
On-Premise Single Sign-On

Overview

This feature is available in Ultimate edition only.


The content in this article applies to On-premise Digital.ai Agility instances only. If you are an On-Demand (V1 Hosted) customer, see On-Demand (V1 Hosted) System Maintenance.

SAML-based Single Sign-On is a security configuration option available to on-premises Digital.ai Agility Ultimate customers. Using SAML, Digital.ai Agility integrates with your SSO environment and defers to your Service Provider and Identity Provider for authentication whenever anyone attempts to access your Digital.ai Agility instance. This eliminates the need for separate credentials managed inside Digital.ai Agility. It also gives you better control over authentication and access, and more flexibility in the password rules you apply to your users.

For additional information about SAML, please refer to the SAML SSO Overview page.

The following diagram illustrates SAML SSO using the Digital.ai Agility web application:

[Diagram: AgilitySSO.png]

  1. The diagram shows the flow for an unauthenticated user, starting when the user tries to access the Digital.ai Agility web application.
  2. Digital.ai Agility requires an external (third-party) Service Provider. On-Premises customers are responsible for this component in addition to the Identity Provider.

The instructions below describe how to enable SAML-based SSO in an on-premises Digital.ai Agility instance. If your organization uses SAML-based SSO and your Digital.ai Agility instance is on-demand (also known as hosted or SaaS) please refer to the On-Demand Single Sign-On page.

Enabling SSO

  1. Install Digital.ai Agility using the default authentication.
  2. Rename the 'admin' username to match the administrator's SSO username.

  3. Add the following to appSettings in user.config (or create a user.config if it doesn't already exist):

    <add key="DelegatedAuthHeader" value="HTTP_USER"/>

    If creating a new user.config file, its contents would be:

    <appSettings>
      <add key="DelegatedAuthHeader" value="HTTP_USER"/>
    </appSettings>
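As an added example (not part of the original article or of the Digital.ai Agility product), the following Python script performs step 3 idempotently: it parses an existing user.config, adds or updates the DelegatedAuthHeader entry under appSettings without disturbing any other entries, and builds the file from scratch when it does not exist. The file path is taken from the command line and defaults to user.config in the current directory; that default is an assumption, not the product's documented location.

```python
"""Ensure user.config carries the DelegatedAuthHeader setting (step 3 above).

Added example; not part of the Digital.ai Agility product.
"""
import sys
import xml.etree.ElementTree as ET

SETTING_KEY = "DelegatedAuthHeader"
DEFAULT_HEADER = "HTTP_USER"  # the header name the article uses


def ensure_delegated_auth_header(xml_text: str, header: str = DEFAULT_HEADER) -> str:
    """Return user.config contents containing exactly one
    <add key="DelegatedAuthHeader" value="..."/> under <appSettings>.

    - empty input            -> a new <appSettings> document is created
    - existing <add> for key -> its value is updated in place
    - other appSettings      -> left untouched
    """
    if xml_text.strip():
        root = ET.fromstring(xml_text)
        if root.tag != "appSettings":
            raise ValueError(f"expected <appSettings> root, got <{root.tag}>")
    else:
        root = ET.Element("appSettings")

    entries = [e for e in root.findall("add") if e.get("key") == SETTING_KEY]
    if len(entries) > 1:
        # Ambiguous configuration: refuse to guess which entry is intended.
        raise ValueError(f"{SETTING_KEY} is defined {len(entries)} times")
    if entries:
        entries[0].set("value", header)
    else:
        ET.SubElement(root, "add", key=SETTING_KEY, value=header)

    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode") + "\n"


def delegated_auth_header(xml_text: str):
    """Return the configured header name, or None if the setting is absent."""
    root = ET.fromstring(xml_text)
    for e in root.findall("add"):
        if e.get("key") == SETTING_KEY:
            return e.get("value")
    return None


if __name__ == "__main__":
    # Assumed default path; pass the real location of user.config as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "user.config"
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""  # a new file will be created
    updated = ensure_delegated_auth_header(current)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(f"{path}: {SETTING_KEY}={delegated_auth_header(updated)}")
```

The script rejects a file that already defines the key twice rather than silently picking one, so a broken configuration is surfaced before Agility is restarted.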

  4. Configure your SSO system to supply the username to Digital.ai Agility through the HTTP_USER header variable.

  5. Configure your SSO system to protect the following Digital.ai Agility endpoints:

    • /default.aspx
    • /downloadfile.aspx
    • /attachment.img
    • /attachment.v1
    • /export.v1
    • /assetdetail.v1
    • /ui.v1
    • /rest-1.v1
    • /roadmapping.v1
    • /*.mvc
    • /oauth.v1/auth
    • /query.legacy.v1

Several customers have chosen to configure their SSO system to secure the entire Digital.ai Agility virtual directory. When choosing this approach, you must disable SSO when installing or upgrading Analytics because that installer relies on two Digital.ai Agility endpoints that are not secure in a non-SSO environment.

Once configured, Digital.ai Agility authenticates users based on the username supplied in the HTTP_USER header variable. An 'Access Denied' message is displayed to users who do not have a matching username defined in Digital.ai Agility.
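The following Python check is an added example, not code from this article or from Digital.ai. It helps confirm step 5 from the defender's side: it sends one GET with no credentials to each listed endpoint and reports any that still answer with a 2xx, which means the Service Provider is not in front of that path. The base URL is a placeholder to replace with your own instance, /example.mvc is a constructed stand-in for the /*.mvc pattern, and the fetch function is injectable so the logic can be exercised with constructed responses.

```python
"""Verify that each Agility endpoint listed in step 5 refuses unauthenticated requests.

Added example; not part of the Digital.ai Agility product.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoints from the SSO setup list. "/*.mvc" is a pattern, so a representative
# path is used here; replace it with a real .mvc route from your deployment.
PROTECTED_PATHS: List[str] = [
    "/default.aspx", "/downloadfile.aspx", "/attachment.img", "/attachment.v1",
    "/export.v1", "/assetdetail.v1", "/ui.v1", "/rest-1.v1", "/roadmapping.v1",
    "/example.mvc",  # constructed placeholder for /*.mvc
    "/oauth.v1/auth", "/query.legacy.v1",
]

# A fetcher returns (status_code, Location header or "") for one anonymous GET.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher: GET without credentials and without following redirects,
    so a bounce to the Identity Provider is reported rather than followed."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn any redirect into an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")


def classify(status: int, location: str) -> str:
    """Map one response to a verdict for the report."""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308) and location:
        return "redirect"  # usually the SP sending the user to the IdP; confirm the target
    if 200 <= status < 300:
        return "EXPOSED"   # content served without any authentication
    return "other"


def audit(base_url: str, fetch: Fetcher = http_fetch,
          paths: List[str] = PROTECTED_PATHS) -> Dict[str, str]:
    """Probe every path once and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p)) for p in paths}


def exposed(report: Dict[str, str]) -> List[str]:
    """Paths that answered 2xx to an anonymous request."""
    return [p for p, verdict in report.items() if verdict == "EXPOSED"]


if __name__ == "__main__":
    # Placeholder host; pass your instance URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://agility.example.internal"
    report = audit(target)
    for path, verdict in report.items():
        print(f"{verdict:10} {path}")
    sys.exit(1 if exposed(report) else 0)
```

A redirect is reported on its own line rather than counted as protected: check that its Location points at your Service Provider or Identity Provider login and not back into the application. If you chose to secure the entire virtual directory instead of the individual endpoints, extend PROTECTED_PATHS with any other routes your users reach and run the same check.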


From V1 Dev Team concerning the SSO config: "Respecting the cache control headers is the right strategy."