
On-Premise Single Sign-On


This feature is available in Ultimate edition only.


The content in this article applies to On-premise Agility instances only. If you are an On-Demand (V1 Hosted) customer, see On-Demand (V1 Hosted) System Maintenance.

SAML-based Single Sign-On is a security configuration option available to on-premises Agility Ultimate customers. Using SAML, Agility integrates with your SSO environment and defers to your Service Provider and Identity Provider for authentication when anyone attempts to access your Agility instance. This eliminates the need for separate credentials managed inside Agility. It also gives you better control over authentication and access, and more flexibility with password rules for your users.

For additional information about SAML, please refer to the SAML SSO Overview page.

The following diagram illustrates SAML SSO using the Agility web application:


  1. This diagram illustrates an unauthenticated user flow that starts with the user trying to access the Agility web application. 
  2. Agility requires an external (third-party) Service Provider. On-Premises customers are responsible for this component in addition to the Identity Provider.

The instructions below describe how to enable SAML-based SSO in an on-premises Agility instance. If your organization uses SAML-based SSO and your Agility instance is on-demand (also known as hosted or SaaS), please refer to the On-Demand Single Sign-On page.

Enabling SSO

  1. Install Agility using the default authentication.
  2. Rename the 'admin' username to match the administrator's SSO username.

  3. Add the following to appSettings in user.config (or create a user.config if it doesn't already exist):

    <add key="DelegatedAuthHeader" value="HTTP_USER"/>

    If creating a new user.config file, its contents would be:

    <add key="DelegatedAuthHeader" value="HTTP_USER"/>


  4. Configure your SSO system to supply the username to Agility through the HTTP_USER header variable.

  5. Configure your SSO system to protect the following Agility endpoints:

    • /default.aspx

    • /downloadfile.aspx

    • /attachment.img

    • /attachment.v1

    • /export.v1

    • /assetdetail.v1

    • /ui.v1

    • /rest-1.v1

    • /roadmapping.v1

    • /*.mvc

    • /oauth.v1/auth

    • /query.legacy.v1

Several customers have chosen to configure their SSO system to secure the entire Agility virtual directory. When choosing this approach, you must disable SSO when installing or upgrading Analytics because that installer relies on two Agility endpoints that are not secure in a non-SSO environment.
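
One way to check an SSO rule set against the endpoint list above is sketched below. This is an added example, not code from Agility or its vendor; it assumes the SSO system's protected paths can be exported as glob-style patterns, and the function names, the `/Agility` virtual directory and the sample rules are hypothetical.

```python
from fnmatch import fnmatchcase

# Endpoints this article says the SSO system must protect.
REQUIRED_ENDPOINTS = [
    "/default.aspx", "/downloadfile.aspx", "/attachment.img",
    "/attachment.v1", "/export.v1", "/assetdetail.v1", "/ui.v1",
    "/rest-1.v1", "/roadmapping.v1", "/*.mvc", "/oauth.v1/auth",
    "/query.legacy.v1",
]

# Stand-in for "*" so a required wildcard such as /*.mvc can be tested
# against a rule; a heuristic, not full pattern-subsumption logic.
PROBE = "zz-probe-zz"


def _covers(rule, path):
    """True if an SSO path rule (glob syntax, an assumption) matches path."""
    # Compared case-insensitively (assumption about the SSO product).
    return fnmatchcase(path.replace("*", PROBE).lower(), rule.lower())


def audit_sso_rules(rules, vdir="/Agility"):
    """Compare SSO path rules with the endpoints listed in the article.

    rules: path patterns exported from the SSO system (hypothetical format).
    vdir:  IIS virtual directory of the instance (hypothetical default).
    """
    name = vdir.strip("/")
    base = "/" + name if name else ""
    rules = [r.strip() for r in rules if r.strip()]
    missing = [ep for ep in REQUIRED_ENDPOINTS
               if not any(_covers(r, base + ep) for r in rules)]
    # A rule matching an arbitrary nested path means the whole virtual
    # directory is protected, so the Analytics installer caveat applies.
    arbitrary = f"{base}/{PROBE}/{PROBE}.{PROBE}"
    whole = any(_covers(r, arbitrary) for r in rules)
    return {"missing": missing, "whole_vdir_protected": whole}


if __name__ == "__main__":
    # Constructed sample rule set: extension wildcards look complete but
    # leave /oauth.v1/auth unprotected because it does not end in ".v1".
    sample = ["/Agility/*.aspx", "/Agility/*.img", "/Agility/*.v1",
              "/Agility/*.mvc"]
    print(audit_sso_rules(sample))
```

An empty `missing` list means every listed endpoint is matched by at least one rule; `whole_vdir_protected` being true is the case in which SSO has to be disabled while installing or upgrading Analytics.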

Once configured, Agility authenticates users based on the username supplied in the HTTP_USER header variable. An 'Access Denied' message displays to users who do not have a matching username defined in Agility.


From V1 Dev Team concerning the SSO config: "Respecting the cache control headers is the right strategy."