Category Archives: Security

Configuring Okta Single Sign-on


If you’re looking for a way to get started with securing your trees via Single Sign-on, you’ll first need an Identity Provider to manage your logins. Okta is a great service: it’s easy to set up, and very popular. This article will show you how to get Okta and Zingtree working together.

Set Up Overview

Configuring SSO requires Okta and Zingtree to share information with each other:

  1. Okta needs information about Zingtree.
  2. Zingtree needs information about your Okta.

Once you have Zingtree and Okta successfully working together, you can mark any of your trees as “SSO restricted” via the Zingtree Settings tool to require a login to get access.

For the setup, we recommend keeping two browser tabs open: one in Okta, and one in Zingtree.

Configuring Okta

To start, in the Zingtree top menu, go to Account, Single Sign-on. You’ll see the parameters (specific to your organization) to share with Okta: Zingtree’s Entity ID and Zingtree’s Login URL.

Let’s use this information to set up the Okta side:

  1. If you haven’t already created a free Okta account, do it now.
  2. Go to the Okta Dashboard.
  3. Click Add Applications under Shortcuts.
  4. Click Create New App.
  5. Choose SAML 2.0 as the sign-on method, and click Create.
  6. In the General Settings, give your application a name (like “Zingtree”), and click Next.
  7. Under SAML Settings, configure the application as follows. For the Single Sign-on URL, use Zingtree’s Login URL. For the Audience URI (SP Entity ID), use Zingtree’s Entity ID. Both values must match what Zingtree shows exactly, since the SAML response Okta sends is checked against them.

  8. Click Next to finish the SAML setup.

Configuring Zingtree

First, let’s get some information from Okta:

  1. In Okta, click Applications from the top menu, and go to Applications.
  2. Click the new Zingtree application we created.
  3. Click Sign on, then View Setup Instructions. Keep this page open in a browser tab.
  4. Now go back to the Zingtree tab, and click Edit Identity Provider Data.
  5. In Zingtree’s Entity ID field for the Identity Provider, enter the Okta Identity Provider Issuer.
  6. In Zingtree’s Login URL field for the Identity Provider, enter the Okta Identity Provider Single Sign-On URL.
  7. Copy the Okta X.509 certificate into the Zingtree certificate field. Zingtree uses this certificate to verify the signature on the SAML responses Okta sends, so copy it completely.
  8. Make sure Enable access restrictions on specified trees is checked in Zingtree.
  9. Click Save Identity Provider Settings.

Testing Your SSO Setup

Once you’ve set up your Identity Provider and Zingtree for SSO, you can test from Zingtree as follows:

  1. In Zingtree, go to Account, Single Sign-on.
  2. Click the orange Test Setup button at the lower right of the page.

From here, you can test logging into Okta from Zingtree. If you’re already logged in, the test will just return your email or other identifier from Okta. If you’re not yet logged in, the Okta login screen will appear, and you will be returned to the Zingtree SSO test page after logging in.

Enabling SSO on Your Trees

Once SSO is working properly from your test, you can restrict access to any tree as follows:

  1. Go to My Trees, and select the tree that you want to require SSO login.
  2. Click the Settings tool.
  3. Check Require Single Sign-on (SSO) Login to Access.
  4. Click Update Settings.

This process has been tested, but if you’re having trouble getting Okta and Zingtree working together, please let us know!

Single Sign-On for Zingtree Decision Trees


We’ve had several requests to incorporate Single Sign-on (SSO) into Zingtree, as a means of restricting access to trees. Many customers have sensitive corporate processes or procedures encapsulated in their trees, and ensuring these trees are accessible only to certain employees can be invaluable.

Single Sign-on is a service provided by many vendors, including Okta, Microsoft (Active Directory / Azure), Google (G Suite), Salesforce and more. These services are known as Identity Providers. A single login through an Identity Provider gives a user secure, authenticated access to applications provided by Service Providers like Zingtree.

Once you log in through your Identity Provider, you don’t need to re-enter your login credentials. SSO is a very convenient way to secure access to your applications, while not burdening end-users with extra hurdles.

Zingtree supports any service that is SAML 2.0 compliant, which is a common standard.

Set Up Overview

Configuring SSO requires your Identity Provider and Zingtree to share information with each other:

  1. Your Identity Provider needs information about Zingtree.
  2. Zingtree needs information about your Identity Provider.

SSO just needs to be set up once for your organization. Once you have Zingtree and your Identity Provider successfully working together, you can mark any of your trees as “SSO restricted” via the Settings tool to require a login to get access.

Configuring Zingtree for SSO

To start, in the Zingtree top menu, go to Account, Single Sign-on. You’ll see the parameters (specific to your organization) to share with your Identity Provider: Zingtree’s Entity ID and Zingtree’s Login URL.

Configure your Identity Provider with these parameters.

Next, click the blue button to Enter Identity Provider Data into Zingtree. On the screen that appears, enter the settings your Identity Provider publishes for Zingtree: its Entity ID (also called the Issuer), its Login URL (the Single Sign-On URL), and its signing certificate.

If you’re ready to test, make sure Enable access restrictions on specified trees is checked.

Click Save Identity Provider Settings when finished.

Testing Your SSO Setup

Once you’ve set up your Identity Provider and Zingtree for SSO, you can test from Zingtree as follows:

  1. In Zingtree, go to Account, Single Sign-on.
  2. Click the orange Test Setup button at the lower right of the page.

From here, you can test logging into your Identity Provider from Zingtree. If you’re already logged in, the test will just return your email or other identifier from your Identity Provider. If you’re not yet logged in, the Identity Provider’s login screen will appear, and you will be returned to the Zingtree SSO test page after logging in.

Enabling SSO on Your Trees

Once SSO is working properly from your test, you can restrict access to any tree as follows:

  1. Go to My Trees, and select the tree that you want to require SSO login.
  2. Click the Settings tool.
  3. Check Require Single Sign-on (SSO) Login to Access.
  4. Click Update Settings.

Release Notes

SSO has been tested with a variety of Identity Providers. If you’re having trouble configuring it with a specific service, please let us know!

How to Use Existing Login Credentials to Restrict Access to Decision Trees


Some of our customers have asked for an extra level of security for their trees, such that only people authenticated on a corporate intranet can access them. This article shows how it’s done, for ANY login system on ANY intranet.

Universally restricting access is accomplished by having an internal server fetch the tree via a server-side include, rather than having the user’s browser load it through code embedded in the page. This means that all accesses of the tree come from a single corporate IP address or range. Zingtree has an IP filtering option for any tree, so it’s easy to restrict access and use whatever authentication processes are already in place on the corporate intranet. Two things follow from this design: the restriction is only as strong as the login that protects the internal page (anyone who can reach that page can see the tree), and the server’s outbound IP address must be the stable one you put in the filter, not an address that changes.

The method described here can work with organizations using SSO (Single Sign On), or any other login system.

Here are the basics:

  1. Restrict access to your tree to just the IP address of your server(s). This is done via Zingtree’s Settings tool.
  2. Create a web page for the tree on your internal server. This page includes the necessary JS and CSS files to show the tree. Load your tree using a server-side call, instead of embedding it in an iFrame or linking to a URL hosted at Zingtree.com.

Examples

Here’s PHP source code for a simple server-side include.

See how this page appears.

Technical Details

The example above is written using PHP, but any server-side scripting language can be used. Our demo is a template into which the URL of a tree is loaded. This template contains all the CSS and JS files needed to display a functioning Zingtree decision tree.

Zingtree is built on top of Bootstrap 3, so the basic Bootstrap files are loaded.  There are a few custom controls as well included in the template.

You can swap out the PHP for Python, Ruby, Perl, or any other scripting language you choose.

Have any questions or comments about making your trees more secure? Talk to us!
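As an added example of the pattern described above in one of those other languages (this is not Zingtree’s PHP demo and not Zingtree’s code), here is the server-side include as a small Python WSGI application. The intranet’s existing authentication sits in front of it and identifies the user via REMOTE_USER (the convention Apache and nginx auth modules use); the application fetches the tree markup from Zingtree itself, so Zingtree’s IP filter only ever sees this server’s address, and wraps the markup in a page that loads the CSS and JS. The tree URL and asset URLs are placeholders for the ones from your own Zingtree account and the demo template, not real Zingtree endpoints.

```python
# Added example (not Zingtree's code): server-side include of a tree behind
# the intranet's own login, so that Zingtree's IP filter sees only this server.
import urllib.request
from html import escape

# Assumed placeholders: take the real values from your Zingtree account and
# from the demo template's list of CSS/JS files.
TREE_URL = "https://zingtree.example/tree/placeholder"
CSS_URLS = ["https://zingtree.example/css/bootstrap.min.css"]
JS_URLS = ["https://zingtree.example/js/bootstrap.min.js"]


def fetch_tree_html(url, timeout=10):
    """Fetch the tree markup from the server, not from the user's browser.
    This request is what Zingtree's IP filter sees, so it must leave via the
    address you allow-listed in the Settings tool."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def build_page(tree_html, title, css_urls=CSS_URLS, js_urls=JS_URLS):
    """Wrap the fetched markup in a page that loads the tree's CSS and JS."""
    links = "".join('<link rel="stylesheet" href="%s">' % escape(u, quote=True)
                    for u in css_urls)
    scripts = "".join('<script src="%s"></script>' % escape(u, quote=True)
                      for u in js_urls)
    return ('<!doctype html><html><head><meta charset="utf-8">'
            '<title>%s</title>%s</head>'
            '<body><div class="container">%s</div>%s</body></html>'
            % (escape(title), links, tree_html, scripts))


def make_app(fetch=fetch_tree_html, tree_url=TREE_URL):
    """Build the WSGI app. `fetch` is injectable so it can run offline."""
    def app(environ, start_response):
        # REMOTE_USER is set by the intranet auth in front of this app; if it
        # is absent the request never passed that login, so refuse it here
        # rather than trusting the IP filter alone.
        user = environ.get("REMOTE_USER")
        if not user:
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain; charset=utf-8")])
            return [b"Intranet login required."]
        try:
            tree_html = fetch(tree_url)
        except OSError:  # urllib.error.URLError is an OSError
            start_response("502 Bad Gateway",
                           [("Content-Type", "text/plain; charset=utf-8")])
            return [b"Could not load the tree from Zingtree."]
        body = build_page(tree_html, "Decision tree").encode("utf-8")
        # The tree is sensitive: keep proxies and browsers from caching it.
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Cache-Control", "no-store")])
        return [body]
    return app


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, make_app()).serve_forever()
```

Deploy it behind whatever already authenticates intranet users (the web server’s auth module, a reverse proxy fronting your SSO), since the 403 path is the only thing standing between an unauthenticated intranet visitor and the tree once the server’s IP is allow-listed.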