With geopolitical tensions and ransomware attacks on the rise, good security is mandatory for any production facility. This is why we have made our Single Sign-On feature part of all AlisQI license plans. This means SSO is available free of charge for all customers. In this article we talk about the advantages of SSO, provide an overview of SSO integration and the steps required to enable this feature in AlisQI.
SSO – a quick introduction
Single Sign-On (SSO) is a feature that lets applications delegate user authentication to an external trusted system. This process is also known as ‘federation’. More specifically, this allows our customers to manage user accounts in a central user directory (e.g. Microsoft Active Directory) instead of requiring users to create new, independent accounts in AlisQI.
Single Sign-On has multiple advantages:
- Since AlisQI does not need to store passwords, there is no risk of these leaking
- Users need not remember an additional password (or reuse a password)
- Users only need to log in once (to the centralized system) and can access different applications without re-entering a password, which saves them time
- IT departments only need to modify one central account to revoke access
SSO integration overview
Integration – To integrate AlisQI with the central user directory, AlisQI supports SAML 2.0, a standardized protocol. In SAML, the user directory takes the role of Identity Provider (IdP) and is responsible for managing user accounts; AlisQI takes the role of Service Provider (SP). To establish trust between the IdP and the SP, SAML 2.0 metadata needs to be exchanged and configured on both ends. Customers who currently use SSO in AlisQI have set up AlisQI as an SP in Microsoft ADFS within minutes this way.
User flow – When a user wishes to use AlisQI (the SP), they are redirected to the user directory (IdP). If the user is already logged in there, they are immediately forwarded back to AlisQI and will hardly notice the redirect: the login is seamless and takes only one click. If the user was not yet logged in to the IdP, they are greeted with the familiar login page of the user directory. After they enter their credentials, they are redirected to AlisQI, where they are logged in.
User management in AlisQI – User accounts have to be created within AlisQI by an administrator before they can be used. The IdP will provide the user’s email address, which will be used by AlisQI to find the proper account. Therefore, it’s essential that the addresses stored in AlisQI are identical to those in the IdP. If a user is redirected from the IdP with an address that is not known in AlisQI, they will be shown a screen that tells them no account could be found and a list of users with administrator privileges who can set up an AlisQI account for them. Accounts cannot be automatically created because AlisQI doesn’t know which user group to use for new accounts. The AlisQI import functionality can be used to mass upload account details from Excel.
SSO part of the AlisQI license plans
Keeping your production data safe is a key concern for many manufacturers. To help our customers protect themselves, and in the spirit of the holiday season, we have made the Single Sign-On (SSO) feature a part of all AlisQI license plans. This means SSO is available free of charge for all customers. We recommend that customers review their security configuration and consider enabling SSO on their accounts.
3 steps required to enable SSO in AlisQI
Three steps need to be taken to enable SSO. Fortunately, they can largely be done in parallel.
- The AlisQI administrator(s) make sure that every existing AlisQI account has an email address that exactly matches the one in the user directory.
- The IdP administrator sends us their SAML 2.0 IdP metadata, which we configure in our SP.
- We send AlisQI’s SAML 2.0 SP metadata, which the IdP administrator configures. The trust on the IdP’s end must be configured to send the user’s email address as a claim type called ‘NameID’.
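To make the NameID requirement and the exact-email matching concrete, the following is an added example (it is not AlisQI’s code and says nothing about how AlisQI is implemented) of what a SAML 2.0 Service Provider does with the Response the IdP posts back: check the status and audience, read the email address out of the NameID claim, and look it up in the SP’s own account table. The XML, the entity IDs (`example.invalid`) and the account table are constructed samples. The lookup is deliberately case-sensitive, mirroring the rule above that addresses must be identical, so an address that differs only in capitalisation ends up on the “no account could be found” path rather than silently matching. Signature verification is left out of the example and flagged in the comments; a real SP must verify the assertion signature against the IdP certificate from the exchanged metadata before trusting any claim.

```python
"""Added example (not AlisQI code): the Service Provider side of the SAML 2.0
login described above. All XML, entity IDs and account data are constructed
samples.

Deliberately omitted: XML signature verification. A real SP must verify the
assertion's signature against the IdP certificate from the exchanged metadata
(and enforce the NotBefore/NotOnOrAfter window) BEFORE reading anything from
it; otherwise a well-formed but forged NameID would log in as any user.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.invalid/saml"   # constructed SP entity ID
IDP_ISSUER = "https://idp.example.invalid/adfs/services/trust"  # constructed

# Constructed SP account table, keyed by the email address an admin entered.
# Accounts must exist here before SSO can log anyone in.
SP_ACCOUNTS = {
    "jane.doe@example.invalid": {"id": 17, "group": "Lab"},
    "Mark.Smith@example.invalid": {"id": 23, "group": "Production"},
}


def sample_response(name_id, audience=SP_ENTITY_ID, status=SUCCESS):
    """Build a constructed (unsigned) SAML Response carrying one NameID claim."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_name_id(response_xml):
    """Return the NameID text once the basic protocol checks pass.

    Raises ValueError on a failed status, a wrong audience or a missing
    NameID, so the caller never works with a half-validated identity.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.attrib.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    node = assertion.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID claim")
    return node.text.strip()


def resolve_account(response_xml, accounts=SP_ACCOUNTS):
    """Map the NameID email to an SP account; exact match only, as the text requires."""
    email = extract_name_id(response_xml)
    account = accounts.get(email)          # case-sensitive on purpose
    if account is None:
        # This is where the "no account could be found" screen would be shown.
        return {"status": "no-account", "email": email}
    return {"status": "ok", "email": email, "account": account}


if __name__ == "__main__":
    for who in ("jane.doe@example.invalid", "mark.smith@example.invalid"):
        print(who, "->", resolve_account(sample_response(who)))
```

Running the block shows the two outcomes side by side: `jane.doe@example.invalid` resolves to account 17, while `mark.smith@example.invalid` lands on the no-account path because the administrator entered `Mark.Smith@example.invalid`, which is exactly the mismatch the first step above tells administrators to eliminate before enabling SSO.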