SSO (Single Sign-On) - Intergraph Smart API Manager - 2020 (4.0) - Help


Single sign-on is an authentication process allowing a user to access multiple applications via a single set of credentials. For example, consider Google. Once you log in (authenticate) with Google, you can access all of your data using various Google apps: mail, docs, calendar, photos, etc. You can move seamlessly between the applications based on a single login.

Smart API Manager also supports SSO via authentication with an external identity provider. See Identity providers for complete information.

SSO example with IWA

For example, many corporations use Windows with Active Directory (AD). A corporate user has an AD identity simply by logging into a corporate network domain. Smart API Manager is preconfigured with an external identity provider called Integrated Windows Authentication (IWA) that uses that AD identity.

A client application can default to a specific identity provider by passing a query parameter like the following (this example specifies the IWA provider):

Name: acr_values

Value: idp:F53ECC91-08DB-4B4A-8C40-99C6B4D010DD

A web application (like SPF Web Client) can be configured to include this parameter when it calls Smart API Manager to request an access token. In this case, the regular sign-in page is bypassed, and the user is forwarded directly to the selected identity provider. For example, if acr_values is set to the Integrated Windows Authentication (IWA) provider, access is granted to the application automatically, assuming:

  • the user's AD identity has been authorized for access to the requested resources, and

  • the user is logged into the domain.
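The following is an added example, not code from the Smart API Manager product or its documentation. It shows a client building an OpenID Connect authorization request that carries the acr_values idp hint described above, and the server-side decision that the hint implies: forward to the named provider only if it is one of the configured providers, otherwise fall back to the regular sign-in page. The authorization endpoint path, client id, redirect URI and provider registry are constructed assumptions; the provider id is the IWA id quoted on this page.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Provider id quoted on the page for the preconfigured IWA provider.
IWA_PROVIDER_ID = "F53ECC91-08DB-4B4A-8C40-99C6B4D010DD"

# Constructed registry of configured external identity providers (id -> name).
CONFIGURED_PROVIDERS = {IWA_PROVIDER_ID: "Integrated Windows Authentication (IWA)"}


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, idp_id=None):
    """Client side: build an OpenID Connect authorization request. When idp_id
    is given it is sent as acr_values=idp:<id>, which bypasses the sign-in page."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,  # anti-CSRF value the client must verify on return
    }
    if idp_id:
        params["acr_values"] = f"idp:{idp_id}"
    return f"{authorize_endpoint}?{urlencode(params)}"


def idp_hint_from_url(url):
    """Return the raw acr_values parameter of an authorization URL, or None."""
    query = parse_qs(urlparse(url).query)
    return query.get("acr_values", [None])[0]


def select_identity_provider(acr_values, configured=CONFIGURED_PROVIDERS):
    """Server side: pick the provider named by an 'idp:' token in acr_values.
    acr_values is space-separated per OpenID Connect. The hint is supplied by
    the client, so an unknown or malformed id is ignored and None is returned,
    meaning the regular sign-in page is shown instead of forwarding anywhere."""
    for token in (acr_values or "").split():
        prefix, sep, idp_id = token.partition(":")
        if sep and prefix == "idp":
            wanted = idp_id.strip().lower()
            for known in configured:
                if known.lower() == wanted:
                    return known
    return None
```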

Tip: You must add AD credentials to a group authorized to access the desired API resources. See Add an external identity user to a group for details. For IWA, external identities take the form of:

  • DOMAIN\username

  • DOMAIN\group_name

Smart API Manager supports external identity providers based on the following protocols: OpenID Connect, SAML 2.0, and WS-Federation. Applications can specify any configured external identity provider as the default for SSO. However, if the user is not currently authenticated with the specified provider, they must log in.