IndoorAtlas supports OAuth2-based Single Sign-On (SSO) for customers who have their own identity providers. With SSO, users can log in to the IndoorAtlas web tool using their existing credentials in your organization's identity provider, for example Active Directory, and the credentials for the IndoorAtlas account need not be shared.
Configuring your identity provider
If you are using the OpenID Connect protocol, define a scope with title api://<your_client_id>/IndoorAtlas.
For both SSO options, create a group called IndoorAtlas and assign to it all users to whom you wish to grant access to your IndoorAtlas account.
Note: Currently we do not support role-based access control, and users logging in through your identity provider will have full access to your account.
Configuring your IA account
To configure your account for SSO, navigate to your account page in the IndoorAtlas web tool and open the Single Sign-On tab.
Choose which protocol your identity provider uses (OpenID Connect or the OAuth2 flow as realized in ADFS 2012).
Choose which page to open by default for remote logins. Options are the web tool landing page and the crowd density dashboard, the latter being available only for IndoorAtlas GroundSage users.
Enter your identity provider details. The required fields depend on the protocol used. For OpenID Connect:
- Authorization URL - This URL (often suffixed /oauth2/authorize) is the OAuth2 authorization URL of your identity provider which redirects the user to the login page
- OpenID Configuration URL - This is the publicly available OpenID configuration page of your identity provider
- Client ID - This is the OAuth2 client ID
For ADFS 2012:
- Authorization URL - OAuth2 authorization URL (redirects to your identity provider login), used to fetch the authorization code
- Token URL - Used by our authentication backend to fetch the access token using the authorization code
- AD FS Metadata URL - Publicly available AD FS federation metadata URL
- Client ID - The OAuth2 client ID
After the above configuration is submitted, a sign-on URL is generated and shown at the bottom of the page. This URL is of the form app.indooratlas.com/sso/<your_username> and can be used by people in your organization to access your IndoorAtlas account.
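A pre-flight check for the OpenID Connect fields listed above, as an added example that is not IndoorAtlas code: it compares the values you are about to enter with your provider's discovery document and builds the scope title to define. The function names, the idp.example.com URLs and the client ID are assumptions made for illustration; the discovery keys are the standard OpenID Connect Discovery metadata names.

```python
from urllib.parse import urlsplit

def indooratlas_scope(client_id):
    """Scope title to define in the identity provider for OpenID Connect."""
    return f"api://{client_id}/IndoorAtlas"

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)

def check_oidc_settings(authorization_url, openid_config_url, client_id, discovery):
    """Return a list of problems in the values about to be entered.

    discovery: the JSON served at the OpenID Configuration URL, parsed to a
    dict beforehand so that this check itself needs no network access.
    """
    problems = []
    if not is_https(authorization_url):
        problems.append("Authorization URL is not an absolute https URL")
    if not is_https(openid_config_url):
        problems.append("OpenID Configuration URL is not an absolute https URL")
    if not client_id or client_id != client_id.strip():
        problems.append("Client ID is empty or has surrounding whitespace")
    # Metadata that OpenID Connect Discovery requires every provider to publish.
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if not discovery.get(key):
            problems.append(f"discovery document lacks {key}")
    endpoint = discovery.get("authorization_endpoint")
    if endpoint and endpoint.rstrip("/") != authorization_url.rstrip("/"):
        problems.append("Authorization URL differs from authorization_endpoint")
    if discovery.get("jwks_uri") and not is_https(discovery["jwks_uri"]):
        problems.append("jwks_uri is not https")
    return problems

# Constructed sample values (idp.example.com and the client ID are placeholders).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
}

if __name__ == "__main__":
    cid = "00000000-0000-0000-0000-000000000000"
    print("scope to define:", indooratlas_scope(cid))
    print(check_oidc_settings("https://idp.example.com/oauth2/authorize",
          "https://idp.example.com/.well-known/openid-configuration",
          cid, SAMPLE_DISCOVERY) or "no problems found")
```

An empty result only means the entered values agree with the discovery document; membership of the IndoorAtlas group still decides who can reach the account.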