Single Sign-On

How to sign users into Yurbi from your application with no second login — the standard answer to 'how do we do SSO?'

The short answer

We get asked constantly: how do we do single sign-on with Yurbi? For almost every integration the answer is the session-token flow — you already authenticate the user in your own app, so:

1. Call DoLogin to get a session token.
2. Use that token to either send the user into the full Yurbi interface, or embed a specific dashboard or report in your app.

No separate Yurbi login screen, no extra credentials for the user.

Want your identity provider (e.g. Microsoft Entra ID) to authenticate users and have Yurbi log them in automatically — without your app calling DoLogin? That's a special case: see Header-based SSO (advanced). Most integrations don't need it.

1. Get a session token

Call DoLogin (do this server-side so credentials are never exposed in the browser):

curl -X POST "https://your-yurbi-server.com/api/login/DoLogin" \
  -H "Content-Type: application/json" \
  -d '{ "bolForceLogin": true, "isGuest": false, "UserId": "user", "UserPassword": "password" }'

The token comes back in LoginSession.SessionToken. (For more on tokens, see Authentication & sessions.)

2. Option A — Sign users into the full Yurbi interface

Append the token to sso.html and the user lands inside Yurbi, already signed in. By default they land on the Dashboard; add h to choose a starting view:

Dashboard (default):  https://your-yurbi-server.com/sso.html?s={sessionToken}
Library:              https://your-yurbi-server.com/sso.html?s={sessionToken}&h=1
Builder:              https://your-yurbi-server.com/sso.html?s={sessionToken}&h=2

Use this as the target of a button or redirect in your app. (Path shown is Linux/Docker; on a default Windows install use /yurbi/sso.html, and with the IIS root web configured it's /sso.html — see Platform paths.)

3. Option B — Embed specific content

Use the same token to drop a single dashboard or report into your own page via an iframe:

https://your-yurbi-server.com/embed.html?t=d&i={dashboardId}&s={sessionToken}

The Embedding guide covers this in full — finding IDs, iframes, and report prompts.

4. Keep the session alive

A token expires at its SessionExpir time. For a long-lived session or embed, call RefreshSession before it expires to extend it, and CheckSession to test validity.

Endpoints used

• DoLogin — mint the token
• RefreshSession — keep it alive
• CheckSession — validate it