Enabling SAML authentication for Unravel Web UI
To use SAML you must configure both your Unravel Host and SAML server.
Configure Unravel host
Stop Unravel
<Unravel installation directory>/unravel/manager stop
Set the following properties:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode saml
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.saml.config </path/to/saml.json>
Note
For more SAML Authentication properties, see SAML properties.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Edit the saml.json file. The following is a sample saml.json file. JSON does not allow comments, so the annotations are given here instead: the cert value is generated by the SAML host, and the privateCert value is generated on the Unravel node.
{
  "entryPoint": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
  "issuer": "localhost",
  "logoutUrl": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
  "cert": "MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
  "privateCert": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUkoW\nG9QDHUBnY7S/iS/+u2BjPZqUG2JktzYZl30J05zA6i642i2VDn8eUIPHqt2Hw249\nZ3nHKL4YnBVqa3yTfEkdMB/6GSAkoCbnufaD3IsGcFJnlW5raDiT/GZMy+1WnDfJ\npB0/.......vD8kRkcmEi9t3KLmKVy3SO15/YHAhLxP9oTnTFGkPnIqZLRM0Y55UfwbRSZDlgH/\ny9GGmsV5IaIwhepuALJMdkHp\n-----END PRIVATE KEY-----\n",
  "unravel_mapping": {
    "username": "userid",
    "groups": "ds_groups"
  }
}
Property | Description | Req | Example Values |
---|---|---|---|
entryPoint | Identity provider entry point, i.e. the Ping IdP address (SSO URL). Note: the identity provider entry point must be spec-compliant when the request is signed. | Yes | "http://myHost:9080/simplesaml/saml2/idp/SSOService.php" |
issuer | Name of the app that will connect to the SAML server. Issuer string supplied to the identity provider (environment name); it must match the name configured in the IdP. | Yes | "unravel-myHost" |
cert | The IdP's public cert, used to validate the auth response signature. Note: retrieve this from the SAML host. | Yes | IdP cert string |
logoutUrl | Base address to call with logout requests. Default: entryPoint | No | "http://myHost:9080/simplesaml/saml2/idp/SingleLogoutService.php" |
logoutEnabled | If true, logs you out from every app. | No | false |
unravel_mapping | Mapping of SAML auth response attributes to Unravel attributes. | Yes | { "username":"userid", "groups":"ds_groups" } |
privateCert | Unravel private cert string, used to sign auth requests. | No | Unravel cert string |
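The table above makes a few mistakes easy: a required key left out, the "//" annotations from the sample left in the JSON, a cert pasted with its PEM header lines, or an incomplete unravel_mapping. The following validator is an added example, not Unravel's own code; it assumes the property set is exactly the one listed above and that cert holds the base64 body of the IdP's DER certificate, as in the sample.

```python
import base64
import json

REQUIRED = ("entryPoint", "issuer", "cert", "unravel_mapping")  # per the table above

def validate_saml_config(text):
    """Check saml.json text; return (errors, warnings) as two lists of strings."""
    errors, warnings = [], []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # JSON has no comment syntax, so "// ..." annotations break parsing.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], warnings
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"], warnings
    errors += [f"missing required property '{k}'" for k in REQUIRED if k not in cfg]
    for key in ("entryPoint", "logoutUrl"):
        url = str(cfg.get(key, ""))
        if key in cfg and not url.startswith(("http://", "https://")):
            errors.append(f"'{key}' must be an http(s) URL")
        elif url.startswith("http://"):
            warnings.append(f"'{key}' uses plain http; SAML messages should travel over https")
    if "cert" in cfg:
        try:  # assumption: cert is the base64 body of the IdP's DER certificate
            der = base64.b64decode(cfg["cert"], validate=True)
            if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
                errors.append("'cert' is not a DER certificate (paste only the base64 body)")
        except (ValueError, TypeError):
            errors.append("'cert' is not valid base64 (no PEM header lines, no whitespace)")
    if "privateCert" in cfg:
        pem = str(cfg["privateCert"])
        if not (pem.startswith("-----BEGIN") and "-----END" in pem):
            errors.append("'privateCert' must be a full PEM block with BEGIN/END lines")
    else:
        warnings.append("no 'privateCert': authentication requests will not be signed")
    mapping = cfg.get("unravel_mapping")
    if isinstance(mapping, dict):
        errors += [f"'unravel_mapping.{a}' is missing or empty"
                   for a in ("username", "groups") if not mapping.get(a)]
    if "logoutUrl" not in cfg:
        warnings.append("no 'logoutUrl': logout requests default to entryPoint")
    return errors, warnings

# Constructed sample with a fake DER-shaped cert; no real key material.
SAMPLE_CONFIG = json.dumps({
    "entryPoint": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
    "issuer": "unravel-myHost", "cert": base64.b64encode(b"\x30\x82\x01\x00\x00\x00").decode(),
    "unravel_mapping": {"username": "userid", "groups": "ds_groups"},
})
```

Run it on your real saml.json before `manager config apply`; errors mean the login mode will not work, warnings point at settings worth reviewing.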
For Ping, the IdP certificate can be obtained as follows:
In the Server Configuration section, select Certificate Management and Digital Signing & XML Decryption Keys & Certificates.
Click Export for the IdP certificate that you require.
Select Certificate Only and click Next.
Click Export, and save the file.
Start Unravel
<Unravel installation directory>/unravel/manager start
Configure SAML server
Configure the following properties on the SAML server. Replace UNRAVEL_HOST with the fully qualified domain name or IP address of your Unravel host.
Property | Description | Req | PingFederate Specific configuration |
---|---|---|---|
AssertionConsumerService / ACS Url | | Yes | |
Entity Identifier | unravel-Congo24 | Yes | Should be the same as the issuer in |
Single Logout Endpoint | | | |
Single Logout Response Endpoint | | No | |
Note
To use SAML with RBAC see Configure LDAP or SAML RBAC Properties.
SAML
These properties are required when com.unraveldata.login.mode=saml.