English (US) Français 日本語
Contact support Sign in
English (US) Français 日本語
  1. Piano Support
  2. Products
  3. Piano Analytics user interface
  4. Access & security management
See all articles

Single-Sign-On (SSO)

Ariane Hervier
  • Updated

Description

Single-Sign-On login is a password-less way to authenticate to Piano Analytics.
The user only has to be logged in to his corporate portal to log in to Piano Analytics.

 

Main principles

Apply your password policy

The only required password is the one on your corporate portal, which can be set to match your IT teams requirements.

Note
Turning a standard user into an SSO user will delete his Piano Analytics password.

Control users' access

Since authentication is based on your corporate portal access, you can cut the access to our solutions and many others, by deleting the user from your Active Directory.

 

Note
Deleting a user from the Active Directory, does not delete it from our solutions, the user will not be able to log in, but his API Keys will work.
If needed, you can still rely on our API to check the use of API Keys.

 

Rely on secured protocols

The SSO feature is based on SAML 2.0 and OpenID Connect processes, making it compatible with most Identity Providers (IdP).

 

SSO feature is per organization

Any user listed in your organization can be switched to SSO.

 

Standard and SSO users can co-exist

On an SSO organization, you can have SSO users and standard users as well to allow users not listed in your Active Directory to log in to your organization.

 

SSO users can't be multi-organization

An SSO user can only be listed in one organization.

 

 

Important
  • Some partnership integration may require some adaptations, please check if your integration is SSO compatible
  • Users on SSO accounts will no longer be able to trigger API calls based on their former passwords, they will have to update them with API Keys making sure the domain is api.atinternet.io.

 

Activation

To activate the SSO feature, please reach out to support teams with this information:

 

Organisation

Please provide us the name of your organisation to be used in:
- The "Company Label" text field to authenticate with SSO from our dedicated login page.
- The Identity Provider configuration(IdP):

SAML 2.0 OpenID Connect

ATI Authorization URL:
https://sso.atinternet-solutions.com/{organisation}/login

ATI Assertion URL:
https://sso.atinternet-solutions.com/{organisation}/assert

ATI Authorization URL:
https://sso.atinternet-solutions.com/{organisation}/login

ATI Redirect URL:
https://sso.atinternet-solutions.com/{organisation}/callback

 

Configuration

SAML 2.0 OpenID Connect

 Please provide us:
- your login URL
- your X.509 certificate

 

We will then, provide you with a XML metadata file to add to your Identity Provider.

Please provide us:
- your client_id (identifier dedicated to the app and used by AT Internet to login)

- your secret_client (secret provided by your Identity Provider and used by Piano Analytics to login)

- the OpenId Connect configuration URL given by your provider under this format:
https://{oauth-provider-hostname}/.well-known/openid-configuration

 

Logout behaviour

Should the user be redirected to our login page or another page when he logs out? If so which one?

 

User switch

Setup

Do you want to convert all your users from standard to SSO, or only certain users.
If you only want to convert certain users, please specify those users.
Please specify an account to test the SSO configuration on before applying it to all your users.

Once you provided these information to our support team, our tech team will be able to turn on SSO.
Then with the test user requested ealier, our tech team will be able to switch him to a SSO account.
After your behaviour validation, we will switch the specified list of users to SSO accounts.

Mode change

You can change the connection mode of a user at any time from your access rights management interface:

By clicking the SSO toggle on a user's details page: 

Screenshot_1.png


By a CSV import on the Users page:

Screenshot_21.png

Note

Mode switching is not available for users who belong to multiple organizations.

User creation

User form

With the SSO feature enabled, user creation form gets a dedicated tickbox

sso-02.png

 

User identification

User page

If a user is listed as SSO on your organization, the SSO section of the user's page in Access Rights will be displayed.

 

Users export

If you want to see the SSO users among your users list, please click on the Download button above the users table (1), and check the export file.

Screenshot_20.png

 

Authentication

Note

Login can be set from your corporate portal or directly from our login page.

 

Login page

From the login page, click on the bottom right link named Single Sign On, and fill in your CompanyLabel before submitting your login request.

sso-03.png

Note

The CompanyLabel is set in your organization configuration, then share it to your users, and they are good to go (depending on their rights).


API Keys

Since SSO users do not have a password, they need to rely on API Keys to authenticate to external API calls.
Find out more on API Keys.

Articles in this section