Third-party SSO
SSO authentication for the Plixer Endpoint Analytics web interface has been tested with the following third-party identity providers:
Microsoft Azure Active Directory
Google
Okta
Important
Before configuring SSO in the web interface, the identity provider must be set to accept authentication requests from Plixer Endpoint Analytics.
To configure the Plixer Endpoint Analytics web interface to route authentication through a third-party identity provider, follow these steps:
Navigate to Configuration > Identity Providers, and then select Add Identity Provider.
On the Add Identity Provider page, enter the following details:
Name: Unique, internal name for the provider/service
Client ID: ID assigned to the app registration in the identity provider console (also called the application ID)
Discovery Document Endpoint: OpenID Connect metadata document URL (should end in /.well-known/openid-configuration)
(Optional) Authorized Groups: Comma-separated list of users with SSO access (no authorization restrictions if left blank)
Tick the radio button to select the default access level to assign when users log in for the first time (will not affect existing users).
Tick the Verify Token Signature checkbox to require verification of the integrity of tokens used during SSO (not supported by all identity providers).
Tick the Enable checkbox to activate SSO via the identity provider, and then click Save.
After SSO has been configured and enabled, attempts to log in via https://<appliance_ip> will be redirected to the identity provider currently enabled.
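A pre-flight check for the Discovery Document Endpoint value, as an added example that is not Plixer code: it inspects an OpenID Connect metadata document for the fields a client needs before token signature verification can work (matching issuer, an HTTPS jwks_uri, at least one signing algorithm other than none). The function name, URL and sample documents are constructed for illustration, and fetching the document is left out so the check runs offline.

```python
SUFFIX = "/.well-known/openid-configuration"

def check_discovery(endpoint_url, doc):
    """Return a list of problems; an empty list means the metadata carries
    what a client needs to verify ID token signatures."""
    problems = []
    if not endpoint_url.startswith("https://"):
        problems.append("discovery endpoint is not https")
    if endpoint_url.endswith(SUFFIX):
        # OpenID Connect Discovery: the issuer must equal the URL the
        # document was served from, minus the well-known suffix.
        expected_issuer = endpoint_url[: -len(SUFFIX)]
        if doc.get("issuer") != expected_issuer:
            problems.append("issuer does not match discovery URL")
    else:
        problems.append("discovery endpoint does not end in " + SUFFIX)
    # Signing keys are published at jwks_uri; without it there is
    # nothing to verify a token signature against.
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not https")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not any(a != "none" for a in algs):
        problems.append("no signed ID token algorithm advertised")
    return problems

# Constructed sample values (hypothetical provider, not real metadata).
GOOD_URL = "https://idp.example.com/tenant1" + SUFFIX
GOOD_DOC = {
    "issuer": "https://idp.example.com/tenant1",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
WEAK_DOC = {
    "issuer": "https://other.example.net",
    "id_token_signing_alg_values_supported": ["none"],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("weak", WEAK_DOC)):
        print(name, check_discovery(GOOD_URL, doc) or "ok")
```

A document that fails the jwks_uri or algorithm check describes a provider setup where the Verify Token Signature option cannot be expected to work.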
Managing identity providers
Selecting List Identity Providers from the Identity Providers configuration submenu will open a summary page listing all identity providers currently configured within the system.
From this page, the following actions can be performed:
Adding a new identity provider
Editing the settings of a configured identity provider
Enabling/disabling identity providers
Deleting identity provider configurations
Exporting identity provider data in XML or CSV format
Hint
To revert to local user authentication for the web interface, either delete or disable all identity providers through the Edit Identity Provider page for each provider. This deletes all accounts created through SSO authentication, and only locally created accounts (and the administrator account) retain access to the web interface.