Rather than maintaining separate login details for the Data8 website, you can use a single sign-on (SSO) system. This lets you reuse your existing logins from another system to provide access to the Data8 website. This is of particular benefit when:
- you have a large number of users to maintain
- you have specific security requirements
By using your own SSO system you can enforce requirements such as MFA and ensure that a user's access is revoked when they leave the company.
You can choose to use either Microsoft Azure Active Directory or your own SAML-compatible identity provider for single sign on.
By configuring SSO, you are delegating responsibility for creating new users on your account to your identity provider system. Any user that is authenticated by the identity provider will be able to access your account and the associated data.
If your company already uses Microsoft Azure AD, this is the simplest method for configuring SSO.
On the federated authentication configuration page, click the "Connect" button under Azure Active Directory. You'll be asked for consent to allow the Data8 Website to sign you in.
Tick the "Consent on behalf of your organisation" option so other users will be able to use this sign-in option in future without having to go through this consent step individually, then click Accept.
You will now be set up to use Azure AD authentication, and your existing Data8 login will be automatically linked to your Azure AD account.
AD FS Configuration
If you don't use Azure AD you can use any SAML2-compatible identity provider, but the instructions below are specific to the Microsoft AD FS system.
Your AD FS administrator will first need to add a Relying Party Trust for the Data8 website. In the AD FS Management control panel, select Relying Party Trusts, then click Add Relying Party Trust. Select the "Claims Aware" option and click Start.
In the Federation Metadata Address field, enter the following address: https://www.data-8.co.uk/saml2/discovery
Click Next until you reach the "Choose Access Control Policy" page. At this point you can select who should be able to access the Data8 website. The default is to allow all users, but you may want to restrict this to users in a particular security group.
Click Next to the end of the wizard, then click Finish. You should now see the Claims Issuance Policy window. Click on the Add Rule button and select the "Transform an Incoming Rule" option. Configure the rule as follows:
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent Identifier
Click Finish, then OK to save the changes. The AD FS setup is now complete.
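The same relying party trust can be created and reviewed from PowerShell on the AD FS server, which gives you a repeatable record of the access control policy and claim rule. This is an added example, not part of Data8's instructions; the trust name "Data8 Website" is an assumed display name, and the monitoring and auto-update settings are optional choices.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Assumes the AD FS PowerShell module on Windows Server 2016 or later.
$trustName   = 'Data8 Website'                              # assumed display name
$metadataUrl = 'https://www.data-8.co.uk/saml2/discovery'   # metadata address from this page

# Claim rule matching the settings above:
# incoming UPN -> outgoing Name ID, format Persistent Identifier.
$rules = @'
@RuleName = "UPN to persistent Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Create the trust only if it does not already exist.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName `
        -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true `
        -IssuanceTransformRules $rules `
        -AccessControlPolicyName 'Permit everyone'   # the wizard default
}

# Review what is actually configured.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp | Format-List Name, Enabled, Identifier, AccessControlPolicyName, IssuanceTransformRules

# Every user the identity provider authenticates can reach the Data8 account,
# so flag a trust that is still open to all users.
if ($rp.AccessControlPolicyName -eq 'Permit everyone') {
    Write-Warning "'$trustName' permits every AD FS user; consider a policy limited to a security group."
}

# Confirm the persistent Name ID format is present in the issued claim rule.
if ($rp.IssuanceTransformRules -notmatch 'nameid-format:persistent') {
    Write-Warning "'$trustName' does not issue a persistent Name ID."
}
```

Re-running the review half of the script after any change to the trust shows whether the access policy or Name ID rule has drifted from the intended settings.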
You now need to link your account on the Data8 website to your AD FS. On the federated authentication configuration page, enter the metadata URL for your AD FS server. This will normally be in the format https://sts.your-company.com/federationmetadata/2007-06/federationmetadata.xml. Click Update to save your settings.
Logging in with SSO
Users that already have a login to your account can go to the login page as normal and enter their username. After entering their username they will be redirected to your configured identity provider to log in, then returned to the Data8 website.
New users that do not already have a login to the Data8 website can instead use the login link that is shown in the Federated Authentication section of the security settings page.
The first time a user logs in with SSO they will be shown a page to either associate their SSO login with an existing Data8 website login, or create a new user account. Users that have previously had access to the Data8 website using a username and password can enter this now to link their SSO login to that account and continue accessing the site as normal. New users that do not have an existing Data8 login need to fill in the quick registration form with their name and contact details. They'll be sent an email to confirm their login, and another email will be sent to administrators within the account to notify them that a new user has been added.
Subsequent logins using SSO will bypass this step. The user will be logged in automatically without requiring any further interaction on the Data8 website.