Single Sign-On (SSO) allows your organization to integrate Prisme.ai with your existing identity provider, enabling secure, streamlined authentication while maintaining central control over user access and permissions. This page provides comprehensive information about SSO implementation, configuration, and management in Prisme.ai.

Benefits of SSO Integration

Enhanced Security

Enforce your organization’s security policies including password requirements, MFA, and conditional access

Simplified Access

Users can access Prisme.ai without maintaining separate credentials

Centralized Control

Manage user access from your existing identity management system

Improved Compliance

Meet regulatory requirements for authentication and access control

Supported Identity Providers

Prisme.ai supports SSO integration with all major identity providers that implement standard protocols, for example:

Microsoft Entra ID (Azure AD)

Microsoft’s cloud-based identity and access management service (Azure AD was renamed Microsoft Entra ID in 2023):
  • Azure AD Free
  • Azure AD Premium P1/P2
  • Microsoft Entra ID
Supports both SAML 2.0 and OpenID Connect protocols.

Authentication Protocols

Prisme.ai supports the following authentication protocols for SSO:

SAML 2.0

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
  1. User attempts to access Prisme.ai
  2. Prisme.ai redirects to the identity provider
  3. User authenticates with the identity provider
  4. Identity provider issues a SAML assertion
  5. User is redirected back to Prisme.ai with the SAML assertion
  6. Prisme.ai validates the assertion and grants access
To configure SAML SSO, you’ll need to exchange:
  • Entity ID (Prisme.ai’s service-provider identifier, which must appear in the assertion’s Audience, and your IdP’s entity ID, which is checked against the assertion’s Issuer)
  • ACS (Assertion Consumer Service) URL, the Prisme.ai endpoint the IdP posts assertions to
  • Login URL (the IdP’s single sign-on endpoint)
  • Logout URL
  • The IdP’s signing certificate, which Prisme.ai uses to verify assertion signatures (plus an SP certificate if SAML requests are to be signed)
  • Attribute mappings for user information
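The checks step 6 hides behind "validates the assertion" are where most SAML SP bugs live. The following is an added example, not Prisme.ai’s code: it assumes the XML signature on the Response/Assertion has already been verified against the IdP signing certificate with a SAML library, and shows the remaining checks an SP must perform (status, issuer, audience, validity window with clock skew, Recipient, InResponseTo) followed by the attribute-mapping step. The entity IDs, ACS URL, attribute names and the sample Response are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP/IdP settings (assumptions, not real Prisme.ai values)
SP_ENTITY_ID = "https://prisme.example.com/saml/metadata"
ACS_URL = "https://prisme.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/idp"
CLOCK_SKEW = timedelta(minutes=3)

# IdP attribute name -> profile field (hypothetical attribute mapping)
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstName",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
}


class SamlValidationError(Exception):
    pass


def _ts(value):
    """Parse the UTC xsd:dateTime form ('...Z') used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now=None):
    """Run the post-signature checks and return the mapped user profile."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") not in (None, ACS_URL):
        raise SamlValidationError("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous multi-assertion responses
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # issued for some other service provider
        raise SamlValidationError("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlValidationError("Recipient mismatch")
    if scd.get("InResponseTo") != expected_request_id:  # replayed or unsolicited
        raise SamlValidationError("InResponseTo does not match a pending request")
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("subject confirmation expired")
    profile = {"nameId": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # unmapped attributes are ignored, never copied into the profile
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        profile[field] = values if field == "groups" else values[0]
    return profile


# Constructed sample Response (unsigned; the signature is assumed checked upstream)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req123"
 IssueInstant="2024-05-01T10:00:00Z" Destination="https://prisme.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req123" NotOnOrAfter="2024-05-01T10:05:00Z"
     Recipient="https://prisme.example.com/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://prisme.example.com/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>prisme-admins</saml:AttributeValue>
    <saml:AttributeValue>data-science</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

T_OK = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)     # inside the validity window
T_LATE = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)  # past NotOnOrAfter plus skew
```

The `expected_request_id` is the ID of the AuthnRequest the SP stored when it redirected the user (step 2); comparing it against `InResponseTo` is what stops a captured assertion from being replayed into a fresh session. The small clock-skew allowance is deliberate: IdP and SP clocks drift, and a zero tolerance produces intermittent login failures that tempt operators into disabling the time checks altogether.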

OpenID Connect (OIDC)

OpenID Connect is an authentication layer built on top of OAuth 2.0, providing a standardized way to verify user identity.
  1. User attempts to access Prisme.ai
  2. Prisme.ai redirects to the identity provider with an authorization request
  3. User authenticates with the identity provider
  4. Identity provider issues an authorization code
  5. Prisme.ai exchanges the code for ID and access tokens
  6. Prisme.ai validates the tokens and grants access
To configure OIDC SSO, you’ll need to provide:
  • Client ID
  • Client Secret
  • Authorization endpoint
  • Token endpoint
  • Userinfo endpoint
  • JWKS endpoint (for token signature validation)
  • Scopes to request (at least openid; usually profile and email as well)
  • Claims mapping for user information
Most providers publish the issuer value and these endpoints in a discovery document at /.well-known/openid-configuration; the issuer is what the iss claim of every ID token is checked against.
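Steps 2, 4 and 6 of the OIDC flow each carry a check that is easy to skip: the authorization request must bind state, nonce and a PKCE challenge to the browser session, the callback must be refused if state does not match, and the ID token must be checked for algorithm, signature, issuer, audience, expiry and nonce before any claim is trusted. The block below is an added example of the relying-party side of that flow, not Prisme.ai’s implementation. It assumes an IdP that signs ID tokens with HS256 using the client secret (permitted by OpenID Connect Core; production IdPs usually use RS256 keys from the JWKS endpoint, in which case the signature step would call a JOSE library). The issuer, client credentials, redirect URI and the token-minting helper are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical relying-party configuration (assumptions, not real Prisme.ai values)
ISSUER = "https://login.example.com"
AUTHZ_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "prisme-ai"
CLIENT_SECRET = "client-secret-from-the-idp-console"
REDIRECT_URI = "https://prisme.example.com/oidc/callback"
CLOCK_SKEW = 60  # seconds


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 2: return the redirect URL plus the per-login values to keep server-side
    (state against login CSRF, nonce to bind the ID token, PKCE verifier)."""
    session = {"state": _b64url(secrets.token_bytes(16)),
               "nonce": _b64url(secrets.token_bytes(16)),
               "code_verifier": _b64url(secrets.token_bytes(32))}
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"],
              "nonce": session["nonce"], "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session


def parse_callback(callback_url, session):
    """Step 4: extract the authorization code, refusing a callback whose state
    was not issued for this session."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible login CSRF or stale callback")
    if "error" in q:
        raise ValueError("IdP returned error: " + q["error"][0])
    return q["code"][0]


def validate_id_token(token, session, now=None):
    """Step 6: verify signature and claims of the ID token from the token endpoint."""
    now = now or int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the expected algorithm; this also rejects "none"
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(CLIENT_SECRET.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud or (len(aud) > 1 and claims.get("azp") != CLIENT_ID):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) + CLOCK_SKEW <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != session["nonce"]:  # binds the token to this login attempt
        raise ValueError("nonce mismatch: token replayed from another login")
    return claims


def mint_test_id_token(claims, alg="HS256"):
    """Constructed stand-in for the IdP token endpoint, used only to exercise
    validate_id_token offline; alg='none' yields a deliberately unsigned token."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(
        CLIENT_SECRET.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + _b64url(sig)


def login_round_trip(now=1700000100):
    """Drive steps 2, 4 and 6 against the constructed IdP; return the validated claims."""
    url, session = build_authorization_request()
    assert "code_challenge_method=S256" in url
    code = parse_callback(REDIRECT_URI + "?code=abc123&state=" + session["state"], session)
    token = mint_test_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                "iat": now - 10, "exp": now + 300, "nonce": session["nonce"]})
    return validate_id_token(token, session, now=now)
```

The code exchange itself (step 5) is an HTTPS POST to the token endpoint carrying `code`, `redirect_uri`, the client credentials and `code_verifier`; it is omitted here because it needs a live IdP. What the example is meant to show is that none of the values in `session` may come from the browser: they are generated server-side at step 2 and compared at steps 4 and 6.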

Setting Up SSO for Your Organization

Follow these steps to configure SSO for your Prisme.ai instance:
1. Contact Support

Reach out to your Prisme.ai account representative or support team to initiate the SSO setup process

2. Choose Protocol

Select either SAML 2.0 or OpenID Connect based on your identity provider’s capabilities and your organization’s requirements

3. Configure Your Identity Provider

Add Prisme.ai as a service provider or application in your identity provider’s dashboard

4. Exchange Configuration Information

Provide Prisme.ai with the necessary configuration details from your identity provider (metadata, endpoints, certificates), and configure your IdP with the information provided by Prisme.ai (Entity ID and ACS URL for SAML, or redirect URI for OIDC)

5. Map User Attributes

Configure how user attributes (name, email, groups, etc.) from your identity provider map to Prisme.ai attributes

6. Test the Integration

Verify the SSO setup works correctly with test accounts before rolling out to all users

7. Deploy to Users

Once testing is successful, enable SSO for your organization’s users

User Provisioning and Deprovisioning

In addition to authentication, Prisme.ai supports automated user lifecycle management:

SCIM Provisioning

System for Cross-domain Identity Management (SCIM) allows for automated user provisioning and deprovisioning:
  • Automatic user creation when provisioned in your IdP
  • Real-time updates to user attributes and group memberships
  • Immediate deactivation when users are removed from your IdP
  • Role and permission mapping based on group membership
SCIM integration is available for:
  • Azure AD
  • Okta
  • OneLogin
  • Other SCIM 2.0 compatible providers
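On the Prisme.ai side, "immediate deactivation" and "real-time updates" both arrive as SCIM PATCH requests against the Users resource. The following is an added example of the core of such a handler, written against RFC 7644 (it is not Prisme.ai’s SCIM implementation); it handles top-level attributes only, leaving filtered paths such as `emails[type eq "work"].value` to a full SCIM library, and shows two details that matter in practice: the `op` value is case-insensitive, `active` may arrive as the string "False" from some IdPs, and a transition to `active: false` must revoke live sessions rather than only flip a flag. The user record and PATCH bodies are constructed samples.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Carries the HTTP status a SCIM endpoint would return."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def _to_bool(value):
    """'active' must be a boolean; some IdPs (Entra ID among them) have sent it as "False"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, "invalid boolean for active: %r" % (value,))


def apply_patch(user, body):
    """Apply a SCIM PatchOp to a stored user record and return
    (updated_user, revoke_sessions). The input record is not modified."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "missing PatchOp schema")
    u = copy.deepcopy(user)
    for op in body.get("Operations", []):
        kind = op.get("op", "").lower()  # RFC 7644: op is matched case-insensitively
        path, value = op.get("path"), op.get("value")
        if kind in ("add", "replace"):
            changes = {path: value} if path else value
            if not isinstance(changes, dict):
                raise ScimError(400, "value must be an object when path is omitted")
            for attr, v in changes.items():
                if attr in ("id", "groups"):  # server-assigned / managed via the Groups resource
                    raise ScimError(400, attr + " is read-only on User")
                if attr == "active":
                    v = _to_bool(v)
                if kind == "add" and isinstance(u.get(attr), list) and isinstance(v, list):
                    u[attr] = u[attr] + v  # add appends to multi-valued attributes
                else:
                    u[attr] = v
        elif kind == "remove":
            if not path or path in ("id", "userName", "active"):
                raise ScimError(400, "cannot remove %r" % (path,))
            u.pop(path, None)
        else:
            raise ScimError(400, "unsupported op %r" % (kind,))
    # Deactivation is the deprovisioning signal: existing sessions and tokens must die with it.
    revoke = bool(user.get("active", True)) and not u.get("active", True)
    return u, revoke


# Constructed sample records (not from any real tenant)
SAMPLE_USER = {"id": "2819c223", "userName": "alice@example.com",
               "displayName": "Alice Example", "active": True,
               "emails": [{"value": "alice@example.com", "primary": True}]}
DEACTIVATE = {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
RENAME = {"schemas": [PATCH_SCHEMA],
          "Operations": [{"op": "replace", "value": {"displayName": "Alice Smith"}}]}
```

A real endpoint would wrap this in authentication of the IdP’s bearer token, persist `u`, and on `revoke` invalidate the user’s sessions and API tokens before returning 200; a SCIM implementation that only stores `active: false` leaves a departed user logged in until their session expires.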

Just-in-Time Provisioning

For organizations not using SCIM, Prisme.ai also supports just-in-time (JIT) provisioning:
  • Users are automatically created on their first login
  • User attributes are populated from the SSO identity assertion
  • Permissions can be assigned based on group attributes in the assertion
JIT provisioning creates and updates accounts but cannot deprovision them: a user removed from the IdP can no longer sign in, but their Prisme.ai account and any sessions still open remain until they expire or are removed manually. Group changes at the IdP take effect at the user’s next login.

Role-Based Access Control with SSO

Integrate your organization’s group structure with Prisme.ai’s permission system:
1. Define Group Attribute

Configure which attribute in your identity provider contains group or role information

2. Create Role Mappings

Define how identity provider groups map to Prisme.ai roles

3. Apply Granular Permissions

Configure workspace and resource-level permissions based on roles

4. Test Access Controls

Verify that users receive appropriate permissions based on their group memberships
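The four steps above, and the JIT rule that permissions follow group attributes in the assertion, reduce to one function that turns the group claim into per-workspace roles. The block below is an added example of that mapping, not Prisme.ai’s permission system: the role names, workspace names, permission sets and mapping table are hypothetical. It normalizes the group claim (IdPs send a list, a single string, or a comma-separated string), ignores groups that have no mapping, keeps the highest role when several groups grant access to the same workspace, denies access to any workspace with no mapped role, and replaces rather than merges roles on each login so that a group removed at the IdP actually takes effect.

```python
# IdP group -> Prisme.ai role on a workspace ("*" = every workspace). Hypothetical table.
ROLE_MAPPINGS = [
    {"group": "prisme-admins", "role": "admin", "workspace": "*"},
    {"group": "data-science", "role": "editor", "workspace": "analytics"},
    {"group": "support-l1", "role": "viewer", "workspace": "analytics"},
    {"group": "support-l1", "role": "viewer", "workspace": "helpdesk"},
]
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}
PERMISSIONS = {"viewer": {"read"},
               "editor": {"read", "write"},
               "admin": {"read", "write", "manage"}}


def normalize_groups(claim):
    """Accept the group claim shapes different IdPs emit and return lower-cased names."""
    if claim is None:
        return set()
    if isinstance(claim, str):
        claim = claim.split(",")
    return {g.strip().lower() for g in claim if isinstance(g, str) and g.strip()}


def resolve_roles(group_claim, mappings=ROLE_MAPPINGS):
    """Map IdP groups to {workspace: role}; unmapped groups are ignored and a user
    with no mapped group gets an empty dict (deny by default)."""
    groups = normalize_groups(group_claim)
    roles = {}
    for m in mappings:
        if m["group"].lower() not in groups:
            continue
        ws = m["workspace"]
        if ROLE_RANK[m["role"]] > ROLE_RANK.get(roles.get(ws), 0):
            roles[ws] = m["role"]  # keep the highest role granted for this workspace
    return roles


def effective_role(roles, workspace):
    """Workspace-specific role or the "*" role, whichever is higher; None if neither."""
    candidates = [r for r in (roles.get(workspace), roles.get("*")) if r]
    return max(candidates, key=ROLE_RANK.__getitem__) if candidates else None


def is_allowed(roles, workspace, action):
    role = effective_role(roles, workspace)
    return role is not None and action in PERMISSIONS[role]


def apply_login(user, group_claim):
    """JIT update on every SSO login: roles are replaced, not merged, so removal
    from a group at the IdP is reflected at the user's next login."""
    return {**user, "roles": resolve_roles(group_claim)}
```

Step 4 of the procedure is the test: pick one account per group, sign in, and confirm both that the expected workspaces are reachable and that the unmapped ones are not. The negative half is the one usually skipped, and it is the one that catches a mapping that accidentally grants a default role.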

Multi-Factor Authentication

Enhance security with multi-factor authentication (MFA):

Identity Provider MFA

Use your identity provider’s MFA capabilities with SSO

FIDO2/WebAuthn

Support for hardware security keys and biometric authentication

Time-based OTP

Compatibility with authenticator apps like Google Authenticator

Conditional Access

Apply MFA based on risk factors like location or device

SSO for Self-Hosted Deployments

For customers using Prisme.ai in their own infrastructure:
Self-hosted Prisme.ai can integrate with on-premises identity providers such as:
  • Active Directory Federation Services (ADFS)
  • Keycloak
  • OpenLDAP
  • Shibboleth
This allows organizations to maintain a completely on-premises authentication infrastructure.
Self-hosted deployments require:
  • Network connectivity between Prisme.ai and your identity provider
  • Proper certificate configuration for secure communication
  • Additional configuration in your infrastructure’s reverse proxy or load balancer
Detailed configuration guides are available for each supported on-premises identity provider.

Monitoring and Troubleshooting

Maintain visibility into your SSO implementation:
1. Access Audit Logs

Review authentication events in the Prisme.ai audit logs

2. Monitor IdP Logs

Check your identity provider’s logs for authentication issues

3. Verify Configuration

Ensure metadata and certificates are current and correctly configured

4. Test with Diagnostic Tools

Use browser debugging tools to inspect authentication flows and identify issues

Best Practices

Follow these recommendations for a secure and effective SSO implementation:
  • Implement MFA: Always use multi-factor authentication with SSO
  • Regularly Rotate Certificates: Update SAML signing certificates before they expire, and remove the old certificate once the new one is in use so that assertions signed with a retired key are no longer accepted
  • Use Groups for Authorization: Manage permissions via group membership rather than individual assignments
  • Test Before Deployment: Thoroughly test SSO configuration with pilot users, including users who should be denied access
  • Limit Session Duration: Configure session timeouts that match your organization’s policy, since SSO sessions outlive the IdP login that created them
  • Plan for Fallback: Maintain emergency (break-glass) access procedures in case of IdP outages, with those accounts protected by MFA and their use audited

Additional Resources

Getting Help

If you encounter issues with your SSO implementation:
  • Enterprise Support: Contact your dedicated support representative
  • Technical Support: Submit a ticket through the support portal
  • Documentation: Refer to our detailed SSO implementation guides for specific identity providers