
Single Sign-On (SSO)

The Satori management console supports SAML-based single sign-on. By using SSO, you can benefit from single user management, a smooth authentication process and simpler user tracking.

Satori SSO supports the IdP-initiated (Identity Provider initiated) flow and the SAML 2.0 protocol only. Satori works with different IdP vendors; see the configuration instructions below.

The SSO configuration process requires the following:

  1. Enabling SSO in the Satori management console
  2. Creating a Satori SAML-2.0 application in your identity provider (IdP)
  3. Copying the SAML metadata from your IdP to Satori
  4. Assigning users to the Satori app in your IdP

Configuration

To use SSO for your account, go to Settings, Account Settings and enable the feature. This requires Account Admin permissions. The SAML configuration has two sections:

  1. Satori URL - provided by Satori and should be copied to your IdP's configuration.
  2. SAML Metadata XML - provided by your IdP and will be used by Satori.

In your IdP, create a new SAML-2.0 application and configure the following fields:

  • Application URL - copy the Satori URL field from the SSO settings in the management console.
  • NameID - set to the user's email address.
  • firstName and lastName attributes - contain the user's first and last names respectively.

Sessions initiated by your IdP time out after 12 hours by default. You can change the session timeout in the SSO settings in the Satori management console.
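Before pasting the IdP metadata into Satori, it is worth confirming that the assertions your IdP actually emits carry what the fields above require: a NameID in emailAddress format, firstName and lastName attributes, and the Satori URL as Destination, Recipient and Audience. The checker below is an added example and not Satori's code or part of its documentation; it parses a SAML Response (such as one captured from your own browser with a SAML tracer extension) and lists every mismatch. The Satori URL and the embedded sample response are constructed placeholders, not real values.

```python
"""Structural pre-flight check of a SAML 2.0 Response against Satori's SSO requirements.

Added example, not Satori's code. It checks the shape of the response only and does
NOT verify the XML signature; Satori verifies signatures with the certificate from the
IdP metadata you paste into the console.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumption: stands in for the value shown in the console's "Satori URL" field.
SATORI_URL = "https://app.example-satori.invalid/saml/acs"

# Constructed sample of an IdP-initiated response (signature omitted), not a real capture.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SATORI_URL}">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SATORI_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SATORI_URL}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, satori_url: str) -> list:
    """Return a list of problems; an empty list means the response matches Satori's requirements."""
    problems = []
    root = ET.fromstring(xml_text)
    # The response must be addressed to the Satori URL (Okta: Destination URL; Azure AD: Reply URL).
    if root.get("Destination") != satori_url:
        problems.append(f"Destination is {root.get('Destination')!r}, expected the Satori URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no <saml:Assertion> in the response"]
    # NameID must be the user's email address, in the emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append(f"NameID value {name_id.text!r} is not an email address")
    # Recipient and Audience must both equal the Satori URL (Okta: Recipient URL and Audience URI).
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != satori_url:
        problems.append("SubjectConfirmationData Recipient does not equal the Satori URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if satori_url not in audiences:
        problems.append(f"Audience {audiences!r} does not include the Satori URL")
    # firstName and lastName must be present and non-empty.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("firstName", "lastName"):
        if not attrs.get(required) or not attrs[required][0]:
            problems.append(f"attribute {required!r} is missing or empty")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, SATORI_URL) or ["OK: response matches the Satori requirements"]:
        print(line)
```

Run it against a response you captured from your own login; a non-empty list points at the IdP field to fix. Because it relies on the standard-library XML parser and performs no signature validation, use it only on assertions from your own test sessions, never as a gate for untrusted input.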

User Management

When you enable SSO on your account, existing users can still log in with their password, so that nobody is locked out of the account. After a user's first login through SSO, you can disable password access for that user from the Settings / User Management page.

Satori automatically creates a user, with a default role, for anyone who logs in via SSO for the first time. Account admins can change this role in the User Management page. Password authentication is disabled for users who are created through an SSO login.

Identity provider configuration

Satori supports any SAML-2.0 identity provider. Below are instructions for a few specific ones.

Okta

  1. Create a new Okta application from the Admin Dashboard, following Okta's instructions, with:
    • Platform: Web
    • Sign on method: SAML 2.0
  2. Check the Use this for Recipient URL and Destination URL checkbox.
  3. Copy the Satori URL field and paste it to the following:
    • Single sign on URL
    • Audience URI (SP Entity ID)
  4. Configure the following fields:
    • Name ID format: EmailAddress
    • Application username: Email
  5. Define Attribute Statements with
    • firstName: user.firstName
    • lastName: user.lastName
  6. Once the application is created, copy the IdP metadata XML from its Sign On tab into the Satori SSO settings.
  7. Assign Users or Groups and activate the application.

Azure Active Directory

  1. Go to the Enterprise Applications page and create a new application.
  2. In the Azure AD Gallery page, select Create Your Own Application.
  3. Provide a name for your application, for example: Satori and select the Integrate any other application you don't find in the gallery (Non-gallery) option. Click Create.
  4. Navigate to the Single Sign On page and select Edit in Basic SAML Configuration.
  5. Copy the Satori URL field and paste it to the following:
    • Identifier (Entity ID)
    • Reply URL (Assertion Consumer Service URL)
  6. Select Edit in User Attributes & Claims and add the following claims:
    • firstName: user.givenname
    • lastName: user.surname
  7. Download the Federation Metadata XML from SAML Signing Certificate and copy its contents to the Satori SSO settings page.
  8. Assign Users or Groups and activate the application.