Enabling SSO with SAML
- Rumena Zlatkova (Deactivated)
- Bala Harish A(AC)
- Brian Guetzlaff
- Kyle Miller (Deactivated)
By implementing SAML, users can log in to Swarm browser components (Swarm UI and Content UI) using the exiting credentials from another source — which is known as single sign-on (SSO). SAML (Security Assertion Markup Language) is an open standard that allows identity providers (IdP) pass along authorization credentials to service providers (SP). The popularity stems from the all-around benefits:
User Friendly - SAML simplifies life for users with password elimination, fast logins, and automatically renewing sessions.
IT Friendly - SAML streamlines life for IT with centralized authentication, strong digital signatures, and easy directory integration.
With SAML integration, Content Gateway becomes a Service Provider in the authentication flow, interacting with the IdP to authenticate users. (v7.1)
Version Requirements
For SAML authentication support, upgrade to these or newer versions: Content Gateway 7.1, Content UI 7.0, and Swarm UI 3.0.
How SAML Works in Gateway
While the SAML 2.0 single sign-on (SSO) standard is broad and varied, this section covers only the aspects needed to achieve authentication with Gateway.
Gateway allows use of trusted third-party IdPs to authenticate interactive users for browser use. This is the process:
When a user accesses Swarm UI or Content UI in an unauthenticated browser session, Gateway redirects them to the login page for the identity provider (IdP).
The user authenticates with the IdP.
The IdP redirects back to Gateway with digitally signed proof (the assertion) of successful authentication on success.
Gateway decrypts the assertion, extracts user and group information, and generates a Swarm token.
Gateway redirects back to the original URL with a cookie that carries the token UUID for the rest of the browser session.
Swarm supports these SAML 2.0 bindings:
From Gateway to IdP: both SSO (sign-on) and SLO (log-out) via
HTTP-RedirectFrom IdP to Gateway: SSO assertions via
HTTP-POST, SLO responses viaHTTP-Redirect
Only these interactions are supported:
Signed and encrypted assertions from the IdP
Gateway-initiated requests
Verified Identity Providers
Gateway's SAML support has been verified with these leading IdPs. Following are features and differences found among them.
IdP | Features | Limitations |
|---|---|---|
| ||
|
| |
|
|
Configure the IDSYS with an empty URL for SLO if the IdP has incomplete Single Logout (SLO) support. Gateway deletes the token without contacting the IdP upon logout. A subsequent login may not require the user to enter credentials.
When Tokens Expire
Gateway creates a token with an expiring specified by the IdP in the Assertion if authentication with the IdP succeeds. Usually this defaults to 1440 minutes, which is one day.
Gateway falls back to the configured expiration, which is the [gateway] tokenTTLHours if it cannot determine when the session expires from the Assertion. This expiration defaults to one day.
Implementing SAML
As with other types of Gateway authentication (such as PAM and LDAP), a root IDSYS must exist but additional ones can be configured. Add an IDSYS for a specific domain or tenant if single sign-on is desired. See Gateway Identity System.
Best Practice
Select a strategy to guarantee super users can always gain access in case the SAML method is misconfigured or goes offline if implementing global SSO. These are two approaches:
Company-Wide Tenant for SSO - Assign super users to root-level PAM:
Root IDSYS: Using Linux PAM, define super users as Linux users on the Gateway servers.
Tenant IDSYS: Using SAML, enable SSO for all users under an organization-wide Content UI tenant (see step 4).
Swarm UI access: Grant storage admin access to additional users as needed from the root IDSYS.
Special Domain for Super Users - Assign super users to a domain-level PAM, and have them browse to the DNS host name that matches the storage domain where the PAM IDSYS resides:
Root IDSYS: Using SAML, enable SSO for all users via the root IDSYS (see step 3).
Domain IDSYS: Using Linux PAM, define super users as Linux users the Gateway servers.
Swarm UI access: Grant storage admin access to additional users as needed from the special domain.
The Gateway configuration and the setup required by the IdP need to be completed to enable SAML login capability. None of the Gateway-side configuration requires restarting of Gateway services.
