}

Where:

  • {your-ng-domain} is the domain where your NG instance is hosted

  • {provider-key} is the exact same value you entered in the Provider key field in the NG configuration

IMPORTANT: The provider key in the redirect URI must exactly match the provider key configured in NG. If these values don't match, the authentication flow will fail.

Identity Provider Requirements

When configuring your identity provider to work with NG, ensure it meets the following requirements:

  • The provider must be able to answer "OIDC Discovery" requests.

  • The provider must be able to answer requests with the scopes openid, profile and offline_access.

  • The OIDC claim which is parsed for the sake of user identification is called preferred_username and must be present in the identity tokens or access tokens returned by the IdP.

  • Other required claims which have to be present in identity/access tokens are: sub, iss, iat, exp

  • Tokens must be signed, and the signature must be verifiable with the corresponding public key which is returned by the JWKS endpoint of the IdP.

Logging in with SSO

The display name of a configured identity provider will be shown on the login page. In our example: to log in via the IdP with the display name Microsoft click on LOG IN VIA MICROSOFT:

Each configured IdP will display a log-in button on the login page.

Logging in with credentials

If you want to log in with a username and a password, click instead "Log in with credentials". This will bring you to this screen:

Troubleshooting SSO Configuration

If you encounter issues with SSO login, check the following:

  1. Verify the redirect URI - Ensure the provider key in the redirect URI exactly matches the provider key in NG

  2. Check client credentials - Verify that the Client ID and Client Secret are correctly entered in NG

  3. Confirm issuer URL - Make sure the Issuer URL is correct and accessible from the NG server

  4. Review identity provider logs - Check your identity provider's logs for authentication errors

  5. Contact the FactFinder support - Some issues might require us to analyze the NG logs. Please reach out to the service desk if the steps above didn't resolve the issue

Limitations

Please be aware that SSO users can neither edit nor create non-SSO users. This is forbidden on purpose. This way it is ensured that users who are no longer employees of the company (and are off-boarded at IdP side) don't keep access to NG and cannot find another way to decouple their accounts from the SSO.

For the same reason, we don't intend to support converting an SSO user back into a non-SSO user.

We recommend keeping at least one non-SSO admin account with credentials for emergency access, just in case an IdP is not available. Choose a username which is not present at IdP side to make sure that this account is never connected to SSO.

The same applies to the account which is required to perform searches in the context of FactFinder integration.

Additionally, we ensure that a user cannot login via multiple identity providers.

PreviousManaging Group PermissionsNextSystem information

Last updated

Was this helpful?