- 16 Sep 2022
Delegated authentication
- Updated on 16 Sep 2022
We now support integration with third-party authentication systems for production deployments. If this is of interest to you, please reach out to us on Intercom!
Why is it cool?
People don't want to have a bunch of login information to remember (and we honestly would prefer not to have to handle their passwords), so this feature allows us to integrate with your company's existing IT systems to validate that users are who they say they are.
AuthN vs AuthZ
What we're talking about is authentication (AuthN), which is identity confirmation. Analytics is still responsible for authorization (AuthZ), making sure you only get the privileges granted to you, and does not currently delegate that responsibility.
Why do you care that we do AuthZ?
Because it means an admin still needs to create users in Analytics, assign them a role and, optionally, add them to user groups. Users that have not been onboarded will not get access to Analytics.
What types of integrations do you support?
Skylight Analytics works with OpenID and SAMLv2 providers at the moment. Does your Identity Provider not support one of those two? Let us know!
What does it look like?
Here is an example of one of our labs integrated with Accedian's Gsuite via OpenID. The login page simply suggests using your Google credentials.
Users are then redirected to the OpenID provider's landing page (in our case, Google's sign-in).
Then you're in!
How does it work?
- The user goes to the Analytics login page and selects the auth provider link configured for the deployment.
- Their browser redirects them to the auth provider.
- They select/prove their identity with the auth provider and get redirected back to Analytics.
- The auth provider has already been integrated with Analytics and sends us a valid auth token for that user.
- The user is IN! Any requests they perform will be validated against the token provided.
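The split between delegated AuthN and local AuthZ described above, as an added sketch that is not Skylight Analytics or CAS code. It assumes an HMAC-signed token as a stand-in for the OpenID/SAML provider's signed assertion (the page does not describe the real token format), and every name and value in it is constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data; hypothetical names, not the product's internals.
IDP_KEY = b"constructed-shared-secret"   # stand-in for the provider's signing key
LOCAL_USERS = {                          # users an admin has onboarded locally
    "alice@example.com": {"role": "admin", "groups": ["noc"]},
    "carol@example.com": {"role": "viewer", "groups": []},
}
ROLE_PERMS = {"admin": {"read", "write"}, "viewer": {"read"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject, ttl=300, now=None):
    """Play the auth provider: sign identity claims with an expiry."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    return f"{body}.{_sign(body)}"

def authenticate(token, now=None):
    """AuthN: return the subject only if the signature and expiry check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    return claims.get("sub") if claims.get("exp", 0) > now else None

def authorize(token, action, now=None):
    """AuthZ stays local: a proven identity still needs an onboarded user and a role."""
    subject = authenticate(token, now)
    if subject is None:
        return "401 invalid token"
    user = LOCAL_USERS.get(subject)
    if user is None:
        return "403 not onboarded"       # valid identity, but no local account
    if action not in ROLE_PERMS.get(user["role"], set()):
        return "403 role forbids action"
    return "200 ok"
```

A token for an identity the provider vouches for but that no admin has created locally is rejected at the second check, which is the behaviour the AuthZ section describes.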
Note about CAS
We like using open source components, and our Auth engine is no exception. We use an open source project called CAS for enterprise single sign-on. It's feature rich and well supported by the community.
What about the APIs!
True, using a delegated auth provider also removes the ability to authenticate via API using login/password. So for these deployments, we support token generation! We'll soon implement self-management of these tokens, but for now, if you need one, contact our Customer Success Managers via Intercom.
© 2024 Cisco and/or its affiliates. All rights reserved.