IndoorAtlas supports OAuth2-based Single Sign-On (SSO) for customers who have their own identity providers. With SSO, users can log in to the IndoorAtlas web tool using their existing credentials in your organization's identity provider, for example Active Directory, and the credentials for the IndoorAtlas account need not be shared.

We support the OpenID Connect protocol, and the OAuth2-based authentication available in AD FS 2012 (see here).

Configuring SSO

Configuring your identity provider

If you are using the OpenID Connect protocol, define a scope with title api://<your_client_id>/IndoorAtlas.

For both SSO options, create a group called IndoorAtlas and assign to this group all users to whom you wish to grant access to your IndoorAtlas account.

Note: Currently we do not support role-based access control, and users logging in through your identity provider will have full access to your account.

Configuring your IA account

To configure your account for SSO, navigate to your account page in the IndoorAtlas web tool and open the Single Sign-On tab.

Choose which protocol your identity provider uses (OpenID Connect or the OAuth2 flow as realized in ADFS 2012).

Choose which page to open by default for remote logins. Options are the web tool landing page and the crowd density dashboard, the latter being available only for IndoorAtlas GroundSage users.

Enter your identity provider details. The required fields depend on the protocol used. For OpenID Connect:

  • Authorization URL - This URL (often suffixed /oauth2/authorize) is the OAuth2 authorization URL of your identity provider which redirects the user to the login page
  • OpenID Configuration URL - This is the publicly available OpenID configuration page of your identity provider
  • Client ID - This is the OAuth2 client ID

For ADFS 2012:

  • Authorization URL - OAuth2 authorization URL (redirects to your identity provider login), used to fetch the authorization code
  • Token URL - Used by our authentication backend to fetch an access token using the authorization code
  • AD FS Metadata URL - Publicly available AD FS federation metadata URL
  • Client ID - The OAuth2 client ID

After the above configuration is submitted, a sign-on URL is generated and shown at the bottom of the page. This URL is of the form<your_username> and can be used by people in your organization to access your IndoorAtlas account.
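
Before submitting the OpenID Connect fields listed above, the values can be cross-checked against the discovery document served at the OpenID Configuration URL. The following Python check is an added example, not IndoorAtlas code: the function names, the idp.example.com URLs and the sample document are constructed, and the discovery field names (issuer, authorization_endpoint, jwks_uri) come from the OpenID Connect Discovery specification.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what an OpenID Configuration URL returns (hypothetical IdP).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/tenant1",
  "authorization_endpoint": "https://idp.example.com/tenant1/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/tenant1/oauth2/token",
  "jwks_uri": "https://idp.example.com/tenant1/keys"
}""")


def required_scope(client_id):
    # Scope title the page asks you to define in the identity provider.
    return f"api://{client_id}/IndoorAtlas"


def check_oidc_settings(authorization_url, config_url, client_id, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, url in (("Authorization URL", authorization_url),
                      ("OpenID Configuration URL", config_url)):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} must be an absolute https URL")
    if not client_id or client_id != client_id.strip():
        problems.append("Client ID is empty or has surrounding whitespace")
    # Discovery spec: the document is served under the issuer it declares.
    issuer = discovery.get("issuer", "")
    expected = issuer.rstrip("/") + "/.well-known/openid-configuration"
    if config_url != expected:
        problems.append("OpenID Configuration URL does not belong to the declared issuer")
    # A mismatch here would send users to a login page other than the IdP's own.
    if discovery.get("authorization_endpoint") != authorization_url:
        problems.append("Authorization URL differs from the discovery authorization_endpoint")
    if not discovery.get("jwks_uri", "").startswith("https://"):
        problems.append("Discovery document has no https jwks_uri for signature checks")
    return problems


if __name__ == "__main__":
    print(required_scope("abc123"))
    print(check_oidc_settings(
        "https://idp.example.com/tenant1/oauth2/authorize",
        "https://idp.example.com/tenant1/.well-known/openid-configuration",
        "abc123", SAMPLE_DISCOVERY))
```

In practice the discovery document would be fetched from the OpenID Configuration URL and passed in place of the constructed sample.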