In the administrative portal for the IdP, start setting up SAML to obtain the URLs and public/private keys needed for configuring Gateway.
Root SSO, if applicable:
Edit the root IDSYS and configure it for SAML. See IDSYS SAML Fields, below, and IDSYS Document Format.
Edit the root Policy and verify it grants the permissions needed.
See SAML Groups for ACL Policies, below, and help on the Policy Document.
Tenant/Domain SSO, if applicable: To have separate SSO for specific tenants or domains, complete that setup in the Content UI.
For each tenant or domain,Navigate to Properties (gear icon), and scroll to Identity Management.
See Setting Identity Management.Uncheck Inherited and from the Templates drop-list select SAML.
Configure the SAML. See IDSYS SAML Fields, below.
Obtain the attributes needed to complete the remainder of the setup with the identity provider.
Below the script area, under Identity Provider (IdP) Resources, click the links.
Open, copy, and store the Service Provider Attributes, which include the endpoints needed for assertions and logouts.
Download the XML file version to the right and use that if that service provider can import SAML metadata.
Open the Permissions tab and verify it grants the permissions needed.
See SAML Groups for ACL Policies, below, and Setting Permissions.
Back in the administrative portal for IdP, complete any remaining setup using the values and endpoints from Gateway.
Verify single sign-on is working as expected:
When a user browses to a storage domain, they see the normal login page unless that domain has a SAML IDSYS (inherited or explicit), which triggers the SAML login process.
Important: Gateway uses the IDSYS of the storage domain that matches the DNS host name in the URL.If the name they type includes a context suffix (jdoe+tenant or jdoe@domain), the applicable IDSYS is checked.
If a SAML login is triggered, the password field is disabled and the Login with SSO button takes them to the identity provider to complete login.
IDSYS SAML Fields
This is the streamlined template filled out to create an IDSYS for SAML in the Content UI, to apply to a tenant or domain. It has fewer fields because the Content UI generates the set of Service Provider ("sp*") fields automatically:
{
"saml": {
"cookieName": "token",
"tokenPath": "/.TOKEN/",
"entity": "Your root organization Service Provider entity ID.",
"idpEntityId": "The Identity Provider entity ID.",
"idpSsoUrl": "The Identity Provider Single-Sign-On (SSO) URL.",
"idpSloUrl": "The Identity Provider Single-Log-Out (SLO) URL, if applicable.",
"groupAttrName": "User attribute name where group information can be found, if applicable.",
"idpCert": ""
}
}This is a sample IDSYS.json configuration for authenticating via OneLogin, which shows the Service Provider ("sp*") fields:
{
"saml": {
"cookieName": "token",
"tokenPath": "/.TOKEN/",
"spEntityId": "https://atomic.com/caringo",
"spAcsUrl": "http://gw.atomic.com:8888/_admin/saml/login",
"spSloUrl": "http://gw.atomic.com:8888/_admin/saml/logout",
"idpEntityId": "https://app.onelogin.com/saml/metadata/9f23...b1cda",
"idpSsoUrl":"https://caringo.onelogin.com/trust/saml2/http-redirect/sso/9f2...cda",
"idpSloUrl":"https://caringo.onelogin.com/trust/saml2/http-redirect/slo/125...502",
"groupAttrName": "group1, group2",
"idpCert": "MIID3DCC...N8U8nVLp7Ka0="
"spPrivateKey": "---BEGIN PRIVATE KEY---\nMII...Yts=\n---END PRIVATE KEY---\n"
}
}This is how these fields are used and how they differ between a root IDSYS and one created through the Content UI:
All IDSYS Fields | Content UI Template | Source | |
|---|---|---|---|
cookieName | cookieName | The name of the cookie that carring the token UUID. | |
tokenPath | tokenPath | The URL used to create the Swarm token. | |
spEntityId | entity (used in final generated value) | For the IdP, identifies this particular SAML IDSYS instance. This must be a unique and valid URL. Each must be unique if multiple tenants and domains exist and Gateway is configured with multiple SAML IDSYS instances. Tip: The Content UI generates the final spEntityId value and guarantees uniqueness for the user. A single "entity" value may be reused across tenants and domains. | |
