MicroStrategy ONE

Enable Single Sign-On with SAML Authentication

Prerequisites

Workstation is deployed with standard authentication and the environment connection is established.

Enable Single Sign-On with SAML Authentication

For information on enabling SAML in Library, see Enable SAML Authentication for MicroStrategy Library.

  1. Open the Workstation window.
  2. In the Navigation pane, click Environments.
  3. Right-click an environment and choose Configure SAML under Configure Enterprise Security.
  4. In step 1, enter an Entity ID.

     It is common to use "DEV", "QA", or "PROD" in the ID to distinguish between environments.

  5. Expand the Advanced then General menu options and edit the Entity Base URL to match your server URL, if needed.
  6. Generate the Library SPMetadata file:
    1. Click Download next to the SP Metadata file.
    2. Send the metadata file to your network or security team and ask them to integrate SAML support. For more information on integrating SAML support with Azure AD, see Integrating SAML Support with Azure AD.
    3. Ensure your network or security team names the application the same value that you entered in the Entity ID field.
    4. Retrieve the resulting metadata file from your network or security team and rename the file to IDPMetadata.xml.
  7. In step 2 of the Configure SAML Workstation dialog, upload the IDP Metadata file.
  8. Click Complete Configuration.
  9. Close the Configure SAML dialog.
  10. Go to the Library Admin control panel and under Authentication Modes, select Standard and SAML.

     For more information on accessing the Library Admin control panel, see Library Administration Control Panel.

     To configure SAML as the default authentication mode for users, see Set Default Authentication for Library Web in Workstation.

  11. Restart Tomcat.
  12. Access Library and confirm that you can log in with SAML.
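
The following is an added example, not part of the MicroStrategy documentation: a check to run on the two metadata files exchanged in the procedure above (the downloaded SP metadata and the file returned as IDPMetadata.xml) before uploading. It assumes both files are standard SAML 2.0 metadata, that the SP file's entityID attribute carries the value of the Entity ID field, and that the SP endpoints sit under the Entity Base URL; the function names, hosts, paths and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_sp(sp_xml, entity_id, base_url):
    """Problems in the downloaded SP metadata, given the values entered in the dialog."""
    root, problems = ET.fromstring(sp_xml), []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != configured {entity_id!r}")
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for loc in (a.get("Location", "") for a in acs):
        if urlparse(loc).scheme != "https":
            problems.append(f"ACS endpoint is not https: {loc}")
        if not loc.startswith(base_url.rstrip("/") + "/"):
            problems.append(f"ACS endpoint outside Entity Base URL: {loc}")
    return problems

def check_idp(idp_xml):
    """Problems in the file about to be uploaded as IDPMetadata.xml."""
    idp = ET.fromstring(idp_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    certs = [k.findtext(".//ds:X509Certificate", "", NS).strip() for k in
             idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    problems = [] if any(certs) else ["no signing certificate to verify assertions with"]
    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not https: {s.get('Location')}"
                 for s in sso if urlparse(s.get("Location", "")).scheme != "https"]
    return problems

# Constructed sample files (hypothetical hosts and paths), not real exports.
SP_SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Library-DEV">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Location="http://bi.example.com/Library/saml/SSO"
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleSignOnService Location="https://idp.example.com/sso"
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
if __name__ == "__main__":
    print(check_sp(SP_SAMPLE, "Library-PROD", "https://bi.example.com/Library"), check_idp(IDP_SAMPLE))
```

An empty list from both functions means the files are consistent with what was entered in the dialog; each string otherwise names one mismatch to resolve with the network or security team before upload.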

Troubleshooting

If a user successfully logs in but does not have access to the Library content, ensure that the user group has the appropriate permissions.

Ensure the assertion attributes were correctly updated in the MstrSamlConfig.xml file as described in Integrating SAML Support with Azure AD. If they are not, you may need to manually edit the file.