Benefits of SSO Integration
- Enhanced Security: Enforce your organization’s security policies, including password requirements, MFA, and conditional access
- Simplified Access: Users can access Prisme.ai without maintaining separate credentials
- Centralized Control: Manage user access from your existing identity management system
- Improved Compliance: Meet regulatory requirements for authentication and access control
Supported Identity Providers
Prisme.ai supports SSO integration with all major identity providers that implement standard protocols:
Microsoft’s cloud-based identity and access management service:
- Azure AD Free
- Azure AD Premium P1/P2
- Microsoft Entra ID
Authentication Protocols
Prisme.ai supports the following authentication protocols for SSO:
SAML 2.0
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
SAML 2.0 Flow in Prisme.ai
- User attempts to access Prisme.ai
- Prisme.ai redirects to the identity provider
- User authenticates with the identity provider
- Identity provider issues a SAML assertion
- User is redirected back to Prisme.ai with the SAML assertion
- Prisme.ai validates the assertion and grants access
Required SAML Configuration
To configure SAML SSO, you’ll need to provide:
- Entity ID
- ACS (Assertion Consumer Service) URL
- Login URL
- Logout URL
- Certificate for signing SAML requests
- Attribute mappings for user information
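The sketch below shows how the Entity ID and ACS URL listed above are typically used when a service provider validates an assertion. It is an added example, not Prisme.ai's code; it assumes a SAML library has already verified the XML signature, and every URL and name in it is hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical values standing in for the configuration items listed above.
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/saml"
ACS_URL = "https://sp.example.test/saml/acs"
SKEW = timedelta(minutes=2)  # tolerated clock drift between IdP and SP

# Constructed sample assertion (signature element omitted for brevity).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now):
    """Return the names of failed checks ([] = pass); signature is verified elsewhere."""
    a = ET.fromstring(xml_text)
    failed = []
    if a.findtext("saml:Issuer", "", NS).strip() != IDP_ENTITY_ID:
        failed.append("issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return failed + ["conditions"]
    audiences = [e.text.strip() for e in cond.iterfind(".//saml:Audience", NS) if e.text]
    if SP_ENTITY_ID not in audiences:      # assertion was minted for another service
        failed.append("audience")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or now + SKEW < _ts(nb):
        failed.append("not-before")
    if not noa or now - SKEW >= _ts(noa):  # stale assertions are rejected
        failed.append("not-on-or-after")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        failed.append("recipient")
    return failed
```

`now` must be a timezone-aware UTC datetime; a missing validity attribute is treated as a failure rather than as "no limit".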
OpenID Connect (OIDC)
OpenID Connect is an authentication layer built on top of OAuth 2.0, providing a standardized way to verify user identity.
OIDC Flow in Prisme.ai
- User attempts to access Prisme.ai
- Prisme.ai redirects to the identity provider with an authorization request
- User authenticates with the identity provider
- Identity provider issues an authorization code
- Prisme.ai exchanges the code for ID and access tokens
- Prisme.ai validates the tokens and grants access
Required OIDC Configuration
To configure OIDC SSO, you’ll need to provide:
- Client ID
- Client Secret
- Authorization endpoint
- Token endpoint
- Userinfo endpoint
- JWKS endpoint (for token validation)
- Scope requirements
- Claims mapping for user information
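The first steps of the OIDC flow above, sketched from the relying party's side with the `state` and `nonce` parameters that bind the callback and the ID token to the login that started them. This is an added example, not Prisme.ai's code; the endpoint, client ID, redirect URI, scope and the `session` dictionary (a stand-in for server-side session storage) are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values standing in for the configuration items listed above.
AUTHORIZATION_ENDPOINT = "https://idp.example.test/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://sp.example.test/oidc/callback"
SCOPE = "openid email profile"


def begin_login(session):
    """Build the authorization request URL and store per-login secrets server-side."""
    session["state"] = secrets.token_urlsafe(32)  # ties the callback to this session
    session["nonce"] = secrets.token_urlsafe(32)  # ties the ID token to this request
    return AUTHORIZATION_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": session["state"],
        "nonce": session["nonce"],
    })


def _same(expected, received):
    """Constant-time comparison that also rejects missing or non-string values."""
    if not (isinstance(expected, str) and isinstance(received, str) and expected):
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback matches the stored state."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)         # single use: a replayed callback fails
    if not _same(expected, params.get("state", [""])[0]):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed")
    return params["code"][0]                      # next: exchange at the token endpoint


def check_nonce(session, id_token_claims):
    """After the ID token signature is validated against the JWKS, bind it to this login."""
    if not _same(session.pop("nonce", None), id_token_claims.get("nonce")):
        raise ValueError("nonce mismatch")
```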
Setting Up SSO for Your Organization
Follow these steps to configure SSO for your Prisme.ai instance:
1. Contact Support: Reach out to your Prisme.ai account representative or support team to initiate the SSO setup process
2. Choose Protocol: Select either SAML 2.0 or OpenID Connect based on your identity provider’s capabilities and your organization’s requirements
3. Configure Your Identity Provider: Add Prisme.ai as a service provider or application in your identity provider’s dashboard
4. Exchange Configuration Information: Provide Prisme.ai with the necessary configuration details from your identity provider, and configure your IdP with information provided by Prisme.ai
5. Map User Attributes: Configure how user attributes (name, email, groups, etc.) from your identity provider map to Prisme.ai attributes
6. Test the Integration: Verify the SSO setup works correctly with test accounts before rolling out to all users
7. Deploy to Users: Once testing is successful, enable SSO for your organization’s users
User Provisioning and Deprovisioning
In addition to authentication, Prisme.ai supports automated user lifecycle management:
SCIM Provisioning
System for Cross-domain Identity Management (SCIM) allows for automated user provisioning and deprovisioning:
SCIM Features
- Automatic user creation when provisioned in your IdP
- Real-time updates to user attributes and group memberships
- Immediate deactivation when users are removed from your IdP
- Role and permission mapping based on group membership
Supported Identity Providers for SCIM
SCIM integration is available for:
- Azure AD
- Okta
- OneLogin
- Other SCIM 2.0 compatible providers
Just-in-Time Provisioning
For organizations not using SCIM, Prisme.ai also supports just-in-time (JIT) provisioning:
- Users are automatically created on their first login
- User attributes are populated from the SSO identity assertion
- Permissions can be assigned based on group attributes in the assertion
Role-Based Access Control with SSO
Integrate your organization’s group structure with Prisme.ai’s permission system:
1. Define Group Attribute: Configure which attribute in your identity provider contains group or role information
2. Create Role Mappings: Define how identity provider groups map to Prisme.ai roles
3. Apply Granular Permissions: Configure workspace and resource-level permissions based on roles
4. Test Access Controls: Verify that users receive appropriate permissions based on their group memberships
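A sketch of the group-to-role mapping described in these steps, combined with the just-in-time provisioning behaviour described earlier. It is an added example, not Prisme.ai's implementation; the group names, role names, `groups` and `email` attribute names and the in-memory `directory` are hypothetical.

```python
# Hypothetical IdP group names and role names; substitute your own mapping.
ROLE_MAPPING = {
    "prisme-admins": "admin",
    "prisme-builders": "editor",
    "prisme-users": "viewer",
}
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}


def groups_from_attributes(attributes, group_attribute="groups"):
    """Normalise the group attribute: a list, a single string, or absent."""
    raw = attributes.get(group_attribute)
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        return []
    return [g.strip() for g in raw if isinstance(g, str) and g.strip()]


def resolve_role(attributes, mapping=ROLE_MAPPING):
    """Return the highest mapped role, or None when no group is mapped (default deny)."""
    # Exact, case-sensitive match: a near-miss group name must not grant a role.
    roles = {mapping[g] for g in groups_from_attributes(attributes) if g in mapping}
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def jit_login(directory, attributes):
    """Create the user on first login and re-evaluate the role on every login."""
    email = str(attributes.get("email", "")).strip().lower()
    if not email:
        raise ValueError("assertion carries no email attribute")
    role = resolve_role(attributes)
    if role is None:
        if email in directory:  # mapped groups removed at the IdP: revoke access
            directory[email].update(role=None, active=False)
        return None
    user = directory.setdefault(email, {"email": email})
    user.update(role=role, active=True)
    return user
```

Re-evaluating the mapping on each login matters without SCIM, because a user removed from a group at the identity provider otherwise keeps the role assigned at first login.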
Multi-Factor Authentication
Enhance security with multi-factor authentication (MFA):
- Identity Provider MFA: Use your identity provider’s MFA capabilities with SSO
- FIDO2/WebAuthn: Support for hardware security keys and biometric authentication
- Time-based OTP: Compatibility with authenticator apps like Google Authenticator
- Conditional Access: Apply MFA based on risk factors like location or device
SSO for Self-Hosted Deployments
For customers using Prisme.ai in their own infrastructure:
On-Premises IdP Integration
Self-hosted Prisme.ai can integrate with on-premises identity providers such as:
- Active Directory Federation Services (ADFS)
- Keycloak
- OpenLDAP
- Shibboleth
Configuration Requirements
Self-hosted deployments require:
- Network connectivity between Prisme.ai and your identity provider
- Proper certificate configuration for secure communication
- Additional configuration in your infrastructure’s reverse proxy or load balancer
Monitoring and Troubleshooting
Maintain visibility into your SSO implementation:
1. Access Audit Logs: Review authentication events in the Prisme.ai audit logs
2. Monitor IdP Logs: Check your identity provider’s logs for authentication issues
3. Verify Configuration: Ensure metadata and certificates are current and correctly configured
4. Test with Diagnostic Tools: Use browser debugging tools to inspect authentication flows and identify issues
Best Practices
Follow these recommendations for a secure and effective SSO implementation:
- Implement MFA: Always use multi-factor authentication with SSO
- Regularly Rotate Certificates: Update SAML certificates before they expire
- Use Groups for Authorization: Manage permissions via group membership rather than individual assignments
- Test Before Deployment: Thoroughly test SSO configuration with pilot users
- Monitor Session Duration: Configure appropriate session timeouts
- Plan for Fallback: Maintain emergency access procedures in case of IdP outages
Additional Resources
- Security Compliance: Learn about Prisme.ai’s security certifications and standards
- Data Privacy: Understand how Prisme.ai protects your data
- Azure AD Integration Guide: Detailed guide for setting up Azure AD SSO
- Okta Integration Guide: Step-by-step instructions for Okta SSO configuration
Getting Help
If you encounter issues with your SSO implementation:
- Enterprise Support: Contact your dedicated support representative
- Technical Support: Submit a ticket through the support portal
- Documentation: Refer to our detailed SSO implementation guides for specific identity providers