Authentication
To authenticate users in SEI, you must configure an authentication provider and map users to that provider. Before you start, make sure that SEI has been registered with your authentication provider to obtain the parameters required for OAuth or SAML2 protocols.
Enable Login Settings to activate authentication with an external provider. You can then configure one or more providers under the Security section.
| Protocol | Description |
|---|---|
| OAuth | Supports authentication via OAuth 2.0, which lets users sign in with credentials managed by an external identity provider. |
| SAML2 | Supports authentication using SAML 2.0, enabling integration with identity providers such as Microsoft Azure, Okta and OneLogin. |
Add a provider
- From the navigation panel, click the gear icon at the bottom. The Administration page opens.
- Select Security, then Authentication.
- Click the + icon to add a new provider.
- Select the protocol: OAuth or SAML2.
- Click Create.
The new provider appears in the Providers list and opens an empty form for configuration.
- Under the General tab, fill in the required fields.
- Click Save.
- Select the Users tab, click the + icon, and map SEI users to the new provider. Select all applicable users and click Add.
The selected users appear in the Users list.
- Click Save.
If a user is not listed, or the mapping values are not set correctly, that user cannot log in to SEI.
General tab
OAuth general properties
| Field | Description |
|---|---|
| Activate | Toggle to make the provider available on the login page. When enabled, a new button appears for users under External Accounts. |
| Description | Specify the label shown for the provider on the login page. Change from the default New Provider to something meaningful for your users. |
| Client ID | Enter the unique public identifier provided by the authorization server. |
| Client Secret | Enter the secret assigned by the authorization server. This value is hidden after saving for security. |
| Discovery Endpoint | (Optional) Enter the endpoint to auto-populate OAuth fields from the provider’s metadata (/.well-known/openid-configuration). After you fill this, click Discover to fetch Authorization, Token, and User Info endpoints, and load available scopes and claims. |
| Authorization Endpoint | Enter the URL where users are redirected to authenticate (/authorize). |
| Token Endpoint | Enter the URL used to obtain access tokens (/token). |
| Scope | Define permission scopes for the Web Server. Typical values are openid, email, offline_access, but required scopes depend on your provider. |
| Redirect URLs | List the URLs for the Web Server and Excel Add-in to which the authentication server redirects after login. For Excel Add-in, specify the correct local port. |
| User Info Endpoint | Enter the URL to retrieve user profile information (/userinfo). |
| User Identifier | Enter the claim, such as email, used to map external users to SEI users. |
| Prompt | Specify the authentication prompt behavior. Options include: |
| Force reauthentication | Enable to require users to re-enter credentials each time or after a set period (in seconds). For example, delay 0 requires credentials every time; 21600 requires every 6 hours. Maximum value is 86400 seconds. Not all providers support this. |
| Allow remember me | Enable to let browsers remember authentication and keep users signed in. |
For an example, see OAuth Example.
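The Discover step described above reads the provider's /.well-known/openid-configuration document and fills in the Authorization, Token, and User Info endpoints. The following added example (not SEI code, and not from any particular provider) parses a constructed discovery document and then checks the General tab values against it: that the requested scopes are advertised by the provider, that the User Identifier claim is one the provider says it returns, that the Force reauthentication delay is within 0 to 86400 seconds, and, as an extra hardening check assumed here rather than stated on the page, that every endpoint uses https. The document contents, the example.com issuer and the function names are all constructed.

```python
import json

# Constructed sample of a provider's /.well-known/openid-configuration document.
# Field names follow OpenID Connect Discovery; the values are made up for this example.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "claims_supported": ["sub", "email", "name"],
})

# Upper bound for the Force reauthentication delay, as documented for the General tab.
MAX_REAUTH_DELAY = 86400


def discover(doc_text):
    """Mimic the Discover button: pull the endpoints and capabilities the form needs."""
    doc = json.loads(doc_text)
    required = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"discovery document is missing: {missing}")
    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "userinfo_endpoint": doc["userinfo_endpoint"],
        # Both lists are optional in the spec; treat an absent list as "unknown".
        "scopes_supported": set(doc.get("scopes_supported", [])) or None,
        "claims_supported": set(doc.get("claims_supported", [])) or None,
    }


def check_provider_settings(discovered, scope, user_identifier, reauth_delay):
    """Return a list of problems with the General tab values; an empty list means OK."""
    problems = []

    # Every endpoint the browser or server will be sent to should be https.
    for name in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if not discovered[name].startswith("https://"):
            problems.append(f"{name} is not https: {discovered[name]}")

    # Scope is a space-separated list; flag anything the provider does not advertise.
    requested = scope.split()
    if discovered["scopes_supported"] is not None:
        unsupported = [s for s in requested if s not in discovered["scopes_supported"]]
        if unsupported:
            problems.append(f"scopes not advertised by provider: {unsupported}")

    # The User Identifier must be a claim the provider actually returns,
    # otherwise no user can be mapped and every login fails.
    if discovered["claims_supported"] is not None:
        if user_identifier not in discovered["claims_supported"]:
            problems.append(f"user identifier claim not advertised: {user_identifier}")

    # 0 means credentials on every login; anything above the maximum is rejected.
    if not 0 <= reauth_delay <= MAX_REAUTH_DELAY:
        problems.append(
            f"reauthentication delay {reauth_delay} outside 0..{MAX_REAUTH_DELAY} seconds"
        )
    return problems


if __name__ == "__main__":
    settings = discover(DISCOVERY_DOC)
    print("discovered:", settings["token_endpoint"])
    for problem in check_provider_settings(settings, "openid email groups", "upn", 90000):
        print("problem:", problem)
```

Run against the constructed document, a scope of `openid email`, the claim `email` and a delay of 21600 passes cleanly; asking for a scope or claim the provider does not list, or a delay above 86400, is reported before anyone tries to log in.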
SAML2 general properties
| Field | Description |
|---|---|
| Activate | Toggle to make the SAML2 provider available on the login page. When enabled, a new button appears under External Accounts. |
| Description | Specify the label shown for the provider on the login page. Change from the default New Provider to something meaningful for your users. |
| Discovery Endpoint | (Optional) Specify the endpoint to auto-populate SAML2 fields using provider metadata. Click Discover to retrieve and fill Provider Entity ID, Provider Login Endpoint, and Provider Logout Endpoint. |
| Entity ID | Enter the unique identifier for SEI. Must match the Identifier (Entity ID) or Audience URI used in your SAML2 provider (e.g., Azure or Okta). This field is auto-filled if available. |
| Provider Entity ID | Enter the Application ID provided by the SAML2 provider. This identifies which app is used to connect to SEI. Must match the Azure ID Identifier or Okta ID Provider Issuer. This field can be auto-filled by Discover. |
| Provider Login Endpoint | Enter the login URL from your SAML2 provider (matches Azure/Okta configuration). Can be auto-filled by Discover. |
| Provider Logout Endpoint | (Optional) If provided, users are logged out from both SEI and the SAML2 provider. Can be auto-filled by Discover. |
| Saml2 ACS URL | Specify the Reply URL that redirects users back to the Web Server or Excel Add-in after a successful login. Must match the SAML2 provider’s Reply URL/Assertion Consumer URL. Auto-filled for Web Server. For Excel Add-in, specify the correct local port. |
| Logout URL | (Optional) Reply URL that redirects users to the login page after logging out. Unlike Provider Logout Endpoint, the SAML2 provider session remains active. Auto-filled for Web Server. |
| Certificate | Upload the SAML2 certificate (must use SHA-256). Drag and drop the file created/downloaded from Azure or Okta. |
| User Identifier | Enter the user claim used for mapping (such as email). This determines which value from the SAML2 response maps to the SEI user. |
| Force reauthentication | Enable to require users to re-enter credentials each time or after a set period (in seconds). For example, delay 0 requires credentials every time; 21600 requires every 6 hours. Maximum value is 86400 seconds. Not all providers support this. |
| Allow remember me | Enable to let browsers remember authentication and keep users signed in. |
For an example, see SAML2 Example.
Users tab
In the Users tab, you can map, manage, and review SEI users whose login credentials are validated by the authentication provider. Use this area to ensure user identifiers are correct for successful authentication. For user creation instructions, see Users.
| Field | Description |
|---|---|
| Username | Displays the SEI username used to log in. |
| Name | Displays the SEI user's display name associated with the username. |
| Email | Displays the SEI user's email address. |
| User Identifier | Specifies the value expected from the OAuth or SAML2 provider for user mapping. This is the only editable field. For example, if the User Identifier claim (set under the General tab) is email, enter the user's email address that the provider will return for the claim. |
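The mapping in the Users tab, together with the User Identifier claim from the General tab, decides whether a provider response resolves to exactly one SEI user. The added example below is not SEI code; it models a constructed Users list and shows the resolution rule and its failure modes: a blank User Identifier, a value that differs from what the provider returns (here a letter-case difference, assuming an exact comparison, which the page does not specify), and two users sharing one identifier. It accepts the claim value either as a string (OAuth userinfo) or as a single-element list (the shape SAML2 attribute statements are commonly delivered in). The `audit_mappings` check is a pre-flight the example adds to catch such rows before users hit the login page.

```python
# Constructed SEI Users tab contents: username, name, email and the editable
# User Identifier value expected from the provider. Not real accounts.
SEI_USERS = [
    {"username": "asmith", "name": "Alice Smith",
     "email": "alice.smith@example.com", "user_identifier": "alice.smith@example.com"},
    {"username": "bjones", "name": "Bob Jones",
     "email": "bob.jones@example.com", "user_identifier": "Bob.Jones@example.com"},  # case differs
    {"username": "cwu", "name": "Chen Wu",
     "email": "chen.wu@example.com", "user_identifier": ""},  # never set
    {"username": "dlee", "name": "Dana Lee",
     "email": "dana.lee@example.com", "user_identifier": "shared@example.com"},
    {"username": "elee", "name": "Eli Lee",
     "email": "eli.lee@example.com", "user_identifier": "shared@example.com"},  # duplicate
]


def _claim_value(claims, identifier_claim):
    """Extract the identifier from an OAuth userinfo dict or SAML2 attribute dict."""
    value = claims.get(identifier_claim)
    if isinstance(value, list):
        # SAML attributes arrive as lists; only a single, unambiguous value is usable.
        if len(value) != 1:
            return None
        value = value[0]
    if not isinstance(value, str) or not value.strip():
        return None
    return value


def resolve_user(claims, identifier_claim, users=SEI_USERS):
    """Return the SEI username for a provider response, or None when login is refused."""
    value = _claim_value(claims, identifier_claim)
    if value is None:
        return None  # claim missing or empty: nothing to match on
    matches = [u for u in users if u["user_identifier"] and u["user_identifier"] == value]
    if len(matches) != 1:
        return None  # zero matches: unmapped user; several: ambiguous mapping, refuse
    return matches[0]["username"]


def audit_mappings(users=SEI_USERS, identifier_claim="email"):
    """List rows an administrator should review before enabling the provider."""
    findings = []
    seen = {}
    for u in users:
        ident = u["user_identifier"]
        if not ident:
            findings.append((u["username"], "user identifier not set"))
            continue
        # When the claim is email, a mismatch with the SEI email is a likely typo.
        if identifier_claim == "email" and ident != u["email"]:
            findings.append((u["username"], f"identifier {ident!r} differs from email"))
        if ident in seen:
            findings.append((u["username"], f"identifier shared with {seen[ident]}"))
        seen.setdefault(ident, u["username"])
    return findings


if __name__ == "__main__":
    print(resolve_user({"email": "alice.smith@example.com"}, "email"))
    print(resolve_user({"email": ["bob.jones@example.com"]}, "email"))
    for username, reason in audit_mappings():
        print(f"{username}: {reason}")
```

Only Alice resolves; Bob's row differs in letter case from the value his provider returns, Chen's is blank, and Dana and Eli collide, so all four are refused at login and all four are listed by the audit.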