Configuring Sign-in Authentication through the Altium Dashboard

Created: August 12, 2020 | Updated: August 5, 2021
All Contents

Parent article: Altium Dashboard

The Altium Dashboard Authentication page allows account Administrators to configure and enable Single Sign-On (SSO) capabilities for your AltiumLive account, and includes support for SCIM (System for Cross-domain Identity Management) user and group provisioning, which automates the exchange of identity data between your company and its Identity Provider (IdP).

This backend configuration system allows account administrators to establish, test, enable and disable the SSO capability for company users. The SSO option is available when signing in to Altium Designer, AltiumLive, and an Altium 365 Workspace.

The SSO functionality is not available if your level of software access is Altium 365 Standard.

► See Single Sign On for information on user SSO with Altium Designer.

SAML Single Sign-On

When configured and enabled in the Dashboard, the SSO system establishes authorized identities from your company's nominated Identity Provider (IdP), for example Okta, OneLogin, etc, with the ID assertion communications based on the standardized Security Assertion Markup Language (SAML 2.0). The SSO sign-in interface for your company, if not already in place, is usually based on a template or example provided by the IdP – this instigates the SAML-based authentication assertion exchanges and provides access to company services.

In its default state the Dashboard Authentication page shows the preconfigured URLs for the AltiumLive SSO service (1. Altium metadata configuration), and the option to upload or manually enter your IdP's authorization connection data (2. SAML Identity Provider Configuration).

The IdP configuration metadata, to be uploaded as shown above, should be available from your Identity Provider once it is set up for integration with your company services.

Identity Provider Integration Examples

Expand the collapsible section below for a step through example of the integration process for a typical Identity Provider (OneLogin):

Integration with OneLogin as the identity provider

Adding a SAML Application:

  1. Login into OneLogin as an administrator.
  2. Select Applications and then Add Apps.

  1. Search for 'SAML' and select the SAML Test Connector (Advanced) IdP application option.

  1. Specify an application name (Display Name). This is for display purposes only.
  2. Click the Save button.

  1. Copy () the Entity URI and Single Sign On URL (Assertion Consumer Service) entries from AltiumLive Dashboard Authentication page to the fields as specified below.

In the OneLogin application setup:

  • Paste the above Entity URI (service provider name) as the Audience (EntityID) URL.
  • Paste the above Single Sign On URL (Assertion Consumer Service) as the ACS (Consumer) URL Validator.
  • Also paste the Single Sign On URL (Assertion Consumer Service) as the ACS (Consumer) URL.
  • The RelayState, Recipient, Single Logout URL and Login URL fields may be left blank.
  1. Ensure that the SAML nameID format option is set to Email, and the SAML signature element is set to Both. Click the Save button to confirm the settings.

  1. Click the More Actions button and then the SAML Metadata menu option to download the Identity Provider SAML metadata as an XML file.

  • This metadata file will be uploaded in the Authentication page of the Altium Dashboard to configure the OneLogin SSO service – see below.
  • If the preference is to set up the OneLogin SSO service manually in the Altium Dashboard, the required parameters can be found by selecting the SSO menu option in the OneLogin application interface.

  1. The follow-up steps would be to add users, and assign the application to those users.

Expand the collapsible section below for a step-through example of the integration process for a typical Identity Provider (Okta):

Integration with Okta as the Identity Provider

Adding a SAML Application:

  1. Sign in to Okta as an administrator.
  2. Click the Admin link/button and then the Add Application button under company Applications.

  1. Click the Create New App button.

  1. Select SAML 2.0 as the Sign-on method.

  1. Specify an App name. This is for display purposes only.

  1. Note the Single Sign On URL (Assertion Consumer Service) and Entity ID entries in the AltiumLive Dashboard Authentication page.

  1. Copy () and paste the Dashboard Single Sign On URL entry into the Okta SAML Settings Single sign on URL field.
  2. Copy () and paste the Dashboard Entity ID entry into the Okta SAML Settings Audience URI field.
  • A Default RelayState entry is not required.

  1. Set the remaining fields as follows:
  • The Name ID format is EmailAddress.
  • The Application username is (Okta) Email.
  • In the ATTRIBUTE STATEMENTS section, set the Name field to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and the Value to: user.email

  1. Click the Next button and select the ..Okta customer adding an internal app option.

  1. Click the Finish button.

  • Click the Identity Provider metadata link and save the metadata XML to your computer, or click the View Setup Instructions button for manual setup options.
  • In the SAML Identity Provider configuration section of the Altium Dashboard Authentication page, upload the saved metadata XML file or use the enter manually link to setup the individual sections – see below.

