Single Sign-On Integration in the Reveal Cloud
The Reveal Cloud supports integration with single sign-on (SSO) through both SAML and OpenID Connect (OIDC) authentication methods. This integration allows organizations to control access to the Reveal application through their own identity provider, without requiring users to maintain separate credentials for Reveal.
SSO is currently supported for Reveal Review and Reveal AI. Integrated SSO support is currently under development within Brainspace. Reveal Processing is not supported by SSO at this time.
Steps for Integrating SSO
Reveal SSO integration occurs through the open source Identity and Access Management solution Keycloak. You can read more about Keycloak at https://www.keycloak.org. We also have some additional information about our integration with Keycloak at the following Reveal help site: https://help.revealdata.com/en/Single-Sign-On-Installation---Integration-Guide.html.
Request the SSO metadata file for Reveal from your customer success contact. You will need to state whether this will be for SAML or OIDC authentication.
Import the metadata file into your identity provider (IDP) to create a secure connection between Reveal and your organization.
Provide the URL of your SSO server to your Reveal customer success contact. Reveal’s Keycloak server needs this URL in order to authenticate user credentials.
SSO Workflow
After the connection between Reveal and your organization’s IDP is established, user accounts will need to be created and permissions assigned. Creating an initial SSO account will require the use of a local administrator account. After the first SSO account is created and administrative permissions assigned, all new users can be created with SSO credentials.
An SSO user will go to the unique URL for your environment (https://client.revealdata.com) and click on the link next to the credentials boxes referencing your organization’s SSO.
The user will be prompted to input their SSO credentials per your organization’s policy.
The user will be prompted to complete two-factor authentication.
The user will be asked to confirm their name and email address. This is the only personal information stored in Reveal’s IDP.
The user will receive a message indicating that they currently do not have access to any projects. This means the user was able to authenticate successfully and their account is now available for a Reveal administrator to grant access to one or more projects. Until access is specifically granted, the user will not be able to see any projects or documents within Reveal Review. Access to Reveal AI will be handled based on project permissions and will require no additional actions by an end user.