This app is available to Basic, Premium, and Enterprise customers to set up SSO with your IDP for the Control Center.
Note: This app provides SSO authentication to the Control Center only.
Requirements
Identity Provider
SAML SSO app from the App Marketplace
Features
Not IDP-specific, customers can use the SAML SSO app with identity providers that conform to SAML standards.
The SAML SSO app is designed for user auth/SSO (single-sign-on) only, and does not support more sophisticated IDP features in our available Identity Provider apps.
No syncing of user database
No credential management
No user group management
JIT (just-in-time) user creation:
Because there is no syncing to a user database at the IDP, an authorized user may log in to the Control Center without being created in advance.
If the IDP authorizes this new user login, they will be created as a new user within the Control Center and assigned to our most restricted default role, Devices Read-Only.
An org admin must manually update the users' assigned role(s) to expand their permissions within the Control Center.
Setting up SAML SSO in your Identity Provider
The SAML SSO app requires configuration. You will need to enter the provided Assertion URL and the Audience Restriction / Entity ID in your identity provider’s SAML configuration, and three values from your Identity Provider will need to be entered in our SAML SSO app.
Avigilon Alta ID:
This is the value that an admin provides the user for logging in for the first time in regards to JIT.
Assertion URL:
The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
Audience Restriction / Entity ID:
This auto-generated value identifies your SAML audience. Add it to your Identity Provider Configuration.
SAML Settings
These values can be obtained by signing into your Identity Provider admin dashboard.
SAML SSO URL
SAML issuer
SAML certificate
Click Save
SAML SSO user login flow
Existing users put in their email addresses and click the blue Continue button to finish logging in.
New users will need to be created in the Identity Provider beforehand (see JIT).
After clicking Single sign-on (SSO) new users will enter their email and click Use Avigilon Alta ID.
This value must be provided to the user by their admin (available within the SAML SSO app config page).
If the Avigilon Alta ID is valid they are routed to their org’s IDP for authentication, and if approved they will be signed in to the org as a new user in the Devices Read-Only role.
Most users will only ever need to use Avigilon Alta ID once.
If a user ever needs to add SSO for additional Orgs using the same email address they can Use Avigilon Alta ID to do so.
Add Comment