Single sign-on (SSO)
Single sign-on (SSO) allows users to log in once on their workstation, and gain access to multiple systems without being prompted to log in again. This article provides guidelines and summarizes how to use SSO within the Dundas BI application.
There are multiple ways to accomplish single sign-on, listed below.
2. SSO with Windows logon
To enable Single Sign-On using Windows Authentication, follow the Automatic Windows Log On (SSO) example in the Configuration settings article. Once SSO is enabled, automatic logon will occur for all URLs that do not require explicit authentication. For example, navigating to http://yourinstance/ will take you directly to the home screen, whereas http://yourinstance/LogOn/ will still show the Log On screen.
For more information, see Automatic Windows Log On (SSO).
3. Federated authentication
Federated authentication behaves as Single Sign On (SSO), enabling the user to access multiple services without the need for further authentication. Authentication is possible using SAML 2.0, OpenID Connect (OIDC), Google, Microsoft, and other protocols. Automatic logon with federated authentication can be accomplished by setting the custom logon page configuration setting to the authentication URL:
For more information about single sign-on using federated authentication with automatic logon, see Enabling federated authentication.
4. Custom accounts provider
In cases where local, Windows, or federated authentication are not desired and another form of authentication is being used, a custom accounts provider can be created. A custom accounts provider manages user accounts and authentication. This is done by creating a Dundas BI .NET extension that has a class that extends ExtensionPackageInfo and another class that implements the IAccountsProvider2 interface. This will allow for single sign-on as logging on is controlled by the extension.
For more information, see Create a custom accounts provider.
5. Anonymous logon
This can be used to provide access to some or all Dundas BI content without any users needing to take any action to log on. This is commonly used to facilitate implementation of a public dashboard/reporting site or kiosk. Users are automatically logged onto a specific account specified in the application configuration settings Anonymous User Name and Anonymous Password.
For more information, see How to enable anonymous log on.
6. Embedding SSO
6.1. Embedding with SSO
When using automatic Windows logon (SSO), federated authentication with automatic logon, or anonymous logon, users will be automatically authenticated. If none of these are used and a session ID or logon token are not passed, the logon page will appear to users when Dundas BI is embedded.
For more information about embedding, see Using the Dundas BI embed library.
For a sample web application that uses server-side code to get a logon token and include it when embedding Dundas BI, see the Dundas BI viewer integration sample.
6.2. Logon using server-side call with admin credentials
It is possible to implement single sign-on using the credentials of a privileged account to create a session on behalf of another account. This is done by making a call to POST /LogOn/Token and passing EffectiveAccountName. A logon token will be returned and that will be used when embedding to acquire the session.
For more information and a working example, see POST /LogOn/Token.