Page Comparison

Prism The platform now supports Okta and Azure AD single sign-on capabilities. This has been included to assist those clients that wish to centrally manage users access to platforms they operate in. Prism The platform can now be added to that list.

...

When signing up a new user, they will need to login first with their email/password to setup their 2FA for Prismthe platform. Without the 2FA set up, they won’t be able to use the SSO login.

Adding SSO for a tenant will setup that specific tenant with SSO. So any users in that tenant can now sign in with SSO, depending on how they are setup in your specific SSO Client.

...

SSO In

...

Platform

Azure

Inside the connected accounts for a tenant, we can add SSO settings for Azure. This requires the following details:

...

• Log into Azure Portal and go to the “App Registrations” page.  

• Click on “+ New Registration” in the top left of the “App Registrations” page

• Under “Name” give the new application a unique name

• Under “Supported account types” select an account type (choose “Accounts in this organisational directory only”). 

• Under “Redirect URI (optional)”, choose “Web” in the drop-down and enter the following URL:

  Code Block
  https://{tenant_name}.{tenant_region}.prism-platform.com/login/azure/callback

• Click “Register” 

• You’ll be redirected to the “Overview” page of the new application

• Within the “Overview” page, under the “Essentials” section, there will be an Application (client) ID which can be copied into the Client ID field in Prismthe platform, under the the Azure within Prism’s the platform’s Connected Account section in Prismthe platform.  

...

• Within the “Overview” page, under the “Essentials” section, there will be an Directory (tenant) ID which can be copied into the Tenant ID field in Prismthe platform, under the the Azure within Prism’s the platform’s Connected Account section in Prismthe platform.  

...

• Within the “Overview” page, under the “Essentials” section, click on “Redirect URIs”

• The “Platform Configurations” section will appear

• If not already populated from earlier step, enter the following for the “Redirect URIs”:

  1. Code Block
     https://{tenant_name}.{tenant_region}.prism-platform.com/login/azure/callback

• Under “Front-channel logout” section, enter the following URL for the “Front-channel logout URL”:

  Code Block
  https://{tenant_name}.{tenant_region}.prism-platform.com/logout

• Under “Implicit grant and hybrid flows”, select the checkbox for “ID tokens (used for implicit and hybrid flows)”

• Click “Save” and then return to the “Overview” page

• Select the “Certificates & secrets” page from the left-hand side bar

• Within the “Certificates & secrets” page, under “Client secrets”:

  1. Choose “+ New client secret”

  2. Within the “Add a client secret” section provide a Description and set your Expires timeframe

  3. Click “Add”

• Within the “Certificates & secrets” page, under “Client secrets”, a new entry for the client secret will appear.

• Next to this new secret entry, copy the string of characters under Value. The string of characters should be copied in the Client Secret field in Prismthe platform, under the the Azure within Prism’s the platform's Connected Account section in Prismthe platform.

...

• Under Prismthe platform, click “Save Changes” to commit the configuration to the Prism platform tenant. This will assign this Azure configuration to the tenant:

...

• Within Azure, choose “API permissions” page from the left-hand side bar

• Under the “Configured permissions” section. There should be a “User.Read” entry within the “Microsoft Graph” permission.

• This “User.Read” permission requires admin rights. Click on “Grant admin consent for {Company}“. This is so the application is allowed to the read the user's details for signing into Prismthe platform. If this isn’t selected then the application won’t be able to sign into Prismthe platform.

Restricting Azure to specific users

...

1. Go to the overview page 

2. Find “Manage application in local directory” and click on your application name, this will take us through to the application properties page. 

3. On the left hand bar, under Manage, click on Properties.  

4. Scroll down and there is a property called “Assignment required?” change this to “Yes”. 

5. Click Save 

6. Click on Users and Groups on the side panel. Here we will assign the users we want to allow access to this SSO login.  

   1. Click “Add user/Group” and select the users we want to allow.  

   2. Select the users you want to allow and press “Select” at the bottom. 

   3. This should update the page with the users selected, click “Assign” at the bottom. 

   4. You should now see the list of users allowed to use the application. 

7. Any user not assigned to this list will not be allowed access to the SSO login, Prism the platform will redirect them to Azure, but they will hit an error page and will have to return to Prismthe platform.

