This app is available to Basic, Premium, and Enterprise customers to set up SSO with your IDP for Alta Access.

Note: This app provides SSO authentication to Alta Access only.

Requirements

  • Identity Provider

  • SAML SSO app from the App Marketplace

  • Create the attribute statements listed in the app

...

  • Not IDP-specific: customers can use the SAML SSO app with any identity provider that conforms to SAML standards.

  • The SAML SSO app is designed for user auth/SSO (single sign-on) only, and does not support the more sophisticated IDP features found in our available Identity Provider apps.

    • No syncing of user database 

    • No credential management

    • No user group management

  • JIT (just-in-time) user creation:

    • Because there is no syncing to a user database at the IDP, an authorized user may log in to Alta Access without being created in advance.

    • If the IDP authorizes this new user login, they will be created as a new user within Alta Access and assigned to our most restricted default role, Devices Read-Only.

      • An org admin must manually update the user's assigned role(s) to expand their permissions within Alta Access.

Setting up SAML SSO in your Identity Provider

The SAML SSO app requires configuration. You will need to create your attribute statements: email, firstName, lastName, and uniqueId. Then enter the provided Assertion URL and the Audience Restriction / Entity ID in your identity provider’s SAML configuration. Three values from your Identity Provider must then be entered in our SAML SSO app.

...

Assertion URL:
The location where the SAML assertion is sent with an HTTP POST. This is called the SAML Assertion Consumer Service (ACS) URL for your application.
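
A pre-flight check for the configuration described above, as an added example that is not part of the original page or the vendor's own code: it parses a test assertion issued by your IdP and reports missing attribute statements or a mismatched Audience / Recipient. The URLs and the sample assertion are constructed placeholders; the real Assertion URL and Entity ID are the ones shown in the SAML SSO app.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"email", "firstName", "lastName", "uniqueId"}  # listed on this page

# Placeholders (assumptions): copy the real values from the SAML SSO app config page.
EXPECTED_ACS = "https://sp.example.invalid/acs"
EXPECTED_AUDIENCE = "https://sp.example.invalid/entity"

# Constructed sample assertion, not captured from a real IdP; uniqueId is left out on purpose.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://sp.example.invalid/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a.user@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>A</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, acs=EXPECTED_ACS, audience=EXPECTED_AUDIENCE):
    """Return a list of configuration problems; an empty list means the mapping looks right.
    Configuration check only: it does not verify the assertion's signature."""
    root = ET.fromstring(xml_text)
    problems = []
    # Names are compared exactly as this page spells them; empty values count as missing.
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        if any(v and v.strip() for v in values):
            present.add(attr.get("Name"))
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing or empty attribute: {name}")
    found = root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)
    audiences = {a.text.strip() for a in found if a.text}
    if audience not in audiences:
        problems.append("Audience does not match the Entity ID")
    recipients = {d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if acs not in recipients:
        problems.append("Recipient does not match the Assertion URL")
    return problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print(problem)
```

Running this against an assertion from a test login before rollout catches attribute-mapping mistakes that would otherwise surface as failed or incomplete JIT user creation.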

...

  • Existing users put in their email addresses and click the blue Continue button to finish logging in.

  • New users will need to be created in the Identity Provider beforehand (see JIT).

    • After clicking Single sign-on (SSO), new users will enter their email and click Use Avigilon Alta ID.

      • This value must be provided to the user by their admin (it is available within the SAML SSO app config page).

...

  • If the Avigilon Alta ID is valid, they are routed to their org’s IDP for authentication, and if approved, they will be signed in to the org as a new user in the Devices Read-Only role.

  • Most users will only ever need to use Avigilon Alta ID once.

Note: Bookmark https://control.openpath.com/loginSSO or http://control.eu.openpath.com/loginSSO to save yourself a step when logging in.

If a user ever needs to add SSO for additional Orgs using the same email address, they can use Use Avigilon Alta ID to do so.

...