...
Info | ||
---|---|---|
| ||
Security Assertion Markup Language (SAML) |
...
allows users exchange authorization data between different parties, in particular, between an identity provider and a service provider. The Datameer X SAML Authenticator is designed to allow Datameer X to act as a Service Provider with a SAML SSO (Single Sign On) environment. This means that authentication and identity management happen externally to the Datameer X instance. These services are provided by an |
...
Identity Provider which authenticates end users and issue assertions containing subject and session information along with arbitrary attributes about the user. The SAML Authenticator plug-in exposes some extension points to allow customers to provide the appropriate Datameer X user details (group memberships, roles, username, email) based on the incoming assertion. |
Table of Contents |
---|
Requirements
Having an Authentication Repository
Info | ||
---|---|---|
| ||
The SAML authenticator requires an authentication repository that resolves the available users to your Datameer X instance. The SAML authentication repository should have a signed assertion signature, and the clocks between the authentication side and the Datameer X side need to be in sync. The authentication side sends an expiration time to their response token. If the clocks are not in sync, the token can be expired or invalid. |
...
Having the SDK Extension Implemented
Info | ||
---|---|---|
| ||
Note that you need to implement SAML SSO SDK Extensions to configure SAML authentication. |
Configuring a SAML
...
Authentication
To configure a SAML authentication:
- Click on the the "Admin tab > Authentication.
- Click Edit.
- Select RemoteAuthenticationSystem and choose SAML from the menu.
- Provide or provide the path to your IdP Metadata (which includes endpoint URLs, binding types, attributes, and security-policy information.)
- Enter the Uniform Resource Identifier (URI) from the Service Provider" tab and select "Authentication". The page 'Authentication' opens.
- Click "Edit". The authentication configuration page opens.
- Select "Remote Authentication System" and select "SAML Authenticator" from the drop-down.
- Click "Next".
- Select from where to load the metadata.
INFO: The documentation describes the case 'Load Metadata from File on the Datameer Server File System'.
INFO: You can upload a file, load the metadata from the Datameer X Server File System or load it from a HTTP URL.
- Enter the fully qualified URI of the Datameer server.
INFO: If needed, activate the checkbox "Load Balancer Mode" to enable SAML, if Datameer X is running behind a load balancer that terminates SSL/ TLS. If you are using a third-party single sign-on application, add add '/saml/SSO to ' to the end of the URI. Then fill in the KeyStore and Service Provider information.
Learn more about setting up a Java KeyStore in Datameer's Knowledge Base. - Select a Directory Service that you set up through the SAML SSO SDK Extensions.
- In the Users and Groups boxes, enter created user/groups for authentication permission.
- Select the user provider with which to authenticate.
- The advanced SSO options give administrators access control options for authentication.
- Caching is turned on automatically, but you can turn it off or edit the interval for caching on this screen. To turn off caching, click Edit and select an interval of 0.
-
- If using a KeyManager, enter the 'KeyStore Path', 'KeyStore Password', 'Service Provider Key Alias' and the 'Service Provider Key Passphrase'.
INFO: A KeyManager is needed when signing messages is enabled.
- Select the "Saml Ldap Authenticator Repository" as the directory service.
INFO: You can set up this directory service through the SAML SSO SDK Extensions.
- Enter the server URL and enter the username and password.
INFO: If needed, select "Use default user" instead to use the default user to connect to the server.
- Enter the search base query and the user definition query.
INFO: If needed, enter the filter query for the groups.
- If needed, define the pagination control.
- Enter the username attribute that defines a username and must be unique across all users.
- Enter the email attribute.
- If needed, enter the attributes for impersonation and/ or salt.
- Enter the attribute for group names.
- If needed, enter further group related attributes as well as group related fields, e.g. 'Virtual Group'.
INFO: The checkbox 'Mixed mode' is enabled by default and enables both internal user management as well as SAML. Having this disabled, the internal user management is disabled.
- View that the SAML attribute user provider is enabled.
- If needed, enable the checkbox "Use roles from Directory".
INFO: The roles for a user can be defined in the saml assertion or in the user directory. By default the roles comming with the saml assertion are used. In case these roles are not defined in saml, we can read these rules from the directory configured above.
- If needed, enter properties for the saml username, email, roles and groups assertion.
INFO: The default 'SAML Attribute User Provider' uses the following SAML attributes: 'datameer.user.name' as username, 'datameer.user.email' as email, 'datameer.user.groups' as list of groups and 'datameer.user.roles' as list of datameer roles.
- If needed, change the advanced SSO options to your needs.
INFO: They provide access control options for the authentication. - Confirm with "Save". The configuration is finished.
Enabling SAML Debugging
To enable debugging of SAML edit the the 'log4j-production.properties' file and add the following:
No Format |
---|
log4j.category.com.<package_name>=ERROR |
...
#openSAML |
...
log4j.category.org.opensaml=ERROR |
...
log4j.category.org.springframework.security.saml=ERROR |
...
log4j.category.org.springframework.security.web.authentication=ERROR |