The current Openpath Jira and Confluence instances will be migrated to the MSI On-Premise solution from August 9th-11th, the current platform will be set to read-only and all future usage will be in the Avigilon Instance. Please ensure access to MSI Jira & MSI Confluence, both are accessible through OKTA. For additional information and details please refer to the Atlassian migration page

SAML SSO

Owned by Chad Fay
Last updated: Oct 25, 2024
2 min read

This app is available to Basic, Premium, and Enterprise customers to set up SSO with your IDP for Alta Access.

Note: This app provides SSO authentication to Alta Access only.

Requirements

  • Identity Provider

  • SAML SSO app from the App Marketplace

  • Create the attribute statements listed in the app

 

Features

  • Not IDP-specific, customers can use the SAML SSO app with identity providers that conform to SAML standards.

  • The SAML SSO app is designed for user auth/SSO (single-sign-on) only, and does not support more sophisticated IDP features in our available Identity Provider apps.

    • No syncing of user database 

    • No credential management

    • No user group management

  • JIT (just-in-time) user creation:

    • Because there is no syncing to a user database at the IDP, an authorized user may log in to Alta Access without being created in advance.

    • If the IDP authorizes this new user login, they will be created as a new user within Alta Access and assigned to our most restricted default role, Devices Read-Only.

      • An org admin must manually update the users' assigned role(s) to expand their permissions within Alta Access.

Setting up SAML SSO in your Identity Provider

The SAML SSO app requires configuration. You need to create your attribute statements, email, firstName, lastName, and uniqueId. Then enter the provided Assertion URL and the Audience Restriction / Entity ID in your identity provider’s SAML configuration, and three values from your Identity Provider must be entered in our SAML SSO app.

Avigilon Alta ID:
This is the value that an admin provides the user for logging in for the first time in regards to JIT.

Assertion URL:
The location where the SAML assertion is sent with an HTTP POST. This is often called the SAML Assertion Consumer Service (ACS) URL for your application.

Audience Restriction / Entity ID:
This auto-generated value identifies your SAML audience. Add it to your Identity Provider Configuration.

 

SAML Settings
These values can be obtained by signing into your Identity Provider admin dashboard.

  • SAML SSO URL

  • SAML issuer

  • SAML certificate

Click Save

SAML SSO user login flow

  • Existing users put in their email addresses and click the blue Continue button to finish logging in.

  • New users will need to be created in the Identity Provider beforehand (see JIT).

    • After clicking Single sign-on (SSO) new users will enter their email and click Use Avigilon Alta ID.

      • This value must be provided to the user by their admin (it is available within the SAML SSO app config page).

 

 

  • If the Avigilon Alta ID is valid they are routed to their org’s IDP for authentication, and if approved they will be signed in to the org as a new user in the Devices Read-Only role.

  • Most users will only ever need to use Avigilon Alta ID once.

Note: Bookmark https://control.openpath.com/loginSSO or http://control.eu.openpath.com/loginSSO to save yourself a step logging in.

If a user ever needs to add SSO for additional Orgs using the same email address they can Use Avigilon Alta ID to do so.