Single Sign On
Rather than maintaining separate login details for the Data8 website, you can use a single sign on (SSO) system. This allows you to reuse your users' existing logins from another system to provide access to the Data8 website. This is of particular benefit when:
- you have a large number of users to maintain
- you have specific security requirements
By using your own SSO system you can enforce requirements such as MFA and ensure that a user's access is revoked when they leave the company.
By configuring SSO, you are delegating responsibility for creating new users on your account to your identity provider system. Any user that is authenticated by the identity provider, and that the identity provider allows to use the application, will be able to access your account and the associated data, so the assignment of users and groups in your identity provider becomes the access control for your Data8 account.
You can use any SAML-compatible SSO system. Instructions for configuring Azure Active Directory and AD FS are included below.
Azure Active Directory Configuration
An Azure AD administrator will first need to create and configure an Enterprise Application. This can be done in the Azure Portal.
In the list of Enterprise Applications, click "New application", then choose "Create your own application". Enter a name for the application such as "Data8 Website" and select the "Integrate any other application you don't find in the gallery" option, then click Create.
Select "Users and groups" from the left hand menu and add the users you want to be able to access the Data8 website. You may also want to add a new group and use the self-service options to allow users to request access themselves.
Select "Single sign-on" from the left hand menu, then choose "SAML".
Download our SAML metadata from https://www.data-8.co.uk/saml2/discovery, then click "Upload metadata file" and select the file you've just downloaded. Click Add and the updated SAML options will be displayed. Click Save.
The Azure AD configuration is now complete. Copy the "App Federation Metadata Url" from section 3 "SAML Signing Certificate" on this page and enter it on the federated authentication configuration page of the Data8 website. Click Update to save your settings.
AD FS Configuration
Your AD FS administrator will first need to add a Relying Party Trust for the Data8 website. In the AD FS Management control panel, select Relying Party Trusts, then click Add Relying Party Trust. Select the "Claims Aware" option and click Start.
In the Federation Metadata Address field, enter https://www.data-8.co.uk/saml2/discovery.
Click Next until you reach the "Choose Access Control Policy" page. At this point you can select who should be able to access the Data8 website. The default is to allow all users, but you may want to restrict this to users in a particular security group.
Click Next to the end of the wizard, then click Finish. You should now see the Claims Issuance Policy window. Click on the Add Rule button and select the "Transform an Incoming Rule" option. Configure the rule as follows:
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent Identifier
Click Finish, then OK to save the changes. The AD FS setup is now complete.
You now need to link your account on the Data8 website to your AD FS server. On the federated authentication configuration page of the Data8 website, enter the metadata URL for your AD FS server. This will normally be in the format https://sts.your-company.com/federationmetadata/2007-06/federationmetadata.xml. Click Update to save your settings.
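The same AD FS configuration can be scripted instead of clicked through the wizard. The following is an added example written for this page, not Data8's own tooling, and it uses the AD FS PowerShell module that ships with the AD FS role. The Data8 metadata URL is the one given above; the trust display name is an assumed placeholder, and the script must be run as an AD FS administrator on the AD FS server. It creates the Relying Party Trust from the Data8 metadata, applies the UPN to Name ID transform rule with the Persistent Identifier format, sets the default "permit everyone" access control policy (the page notes you may prefer to restrict this to a security group, which is the "Permit specific group" built-in policy), and finally prints the federation metadata URL for this AD FS server, which is the value to enter on the Data8 federated authentication configuration page.

```powershell
# Added example (not from the Data8 page): the AD FS steps above, done with the
# AD FS PowerShell module instead of the management console.
# Run as an AD FS administrator on the AD FS server.
Import-Module ADFS

$trustName   = "Data8 Website"                             # assumed display name
$metadataUrl = "https://www.data-8.co.uk/saml2/discovery"  # Data8 SAML metadata (from the page)

# 1. Create the claims-aware Relying Party Trust from Data8's SAML metadata.
#    Monitoring/auto-update keep the trust in sync if Data8 rotates its signing certificate.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName `
                              -MetadataUrl $metadataUrl `
                              -MonitoringEnabled $true `
                              -AutoUpdateEnabled $true
}

# 2. Issuance transform rule equivalent to the wizard settings:
#    incoming claim type UPN -> outgoing claim type Name ID, format "Persistent Identifier".
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to persistent Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2008/06/identity/claims/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# 3. Apply the rule and the access control policy. "Permit everyone" matches the
#    wizard default; use the built-in "Permit specific group" policy to limit access
#    to a security group, as the page suggests.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
                          -IssuanceTransformRules $nameIdRule `
                          -AccessControlPolicyName "Permit everyone"

# 4. Review what was configured before linking the Data8 account to this AD FS.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, AccessControlPolicyName, IssuanceTransformRules

# 5. The federation metadata URL of this AD FS server: enter this value on the
#    Data8 federated authentication configuration page.
$stsHost = (Get-AdfsProperties).HostName
"https://$stsHost/FederationMetadata/2007-06/FederationMetadata.xml"
```

The rule in step 2 is the claim rule language that the "Transform an Incoming Claim" template generates for the settings listed above, so the result is the same as completing the wizard. Keeping the persistent Name ID format matters: it is the identifier the Data8 website associates with a user on first login, so a change of format would break the link between the SSO identity and the existing Data8 login.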
Logging in with SSO
Users that already have a login to your account can go to the login page as normal and enter their username. After entering their username they will be redirected to your configured identity provider to log in, then returned to the Data8 website.
New users that do not already have a login to the Data8 website can instead use the login link that is shown in the Federated Authentication section of the security settings page.
The first time a user logs in with SSO they will be shown a page to either associate their SSO login with an existing Data8 website login, or create a new user account. Users that have previously had access to the Data8 website using a username and password can enter this now to link their SSO login to that account and continue accessing the site as normal. New users that do not have an existing Data8 login need to fill in the quick registration form with their name and contact details. They'll be sent an email to confirm their login, and another email will be sent to administrators within the account to notify them that a new user has been added.
Subsequent logins using SSO will bypass this step. The user will be logged in automatically without requiring any further interaction on the Data8 website.