Overview

SKYSITE supports Single Sign-On (SSO), which lets users authenticate against an external Identity Provider (IDP) instead of with an internal SKYSITE username and password.

The benefit of this workflow is that a company only needs to manage a single user directory. Connected applications grant access based on that directory, so when an employee joins or leaves the company, enabling or disabling them at the IDP enables or disables their SSO access to every connected system, SKYSITE included.

To accomplish this, SKYSITE acts as a Service Provider (SP) and communicates with the Identity Provider (IDP) using an industry-standard protocol, SAML 2.0 (Security Assertion Markup Language). The IDP, not SKYSITE, checks the user's credentials; SKYSITE receives a signed SAML assertion describing the authenticated user and grants access on the strength of that assertion.


The basic workflow is as follows:

  • A user navigates to SKYSITE
  • The user enters their Username
  • SKYSITE detects that the account is set up for SSO and redirects the user to the IDP's Sign-In URL
  • The user enters their credentials with the IDP
  • The IDP authenticates the user, then sends the browser back to SKYSITE's SAML Post URL with a signed SAML Response carrying the user's attributes (name, email) and group
  • SKYSITE verifies the response against the IDP's X.509 certificate, logs the user into their account, and sets permissions as defined for the SKYSITE Group whose name matches the group in the assertion

Configuration

Both SKYSITE and the Identity Provider need to be properly configured for Single Sign-On.


Steps to Configure the Identity Provider (IDP)

To configure the Identity Provider for use with SKYSITE, you will need to enter some information into the IDP and extract some information for SKYSITE.


  1. Note the Sign-In URL that is provided by the IDP
  2. Note the Sign-Out URL that is provided by the IDP
  3. Download a copy of the IDP's X.509 signing certificate (SKYSITE uses it to verify the signature on each SAML response)
  4. Enter the following URL into the IDP field called SAML Post URL (the Assertion Consumer Service URL, in SAML terms)
    https://app.skysite.com/Account/LoginViaSSO
  5. Provide the assertion attributes (case sensitive) in the IDP
    • Firstname: FirstName
    • Lastname: LastName
    • Email: Email
    • Group: group_name
      Note: These mappings are case sensitive and must be entered exactly; an attribute sent as "email" or "Group_Name" will not be recognized.
      Please send a SAML response to us so that we can verify the attribute mapping.
      The SAML response must be Base64 encoded: send the SAMLResponse value exactly as the browser posts it to the SAML Post URL, not a decoded or pretty-printed copy.
  6. Download the IDP Metadata file and send this to us, along with the SAML response above.
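The workflow above and the attribute mapping in step 5 both come down to what the Service Provider finds inside the posted SAML Response. The following Python script is an added example, not SKYSITE's code: it decodes a Base64 SAMLResponse, checks Destination against the SAML Post URL, the status code, the assertion's validity window and audience, and then looks up the four attribute names by exact case, reporting a near-miss such as "email" where "Email" is required. The sample response, the IDP entity ID and the SP audience value https://app.skysite.com are constructed assumptions. XML signature verification is deliberately left out (it needs an XML-DSig library such as xmlsec plus the IDP certificate from step 3), so this is a mapping and conditions check, not a replacement for the SP's own validation.

```python
"""Decode a Base64 SAML Response and check the parts an SSO login depends on.

Added example for this page, not SKYSITE's code. Signature verification is
out of scope here (use an XML-DSig library with the IdP certificate for that).
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the page: the SAML Post URL and the attribute names SKYSITE expects.
ACS_URL = "https://app.skysite.com/Account/LoginViaSSO"
REQUIRED_ATTRS = ("FirstName", "LastName", "Email", "group_name")

# Assumed SP entity ID (hypothetical; use whatever SKYSITE's metadata states).
SP_ENTITY_ID = "https://app.skysite.com"

# Constructed, unsigned sample response. The "email" attribute is deliberately
# lowercase to show what a case mismatch against the required names looks like.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group_name"><saml:AttributeValue>Project Managers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(b64, now, acs_url=ACS_URL, audience=SP_ENTITY_ID):
    """Return (attributes, problems); problems is empty only when every check passes."""
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {}, ["not a samlp:Response"]
    # Destination must be our SAML Post URL; a response aimed elsewhere is misrouted or replayed.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != {acs_url!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, problems + ["no plaintext Assertion (encrypted assertions are not handled here)"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            problems.append(f"audience {audiences} does not include {audience!r}")
    # Attribute names are compared exactly: "email" is not "Email".
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]
            hint = f" (found {near[0]!r}: case mismatch)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
    return attrs, problems


if __name__ == "__main__":
    found, issues = check_response(SAMPLE_RESPONSE_B64, parse_ts("2024-05-01T12:01:00Z"))
    print(found)
    for issue in issues:
        print("PROBLEM:", issue)
```

To run it against a real capture, paste the SAMLResponse form value in place of SAMPLE_RESPONSE_B64 and pass the current UTC time; an assertion whose NotOnOrAfter has passed will report as expired even when the mapping is correct, so check the timestamps first when an old capture fails.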


Steps to Configure SKYSITE (Service Provider - SP)

You may configure SKYSITE in either module (Projects or Facilities & Archive), though when setting permissions in Facilities & Archive, there are a few additional steps.


Enabling SSO in SKYSITE Facilities & Archive

  1. Sign in to SKYSITE using the administrator account
  2. Navigate to Settings > Account Settings > Sign in tab
  3. Click on Single sign on (SSO)
    Continue with Step 4 below …


Enabling SSO in SKYSITE Projects

  1. Sign in to SKYSITE using the administrator account
  2. Click on the Profile image > Settings > Settings tab
  3. Select Single sign on (SSO) from the drop-down list for Sign in method
    Continue with Step 4 below…


Enabling SSO in both Projects and Facilities & Archive

  1. Upload the IDP Metadata to SKYSITE
  2. Verify / select the attribute mappings in SKYSITE (they must match the case-sensitive names configured in the IDP)
  3. Enter the Identity Provider Sign-In URL
  4. Enter the Identity Provider Sign-Out URL
  5. Upload a copy of the IDP's X.509 signing certificate
  6. Save your settings
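Steps 1, 2 and 3 of the IDP configuration and steps 3 to 5 here ask for values that are all present in the IDP Metadata file. The following Python script is an added example, not SKYSITE's or any IDP's code: it reads the metadata, picks the SingleSignOnService and SingleLogoutService locations (preferring the HTTP-Redirect binding, then HTTP-POST), skips encryption-only keys, and writes each signing certificate out as PEM ready for upload. The metadata document and the certificate bytes in it are constructed placeholders.

```python
"""Extract the Sign-In URL, Sign-Out URL and signing certificate(s) from SAML 2.0
IdP metadata. Added example for this page; not SKYSITE's or any IdP's code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata. Both X509Certificate bodies are short base64
# placeholders, not real certificates; a real file carries full DER certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsjCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANpZHAw
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsjCCAVygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANlbmMw
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def der_to_pem(der):
    """Wrap DER bytes as a PEM certificate block (64-character lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml):
    """Return the values the SKYSITE SSO form asks for, taken from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    def location(service, preferred_bindings):
        # A service may be listed once per binding; take the first preferred one.
        by_binding = {s.get("Binding"): s.get("Location") for s in idp.findall(f"md:{service}", NS)}
        for binding in preferred_bindings:
            if binding in by_binding:
                return by_binding[binding], binding
        return None, None

    sign_in_url, sign_in_binding = location("SingleSignOnService", (HTTP_REDIRECT, HTTP_POST))
    sign_out_url, sign_out_binding = location("SingleLogoutService", (HTTP_REDIRECT, HTTP_POST))

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="encryption" keys are for encrypting to the IdP and cannot verify its
        # signatures; a KeyDescriptor with no "use" attribute serves both purposes.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop embedded whitespace
            certs.append(der_to_pem(der))

    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": sign_in_url,
        "sign_in_binding": sign_in_binding,
        "sign_out_url": sign_out_url,
        "sign_out_binding": sign_out_binding,
        "signing_certs_pem": certs,
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key, value in settings.items():
        print(key, "=", value)
```

If the metadata lists more than one signing KeyDescriptor, the IDP is in the middle of a certificate rollover: upload the certificate currently in use and plan to replace it before it expires. Check the expiry of the extracted PEM with `openssl x509 -in idp.pem -noout -enddate`; an expired IDP certificate makes every SSO login fail at signature verification.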


Setting up Groups

SKYSITE access is enabled through Groups in both SKYSITE Projects and SKYSITE Facilities & Archive. 

Group names are CASE SENSITIVE and must EXACTLY match the groups used in the Identity Provider (IDP).


To setup Groups in SKYSITE, add them one at a time, using the provided field.


Once created, Groups will display in the Contacts listing for both Projects and SKYSITE Facilities & Archive.


Permissions in SKYSITE Facilities & Archive

For SKYSITE Facilities & Archive, permissions are assigned based on Account Teams. As with Groups above, an Account Team must exist that exactly matches the Groups provided by the Identity Provider. 


Note: when creating groups using the tool above, an Account Team is automatically created in Facilities & Archive.


You can then add Account Teams to Collections during Collection creation.


If Collections already exist, you may associate the Account Teams with the appropriate Collections using the Account Teams settings menu.