Expand the collapsible section below for a step through example of the integration process for a typical Identity Provider (Microsoft Azure):

Integration with Microsoft Azure Active Directory

SAML Application:

1. Sign in to the Microsoft AAD portal.

2. Select More services and then the Enterprise applications option.

3. Create your own application.

4. Select Users and groups and then Add user/group.

5. Select Single sign-on, Step 1, and then Edit.

6. Copy () Entity ID and Single Sign On URL from the Dashboard Authentication page.

7. Paste the copied strings into the Entity ID and Assertion Consumer Service URL fields in the Azure App Save area. Make sure the Default boxes are checked for these fields, and then save the configuration.

8. Download the created Metadata XML.

9. Upload the Metadata XML to the Authentication page, and then test the SAML integration connection.

Provisioning:

1. In the Azure app management screen, select Provisioning in the left panel and then the Get started button.

2. Set Provision MODE to Automatic.

3. Set Tenant URL to the Base URL shown in the Altium Dashboard Authentication page (see below).

4. Set Secret Token to the API Token shown in the Dashboard Authentication page (see below).

5. Click the Azure Provisioning Test Connection button, and if the credentials are successfully authorized, Save the configuration.

6. In the Mappings section, there are two selectable sets of attribute mappings – one for Group objects and one for User objects.

7. Select each mapping to review the attributes that ar8. e synchronized from Azure Active Directory to your app. The attributes selected as Matching properties are used to match the users and groups in your app for update operations. Select Save to commit any changes.

You can optionally disable syncing of group objects by disabling the Groups mapping.

8. Under Settings, the Scope field defines which users and groups are synchronized. Select Sync only assigned users and groups (recommended) to only sync users and groups assigned in the Users and groups page.

9. Once your configuration is complete, set the Provisioning Status to On.

10. Select Save to start the Azure AD provisioning service.

Dashboard SSO Configuration

To configure the SSO system in the Altium Dashboard, use the button on the Authentication page to locate and upload the SAML IdP configuration XML file generated by your company's IdP – see IdP integration examples above. Alternatively, use the enter manually link to add the individual elements (security certificate and URLs) of the configuration.

An uploaded IdP XML file is parsed by the system to extract the main configuration fields (X509 Certificate, Identity Provider Issuer URL, and IdP Single Sign-On URL), which can be manually edited if required ().

SSO is not enabled until an Integration Test is run, which is invoked by the  button. This verifies the SSO identity process and your company's SSO sign-in, and then provides a confirmation message that includes the option to inspect the SAML authorization result ().

Back in the Authentication page, the configuration validity check is reported as successful and the Altium account's Single Sign-On capability can be enabled (). If SSO is subsequently disabled, either manually or in response to a configuration change, the  button becomes available so the test process can be repeated.

Note that the user Provisioning section is preconfigured with Altium's SCIM settings in order to support User/Group provisioning through your company's Identity Provider (IdP), such as Okta, OneLogin, etc.

Authentication Methods

Along with providing a setup interface for configuring Altium SSO connectivity, the Dashboard Authentication page also provides global and individual control over the full range of user sign-in options – namely; traditional Email/Password, Google® and Facebook® sign-in, and Single Sign On via your organization's Identity Provider. The options enabled in the Authentication methods section of the page determine the sign-in methods available to all your organization's Altium account users.

The system's response to user sign-in will depend on the enabled Authentication options:

  • When SSO is enabled for users but another method is disabled (say, Email/Password), an attempt to sign-in using that method will default to the SSO procedure.
  • When SSO is disabled, attempting to sign-in using another disabled method (say, Email/Password) will result in an error message.

  • When SSO is disabled, attempting to sign-in using SSO will result in an error message.

Sign-in options can be configured for an individual user from within their Dashboard account entry, accessed from the Dashboard Users page. These settings, when activated by checking the Override Authentication methods option, will take precedence over the global sign-in settings on the Authentication page for this user only. Click the button to confirm a change to the settings.

The Authentication Override settings might be used where SSO is the enforced sign-in method for an organization (all other options are disabled, globally), but an individual user requires a specific type of sign-in access – email/password only, for example.

Individual user sign-in methods that have been specified with the Override Authentication methods settings (as above) can be restored to their defaults with the Reset users overrides option in the Authentication methods section of the Authentication page. This will reset the individual sign-in settings for all users to the global authentication methods that are currently selected on the Authentication page.

Found an issue with this document? Highlight the area, then use Ctrl+Enter to report it.

お問合せ

お近くの営業所にお問合せください。

We're sorry to hear the article wasn't helpful to you.
Could you take a moment to tell us why?
200 characters remaining
You are reporting an issue with the following selected text
and/or image within the active document: