How to setup & manage SSO in XY Application


XY Sense supports SSO (Single Sign On) integration for identity providers that support Open ID Connect or SAML2.0. This lets users log into the XY Sense application via SSO, removing the need to maintain multiple logins. SSO integration also enables IT administrators to manage & configure access to the XY Sense Application.

 

Prerequisite

  • Your SSO provider must support Open ID Connect (OIDC) or SAML2.0
  • Let XY Sense know you would like to enable SSO for your organisation via Zendesk 'Leave a Message' in the web-app or emailing XY Sense
  • You need to have completed Set up instructions for your Identity Provider
  • You need these values ready 
    • For OIDC - Client ID, Client Secret and Issuer (Your SSO domain) from your ID Provider
    • For SAML2.0 - Metadata URL
  • You need to have access to the XY Application with CustomerAdmin permission to complete the integration

Identity Provider Setup Instructions

  • Okta - How to Setup SSO for Okta ->
  • Microsoft Azure AD (SAML2.0) - How to Setup SSO for Azure AD (SAML2) ->
  • Microsoft Azure AD (Open ID Connect) - How to Setup SSO for Azure AD (OIDC) ->
  • Other providers - We also support all other SSO providers that use either Open ID Connect or SAML2.0. You can use the parameters from the Azure AD example.


Enable SSO integration in XY Application

  1. Log into your account on the XY Application https://app.xysense.io/
  2. Go to Admin > Single Sign On (from the left-hand bar). If you do not see this option, please contact support@xysense.com to enable it for your instance.
  3. Click the Configure SSO button

Choose OpenID Connect or SAML2

    • For OpenID Connect - Enter the Client ID, Client Secret and Issuer (Your SSO domain) in the input fields
    • For SAML2 - Enter the Metadata URL in the input field
    • Enter the Sign in Display Name (Shows on the 'Sign in with ____' button)

 

User Permissions Options

There are three options for permission management in XY Sense

 

Option 1: Delegate to Identity Provider

Delegation of permissions and/or building restrictions managed by the SSO Identity Provider

If you have a large number of users you wish to utilise specific aspects of the XY Sense platform, it's possible to use delegated permissions and building restrictions.

This means that, for permissions managed within the Identity Provider, a third attribute, roles, will need to be set up in the IdP, comprising one or more XY Sense permissions. (Details on what they are can be found here)

NOTE: if you have a previously configured SSO integration, you will either need to disable that and start fresh to allow delegated claims, or you can contact your Customer Success Manager to have our support team assist you in re-configuring the setup. 

To allow building claims - Under IdP building restriction name, enter the name of the attribute your IdP will provide to configure building access in XY


If allowing building claims:

  • In order to grant access to all buildings, the attribute selected above must contain the text 'all'
  • To limit to specific buildings, the attribute must contain the list of required building ids, separated by a tilde (~)
  • A missing or blank claim will result in the user having no access
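
The three building-claim rules above, as a check an IdP administrator could run over attribute values before releasing them. This is an added example, not XY Sense code: the function and class names are hypothetical, and treating 'all' as an exact, case-sensitive token, trimming whitespace, and assuming building ids contain no commas, semicolons or spaces are assumptions of the example.

```python
from dataclasses import dataclass, field

SEPARATOR = "~"      # from the article: building ids are separated by a tilde
ALL_KEYWORD = "all"  # from the article: grants access to all buildings


@dataclass
class BuildingAccess:
    scope: str  # "none", "all" or "listed"
    building_ids: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def check_building_claim(value):
    """Classify one attribute value before the IdP releases it for a user."""
    parts = [p.strip() for p in (value or "").split(SEPARATOR)]
    ids = [p for p in parts if p]
    # A missing or blank claim results in no access (fail closed).
    if not ids:
        return BuildingAccess("none", warnings=["claim missing or blank"])
    warnings = []
    if len(ids) != len(parts):
        warnings.append("empty segment: stray or doubled '~'")
    # 'all' grants every building. Assumption: exact, case-sensitive token.
    if ALL_KEYWORD in ids:
        if len(ids) > 1:
            warnings.append("'all' mixed with building ids: intent unclear")
        return BuildingAccess("all", warnings=warnings)
    # Otherwise the value is a tilde-separated list of building ids.
    unique = []
    for b in ids:
        if any(ch in b for ch in ",; "):
            warnings.append(f"{b!r} looks like a list with the wrong separator")
        if b in unique:
            warnings.append(f"duplicate building id {b!r}")
        else:
            unique.append(b)
    return BuildingAccess("listed", unique, warnings)


if __name__ == "__main__":
    # Constructed sample values, not real building ids.
    for sample in ["all", "101~102", None, "  ", "101,102", "all~101", "101~~102"]:
        print(repr(sample), "->", check_building_claim(sample))
```

Any value that comes back with warnings is worth correcting in the IdP mapping before rollout, since a mistyped separator or an unintended 'all' changes which buildings a user can see.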

 

Option 2: Use XY Sense platform- default permissions and all buildings access

Permissions managed via XY Sense platform with default permissions and all buildings access

This option is useful when the number of users you expect into the XY Sense platform is large, but the required permissions level will not need to be precisely managed.

This means your users will be able to access some platform functionality, with no building restrictions, on first login. There is an option here to select the permissions you would like first-time SSO users to be granted when logging into the XY Application.

We recommend ViewLive and ViewSpaces as the starting point.

  • ViewLive - enables users to view the 'Live tab' - real-time live view of occupancy & detections for any given site/floor
  • ViewSpaces - enables users to view the 'Buildings tab' - overview of all the sites, floors and their floor plans and mapped spaces.

 

Option 3: Use XY Sense platform - no default permissions, no buildings access

Permissions managed via XY Sense platform with no default permissions, no buildings access

This option is useful when the number of users you expect into the XY Sense platform is not large, but you'd like the added security of SSO authentication. 

SSO users will not see anything within the application until permissions are assigned and configured by admins for each individual user in Admin > Users.

Information on XY Sense Permissions can be found here

 

The SSO integration is now enabled and all assigned employees can log in via your identity provider. Please contact the support team in case of any problem.

 

 

Disable SSO integration in XY Application

Log into the XY Application and go to Admin > Single Sign On

Click the Disable button

The SSO integration is now disabled - all users that previously accessed the app via SSO will not be able to access the XY Application. SSO must be re-enabled for access into the XY Application, or users must set up another account and be invited to log in to the application via email & password - please contact XY Sense Support.

 