...

Setting up Okta SSO

...

1. When in the admin panel, we will need to create a new application.

2. In the side panel, click on “Applications”

3. Click “create new web integration”

4. Click on “OIDC - OpenID Connect” and click “Web Application”, click next, this will take us to the application page.

5. First we should give our app a name.

6. For the Grant:

   1. Click on “Client Credentials”

   2. Click on “Implicit (Hybrid)”

7. Under “Sign in redirect url” enter:

   Code Block
   https://{tenant_name}.{tenant_region}.prism-platform.com/login/okta/callback

8. Under “Sign out redirect url” enter:

   Code Block
   https://{tenant_name}.{tenant_region}.prism-platform.com/login

9. Under “Assignments” we can either allow all access to individuals in the Okta tenant, or add a group to allow specific individuals to access Prismthe platform.

10. Click “Save” when finished.

11. When we have finished setting up Okta. We need to copy a few items into Prism the platform to setup the tenant to allow SSO.

12. We need the “Client ID”, “Client Secret“, and the “Base URL“.

13. The Client ID can be found at the top of the page on the General page of the application

14. The Client Secret is on the same page, just underneath

15. The Base URL is set when you sign up to Okta, this can be found under the pop-out of the admin page at the top right. If you click on your account name it will dropdown with the account details. It will look like “*****.okta.com”. This is used by Prism the platform to call your specific Okta tenant for the user details when signing in. This should be prefixed with https://, so https://mytenant.okta.com

16. Go back to Prism the platform and set up Okta under the connected accounts using the above information. This will setup SSO for the tenant.

...

1. Under the “General” Tab, scroll to the bottom to find “Federation mode”. If this is enabled, then we can disable this and setup specific assigned users.

2. Go to the “Assignments” tab

3. You should see a table and an “Assign” button. Click this and a modal will pop up with a list of users in your directory.

4. You can assign users here and this list will be the users that can sign in with Okta SSO.

...

Restricting Users using SSO in

...

Platform

Within Prismthe platform, under the “Users” section, we can assign a flag on a user to only allow them access to a tenant when they sign in with SSO. This means that if a user signs into Prism the platform using a traditional email/password then they won’t be able to access the tenant that they are setup on with “SSO Only”.

If a user signs in with email/password and the user is assigned to one tenant with “SSO Only”, then they won’t be able to sign into Prismthe platform, and will be shown a message on the login screen.

...

Signing in with SSO allows access to all tenants the user is associated with.

...

Logging into

...

Platform

After setting up SSO, you will be able to sign in from the login page using SSO.

When clicking the “Login with SSO” button, the user will then need to supply their email address, this will now be case sensitive and needs to match the case of the email address in the users profile. Clicking next will take us to the the Prism platform 2FA page. When completing 2FA, the user will be presented with SSO options, depending on the SSO that has been setup for the tenants that they are associated with.

Clicking on either Azure/Okta will take the user to the respective directories. If they are successful then they will redirected and logged into Prismthe platform. If not, they will see a screen letting them know what happened, or will be redirected back to Prismthe platform.

...

Troubleshooting

Azure

When signing into Azure, if a user hits a page that says that the application needs admin permission to sign in then Azure doesn’t have the correct permissions. Sign into Azure and go to “API permissions” on the side bar and Click on “Grant admin consent to {Company}“. This allows the app to read the user details and send them to Prism the platform to read their email.

Okta

If a user is trying to sign in and they don’t have permissions. The “Federation mode” may be disabled and no users have been assigned to the directory. This means that the Okta directory has been setup to restrict users, but that specific user hasn’t been given access. If “Federation mode” is enabled then the user can sign in as long as they are assign to the Okta directory.