Configuring Sign-in Authentication

The Company Dashboard Authentication page allows account Administrators to configure and enable Single Sign-On (SSO) capabilities for your Altium account, and includes support for SCIM (System for Cross-domain Identity Management) user and group provisioning, which automates the exchange of identity data between your company and its Identity Provider (IdP).

This backend configuration system allows account administrators to establish, test, enable and disable the SSO capability for company users. The SSO option is available when signing in to Altium Designer, AltiumLive, and an Altium 365 Workspace. When set up for account users, SSO offers the convenience of signing in to Altium software and services using the same set of credentials that apply to your company-wide systems.

This backend configuration system allows account administrators to establish, test, enable and disable the SSO capability for company users. The SSO option is available when signing in to Altium NEXUS and AltiumLive.

SAML Single Sign-On

When configured and enabled in the Dashboard, the SSO system establishes authorized identities from your company's nominated Identity Provider (IdP), for example Okta, OneLogin, etc, with the ID assertion communications based on the standardized Security Assertion Markup Language (SAML 2.0). The SSO sign-in interface for your company, if not already in place, is usually based on a template or example provided by the IdP – this instigates the SAML-based authentication assertion exchanges and provides access to company services.

In its default state, the Dashboard Authentication page shows the preconfigured URLs for the AltiumLive SSO service (1. Altium metadata configuration), and the option to upload or manually enter your IdP's authorization connection data (2. SAML Identity Provider Configuration).

The IdP configuration metadata, to be uploaded as shown above, should be available from your Identity Provider once it is set up for integration with your company services.

Identity Provider Integration Examples

Expand the collapsible section below for a step through example of the integration process for a typical Identity Provider (OneLogin):

Expand the collapsible sections below for step-through examples of the integration and provisioning process for a typical Identity Provider (Okta):

Expand the collapsible section below for a step through example of the integration and provisioning process for Microsoft Azure as an Identity Provider:

Expand the collapsible section below for a step through example of the integration process for JumpCloud as an Identity Provider:

Expand the collapsible section below for a step through example of the integration process for Microsoft AD FS as an Identity Provider:

Expand the collapsible section below for a step through example of the integration process for AWS IAM as an Identity Provider:

Dashboard SSO Configuration

To configure the SSO system in the Dashboard (if not already completed), use the button on the Authentication page to locate and upload the SAML IdP configuration XML file generated by your company's IdP – see IdP integration examples above. Alternatively, use the enter manually link to add the individual elements (security certificate and URLs) of the configuration.

An uploaded IdP XML file is parsed by the system to extract the main configuration fields (X509 Certificate, Identity Provider Issuer URL, and IdP Single Sign-On URL), which can be manually edited if required ().

SSO is not enabled until an Integration Test is run, which is invoked by the button. This verifies the SSO identity process and your company's SSO sign-in, and then provides a confirmation message that includes the option to inspect the SAML authorization result ().

Back in the Authentication page, the configuration validity check is reported as successful and the Altium account's Single Sign-On capability can be enabled (). If SSO is subsequently disabled, either manually or in response to a configuration change, the button becomes available so the test process can be repeated.

Note that the user Provisioning section is preconfigured with Altium's SCIM settings in order to support User/Group provisioning through your company's Identity Provider (IdP), such as Okta, OneLogin, etc.

Important: The required User Profile attributes for successful Provisioning are:

  • First name
  • Last name
  • Email – preferably a user’s work email address.
  • Username – on the Altium side, this is the user Email attribute.

Authentication Methods

Along with providing a setup interface for configuring Altium SSO connectivity, the Dashboard Authentication page also provides global and individual control over the full range of user sign-in options – namely; traditional Email/Password, Google® and Facebook® sign-in, and Single Sign On via your organization's Identity Provider. The options enabled in the Authentication methods section of the page determine the sign-in methods available to all your organization's Altium account users.

The system's response to user sign-in will depend on the enabled Authentication options:

  • When SSO is enabled for users but another method is disabled (say, Email/Password), an attempt to sign in using that method will default to the SSO procedure.
  • When SSO is disabled, attempting to sign in using another disabled method (say, Email/Password) will result in an error message.

  • When SSO is disabled, attempting to sign-in using SSO will result in an error message.

Sign-in options can be configured for an individual user by editing the settings in their Dashboard account entry. Select the button on the user's Dashboard Users page to access their sign-in override options. These settings, when edited with the Override Authentication methods option enabled, will take precedence over the global sign-in settings on the Authentication page for this user only. Click the button to confirm a change to the settings.

The Authentication Override settings might be used where SSO is the enforced sign-in method for an organization (all other options are disabled, globally), but an individual user requires a specific type of sign-in access – email/password only, for example.

Individual user sign-in methods that have been specified with the Override Authentication methods settings (as above) can be restored to their defaults with the Reset users overrides option in the Authentication methods section of the Authentication page. This will reset the individual sign-in settings for all users to the global authentication methods that are currently selected on the Authentication page.

If you find an issue, select the text/image and pressCtrl + Enterto send us your feedback.
Note

The features available depend on your Altium product access level. Compare features included in the various levels of Altium Designer Software Subscription and functionality delivered through applications provided by the Altium 365 platform.

If you don’t see a discussed feature in your software, contact Altium Sales to find out more.

Content