spAcsUrl | (generated) | After a successful login with the IdP, this is the redirect target, the URL where Gateway receives the Assertion. For any IDSYS other than the root, the URL path must include | |
spSloUrl | (generated) | After a successful logout from the IdP, this is the URL where Gateway expects a callback. For any IDSYS other than the root, the URL path must include | |
idpEntityId | idpEntityId | IdP | The unique ID of the IdP. This URL comes from the IdP during the administrative setup phase. |
idpSsoUrl | idpSsoUrl | IdP | Where Gateway redirects to initiate a login at the IdP. This information comes from the IdP during the administrative setup phase. Always choose |
idpSloUrl | idpSloUrl | IdP | Where Gateway redirects to initiate a logout at the IdP. This information comes from the IdP during the administrative setup phase. Always choose Leave this blank if the IdP does not support Single Logout (SLO). Gateway deletes the token without contacting the IdP upon logout. |
idpCert | idpCert | IdP | The IdP's X.509 public key certificate, encoded as Privacy-Enhanced Mail (PEM). This information comes from the IdP during the administrative setup phase. |
wantAssertionsEncrypted | Whether to encrypt the Assertion sent from the IdP. Enabling encryption requires certificates of public/private key configuration. Logins get this error if this is enabled but both parts of the key pair are not configure :
| ||
spPrivateKey | IdP | Required when encrypting Assertions. Set this to the private key for this SAML IDSYS instance. The IdP must be configured with the matching public key used to encrypt Assertions. The Gateway decrypts using this private key, implementing a trust relationship without the complexity of certificates. Both keys must be configured during the administrative setup phase. Keys must be in Public-Key Cryptography Standards (PKCS) #8 format. | |
groupAttrName | groupAttrName | IdP | (Optional) List of one or more names to be treated as user group attributes, based on groups maintained by the IdP. |
groupSeparator | IdP | Character that separates multiple group attribute names in the list. Defaults to comma. |
These fields are also supported in the IDSYS JSON config:
spCert
nameIdEncrypted
authRequestSigned
logoutRequestSigned
logoutResponseSigned
signMetadata
wantMessagesSigned
wantAssertionsSigned
wantNameIdEncrypted
SAML Groups for ACL Policies
To avoid having to name every user, Gateway authorization policies typically refer to groups. To skip manual maintenance of group membership, Gateway automatically assigns the SAML users to groups referenced in policies, and it also allows importing groups. These are the types of groups users can belong to:
Scope | Group Name | Group Examples | About this Group |
|---|---|---|---|
Global | SAMLUsers |
| Every user authenticated via SAML joins this default group. |
Domain | <domain> | Every user who shares the same jdoe@gmail.com belongs to group gmail.com. | |
Attribute | <attribute>
|
| Add attribute names to the Assertions to reference existing groups. Set the field When an Assertion includes attribute names, each name listed becomes a group that the user joins. For any group names in the form |
Group Support
All major IdPs discussed here (OneLogin, Okta, and Google) support groups via these custom attribute names.
Troubleshooting SAML
Edit the configuration to enable SAML-specific debugging:
Edit the global SAML properties file on the Gateway server.
Enable debug mode:
onelogin.saml2.debug = trueNo restart of the Gateway service is required; settings are reloaded for each login request.
Repeat these steps to disable debug level once debugging is finished.
Global SAML Properties
Gateway installs with a global SAML properties file that uses the open source toolkit from OneLogin, and it supports deployments to all IdPs. There is no need to use it except for troubleshooting with DataCore Support.
