Overview

SKYSITE supports Single Sign-On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IDP) rather than using the internal SKYSITE username and password.

The benefit of this workflow is that companies only need to manage a single user database. Connected applications grant users access based on that one database, so when an employee joins or leaves the company their access to all connected systems is enabled or disabled in one place.

To accomplish this, SKYSITE acts as a Service Provider (SP) and communicates with the Identity Provider (IDP) using the industry-standard SAML 2.0 protocol (Security Assertion Markup Language). The IDP authenticates the user and returns a signed assertion describing them; SKYSITE validates that assertion and grants access based on it.


The basic workflow is as follows:

  • A user navigates to SKYSITE.
  • The user enters their username (email address).
  • SKYSITE detects that the account is set up for SSO and redirects the user to the IDP.
  • The user enters their credentials at the IDP; SKYSITE never sees the password.
  • The IDP validates the user, then redirects the user back to SKYSITE with a signed SAML response carrying the user's information and groups.
  • SKYSITE verifies the response (its signature is checked against the IDP's X.509 certificate uploaded during configuration), logs the user into their account and sets permissions as defined for the user's group.

Configuration

Both SKYSITE and the Identity Provider need to be properly configured for Single Sign-On.


Steps to Configure the Identity Provider (IDP)

To configure the Identity Provider for use with SKYSITE, you will need to enter some information into the IDP and extract some information for SKYSITE.


  1. Note the Sign-In URL provided by the IDP.
  2. Note the Sign-Out URL provided by the IDP.
  3. Download a copy of the IDP's X.509 signing certificate. SKYSITE uses it to verify the signature on SAML responses, so it must be replaced in SKYSITE whenever the IDP rotates its signing key.
  4. Enter the following URL into the IDP field called SAML Post URL (some IDPs label this field the Assertion Consumer Service, ACS, or Reply URL):
    https://app.skysite.com/Account/LoginViaSSO
  5. Configure the IDP to release the following assertion attributes (SKYSITE field: attribute name to send), using these exact attribute names:
    • First name: FirstName
    • Last name: LastName
    • Email: Email
    • Group: group_name
      Note: These attribute names are case sensitive and must be entered exactly; for example, "firstname" or "Group_Name" will not be matched.
      Please send a SAML response to us so that we can verify the attribute mapping. The SAML response must be Base64 encoded. Capture it for a test user, since the response contains that user's attributes and group memberships.
  6. Download the IDP Metadata file and send it to us, along with the SAML response above.


Steps to Configure SKYSITE (Service Provider - SP) by Admin user

You may configure SKYSITE from either module (Projects or Archives); when setting permissions in Archives there are a few additional steps, described under Permissions in SKYSITE Archives below.

The admin user first creates a standard (username and password) SKYSITE account and signs in with it. Once signed in, the admin creates the SSO user groups, enables SSO, and configures the SSO settings. Record this standard account's credentials securely; it is the account used to manage the SSO settings.


Enabling SSO in SKYSITE Archives

  1. Sign in to SKYSITE using the administrator account
  2. Navigate to Settings > Account Settings > Sign in tab
  3. Click on Single sign on (SSO)
    Continue with Step 4 below …


Enabling SSO in SKYSITE Projects

  1. Sign in to SKYSITE using the administrator account
  2. Click on the Profile image > Settings > Settings tab
  3. Select Single sign on (SSO) from the drop-down list for Sign in method
    Continue with Step 4 below…


Enabling SSO in both Projects and Archives

  4. Upload the IDP Metadata file to SKYSITE.
  5. Enter the Domain name (the email domain of the users who will sign in through SSO; SKYSITE uses it to route users with that email domain to the IDP at sign-in).
  6. Verify / select the attribute mappings in SKYSITE (FirstName, LastName, Email and group_name, exactly as configured in the IDP).
  7. Enter the Identity Provider sign-in URL.
  8. Enter the Identity Provider sign-out URL.
  9. Upload a copy of the IDP's X.509 signing certificate (the one downloaded from the IDP; SKYSITE uses it to verify the signature on SAML responses).
  10. Save your settings.
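The following Python script is an added example, not SKYSITE's or any IDP's own tooling. It reads an IDP metadata file and checks that the sign-in URL, sign-out URL and X.509 certificate entered into SKYSITE above actually appear in that metadata, which catches the common mistakes of pasting an SP URL, a non-HTTPS URL, or an old certificate after the IDP has rotated its signing key. The metadata document, entity ID, endpoint URLs and certificate in it are constructed for the example; the certificate body is a placeholder rather than a real X.509 certificate, so only its presence and SHA-256 fingerprint are compared.

```python
"""Cross-check an IDP metadata file against the values entered into SKYSITE.

Added example, not SKYSITE's own code.  All inputs below are constructed:
the entity ID, the endpoint URLs and the certificate body (a placeholder,
not a real X.509 certificate; only presence and fingerprint are compared).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for files from third parties

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_cert(text):
    """Strip PEM armour, whitespace and line breaks; return the bare Base64 body."""
    return "".join(l.strip() for l in text.strip().splitlines() if "-----" not in l)


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, the form most IDP consoles display."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def parse_idp_metadata(xml_text):
    """Return entityID, SSO/SLO endpoints keyed by binding, and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IDP metadata (SP metadata?)")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for el in idp.findall(f"md:{tag}", NS):
            binding = el.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
            info[key][binding] = el.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # absent 'use' means signing and encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                info["signing_certs"].append(normalize_cert(c.text or ""))
    return info


def compare_with_skysite_settings(info, sign_in_url, sign_out_url, cert_pem):
    """Return a list of mismatches between the metadata and the SKYSITE form values."""
    findings = []
    for label, url, endpoints in (("sign-in", sign_in_url, info["sso"]),
                                  ("sign-out", sign_out_url, info["slo"])):
        if not url.startswith("https://"):
            findings.append(f"{label} URL is not https: {url}")
        if url not in endpoints.values():
            findings.append(f"{label} URL {url} is not an endpoint in the metadata: "
                            f"{sorted(set(endpoints.values()))}")
    cert = normalize_cert(cert_pem)
    if cert not in info["signing_certs"]:
        findings.append(f"uploaded certificate (sha256 {fingerprint(cert)[:16]}...) is not a "
                        f"signing certificate in the metadata; the IDP may have rotated keys")
    return findings


# --- constructed sample inputs (not a real IDP) ---------------------------------
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-x509-der").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + PLACEHOLDER_CERT_B64 + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    print("SSO endpoints:", info["sso"])
    for f in compare_with_skysite_settings(info, "https://idp.example.com/sso",
                                           "https://idp.example.com/slo", SAMPLE_CERT_PEM):
        print("mismatch:", f)
```

Run it against the real metadata file with parse_idp_metadata(open(path).read()) and the three values from the SKYSITE form; an empty list means they agree with the metadata. A certificate mismatch on a setup that used to work almost always means the IDP has rotated its signing key and the new certificate needs to be uploaded.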


Setting up Groups

SKYSITE access is enabled through Groups in both SKYSITE Projects and SKYSITE Archives. 

Group names are CASE SENSITIVE and must EXACTLY match the groups used in the Identity Provider (IDP).


To set up Groups in SKYSITE, add them one at a time using the provided field.


Once created, Groups will display in the Contacts listing for both Projects and SKYSITE Archives.
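To check a captured SAML response before sending it for verification of the attribute mapping, and to confirm that the group values it carries exactly match the Groups created here, the Python script below is offered as an added example; it is not SKYSITE's code. It decodes the Base64 SAML response, confirms it is addressed to the SKYSITE SAML Post URL, checks the validity window, and reports attribute names or group names that differ only in case from the ones SKYSITE expects. The issuer https://idp.example.com/metadata, the user alice@example.com, the group names and the sample responses are all constructed; the signature element in them is a placeholder, and the script deliberately does not verify XML signatures (that is done by SKYSITE when it validates the response, using the uploaded certificate).

```python
"""Check a captured SAML 2.0 Response against the SKYSITE attribute and group mapping.
Added example, not SKYSITE's own code.  Structural checks only: the XML signature is NOT
verified here (do that with a SAML library and the IDP's X.509 certificate), so a clean
result does not by itself mean the response can be trusted."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # prefer defusedxml for responses from third parties

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML_POST_URL = "https://app.skysite.com/Account/LoginViaSSO"          # from the IDP steps
REQUIRED_ATTRIBUTES = {"FirstName", "LastName", "Email", "group_name"}  # case sensitive
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def check_response(b64_response, skysite_groups, now=None, post_url=SAML_POST_URL):
    """Return (ok, findings, attributes) for a Base64-encoded SAML Response."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    try:
        root = ET.fromstring(base64.b64decode(b64_response, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, [f"not a Base64-encoded XML document: {exc}"], {}
    if root.get("Destination") != post_url:
        findings.append(f"Destination {root.get('Destination')!r} != SAML Post URL {post_url!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        kind = "encrypted" if root.find("saml:EncryptedAssertion", NS) is not None else "missing"
        return False, findings + [f"Assertion is {kind}; review a plain (decrypted) assertion"], {}
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on Response or Assertion; nothing for SKYSITE to verify")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Conditions element missing (no validity window)")
    else:  # SAML timestamps are UTC with a trailing Z, which fromisoformat() predates 3.11
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < dt.datetime.fromisoformat(nb.replace("Z", "+00:00")):
            findings.append(f"assertion not yet valid (NotBefore={nb})")
        if na and now >= dt.datetime.fromisoformat(na.replace("Z", "+00:00")):
            findings.append(f"assertion expired (NotOnOrAfter={na})")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != post_url:
        findings.append("SubjectConfirmationData Recipient != SAML Post URL")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    for name in sorted(REQUIRED_ATTRIBUTES - set(attrs)):
        near = [n for n in attrs if n.lower() == name.lower()]
        hint = f" (found {near[0]!r}: attribute names are case sensitive)" if near else ""
        findings.append(f"attribute {name!r} missing{hint}")
    groups = attrs.get("group_name", [])
    for g in groups:
        if g not in skysite_groups:
            near = [s for s in skysite_groups if s.lower() == g.lower()]
            hint = f" (SKYSITE has {near[0]!r}: group names are case sensitive)" if near else ""
            findings.append(f"group {g!r} has no matching SKYSITE group{hint}")
    if groups and not any(g in skysite_groups for g in groups):
        findings.append("user would sign in with no group permissions")
    return not findings, findings, attrs


def sample_response(attrs, destination=SAML_POST_URL):
    """Build a constructed SAML Response (placeholder signature) for exercising the checks."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}">'
                       + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
                       + "</saml:Attribute>" for n, vals in attrs.items())
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


NOW = dt.datetime(2024, 5, 1, 12, 1, tzinfo=dt.timezone.utc)  # inside the sample's window
GOOD = sample_response({"FirstName": ["Alice"], "LastName": ["Smith"],
                        "Email": ["alice@example.com"], "group_name": ["Engineering"]})
BAD = sample_response({"firstname": ["Alice"], "LastName": ["Smith"],
                       "Email": ["alice@example.com"], "group_name": ["engineering"]})

if __name__ == "__main__":
    for label, b64 in (("good", GOOD), ("bad", BAD)):
        ok, findings, _ = check_response(b64, {"Engineering", "Finance"}, now=NOW)
        print(label, "OK" if ok else "FAIL", *("\n  - " + f for f in findings))
```

For a real capture, pass the Base64 string from the IDP (or from the browser's SAML tracer) as b64_response and the set of Group names created in SKYSITE as skysite_groups, and leave now unset so the validity window is checked against the current time. The "bad" sample shows the two mistakes this page warns about: an attribute named firstname instead of FirstName, and a group value whose case differs from the SKYSITE group, which would leave the user signed in with no group permissions.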


Permissions in SKYSITE Archives

For SKYSITE Archives, permissions are assigned based on Account Teams. As with Groups above, an Account Team must exist that exactly matches the Groups provided by the Identity Provider. 


Note: when creating groups using the tool above, an Account Team is automatically created in Archives.


You can then add Account Teams to Collections during Collection creation. 


If Collections already exist, you may associate Account Teams with the appropriate Collections using the Account Teams settings menu.

Signing in to SKYSITE through SSO login (by employee user)

Once the admin user has completed the configuration above, employees of the client company sign in to SKYSITE through the SSO login screen.

When an employee user accesses SKYSITE for the first time the following workflow will occur:

  1. Go to the SKYSITE Sign In screen.

  2. Click on the "Sign in with SSO" link.

  3. Provide the email ID and click on the [Next] button. The user is redirected to the IDP's login screen (the screenshot below shows Okta as an example).

  4. Enter the username and password and click on the [Sign in] button.


After authentication, the IDP posts the signed SAML response to the SKYSITE SAML Post URL configured in the IDP. SKYSITE validates the response, creates the user account if it does not already exist, and takes the user to the SKYSITE Home screen.