This is a version of the properties file with the comments trimmed out, so the settings it manages can be focused on :
Properties, Trimmed
onelogin.saml2.strict = true | These are rejected if enabled:
|
onelogin.saml2.debug = false | Debug mode allows error printing if enabled. Use only during troubleshooting. |
SP data | Service Provider Data being deployed |
|---|---|
[CONFIG] onelogin.saml2.sp.entityid = | Identifier of the SP (service provider) entity, which must be a URI. |
[CONFIG] onelogin.saml2.sp.assertion_consumer_service.url = | Specifies info about where and how the This is the URL location where the <Response> from the IdP return to Gateway. |
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | Specifies which SAML protocol binding to use when returning the For this endpoint, the Toolkit only supports the |
[CONFIG] onelogin.saml2.sp.single_logout_service.url = | Specifies where to return the |
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Specifies which SAML protocol binding to use when returning the <LogoutResponse> or sending the <LogoutRequest> message. For this endpoint, the Toolkit only supports the |
onelogin.saml2.sp.nameidformat = | Specifies constraints on the name identifier to be used to represent the requested subject. Gateway supports " |
[CONFIG] onelogin.saml2.sp.x509cert = | Usually the X.509 certificate and the private key of the SP are provided by files placed at the The private key requires
|
IdP data | Identity Provider Data to connect with our SP |
[CONFIG] onelogin.saml2.idp.entityid = | Identifier of the IdP entity (must be a URI) |
[CONFIG] onelogin.saml2.idp.single_sign_on_service.url = | SSO endpoint info of the IdP. (Authentication Request protocol) URL Target of the IdP where the SP sends the Authentication Request Message |
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | SAML protocol binding to be used when returning the <Response> message. For this endpoint, the Toolkit only supports the |
[CONFIG] | SLO endpoint info of the IdP. URL Location of the IdP where the SP sends the SLO Request |
[CONFIG] | (optional) SLO Response endpoint info of the IdP. URL Location of the IdP where the SP sends the SLO Response. The value for |
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | SAML protocol binding to be used when returning the <Response> message. For this endpoint, the Toolkit only supports the |
[CONFIG] onelogin.saml2.idp.x509cert = | Public X.509 certificate of the IdP. |
onelogin.saml2.idp.certfingerprint = onelogin.saml2.idp.certfingerprint_algorithm = sha1 | Use a fingerprint rather than use the whole X.509 certificate. Generate it with a command ( The certFingerprintAlgorithm is required to allow the toolkit to know which Algorithm was used if a fingerprint is provided. Possible values:
|
Security Settings | |
[CONFIG] | Whether the nameID of the <samlp:logoutRequest> sent by this SP is encrypted. |
[CONFIG] onelogin.saml2.security.authnrequest_signed = false | Whether the <samlp:AuthnRequest> messages sent by this SP are signed. The Metadata of the SP offers this information. |
[CONFIG] onelogin.saml2.security.logoutrequest_signed = false | Whether the <samlp:logoutRequest> messages sent by this SP are signed. |
[CONFIG] onelogin.saml2.security.logoutresponse_signed = false | Whether the <samlp:logoutResponse> messages sent by this SP are signed. |
[CONFIG] onelogin.saml2.security.want_messages_signed = false | Whether the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP must be signed. |
[CONFIG] onelogin.saml2.security.want_assertions_signed = false | Whether the <saml:Assertion> elements received by this SP must be signed. |
[CONFIG] onelogin.saml2.security.sign_metadata = | Whether the Metadata of this SP must be signed. Use either null (for not signing) or |
[CONFIG] onelogin.saml2.security.want_assertions_encrypted = false | Whether the Assertions received by this SP must be encrypted. |
[CONFIG] onelogin.saml2.security.want_nameid_encrypted = false | Whether the NameID received by this SP must be encrypted. |
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password | Authentication context. If empty, no AuthContext is sent in the AuthNRequest. Accepts one or more comma-separated values. |
onelogin.saml2.security.onelogin.saml2. | Allows the |
onelogin.saml2.security.want_xml_validation = true | Whether the SP validates all received XML. Required: |
onelogin.saml2.security.signature_algorithm = | Algorithm that the toolkit uses for the signing process. Options: |
Organization and Contacts | |
onelogin.saml2.organization.name = onelogin.saml2.contacts.technical.given_name = |
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.