Enabling SAML authentication for Unravel Web UI
To use SAML, you must configure both the Unravel host and the SAML server (identity provider).
Configure Unravel host
Stop Unravel
<Unravel installation directory>/unravel/manager stop
Set the following properties (two separate commands):
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode saml
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.saml.config </absolute_path/saml.json>
Warning
You must specify the absolute path to the saml.json file. A relative path causes an exception.
Note
For more SAML authentication properties, see SAML properties.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Edit the saml.json file. The following is a sample saml.json file:
{
  "entryPoint": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
  "issuer": "localhost",
  "logoutUrl": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
  "callbackUrl": "https://congo51.unraveldata.com:3000/saml/consume",
  "cert": "MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
  ...
}
Property | Description | Req | Example Values |
---|---|---|---|
entryPoint | Identity provider entry point (SSO URL), for example the Ping IdP address. Note: the entry point must be spec-compliant when the request is signed. | Yes | http://myHost:9080/simplesaml/saml2/idp/SSOService.php |
issuer | Name of the application that connects to the SAML server: the issuer string supplied to the identity provider (environment name). It must match the name configured in the IdP. | Yes | localhost |
cert | The IdP's public certificate, used to validate the signature on the authentication response. Retrieve it from the SAML host. The encoding must be base64 without comment lines. Important: remove the BEGIN CERTIFICATE and END CERTIFICATE lines and specify the certificate on a single line. Example: MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W== | Yes | IdP cert string |
logoutUrl | Base address to call with logout requests. Default: entryPoint | No | http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php |
callbackUrl | The same value as the AssertionConsumerService URL configured in the SAML server. Add this property only when HTTPS is used. | No | https://congo51.unraveldata.com:3000/saml/consume |
unravel_mapping | (Optional) Mapping of SAML auth response attributes to Unravel attributes. | Yes | { "username":"userid", "groups":"ds_groups" } |
privateCert | Unravel private key string used to sign authentication requests. The Unravel node generates this string. The encoding must be base64 without comment lines. Important: you must escape the newlines. Example: -----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUko\ny9GGmsV5IaIwhepuALJMdkHp ... \n-----END PRIVATE KEY-----\n | No | Unravel cert string |
For Ping (PingFederate), you can export the IdP certificate as follows:
In the Server Configuration section, select Certificate Management, then Digital Signing & XML Decryption Keys & Certificates.
Click Export next to the IdP certificate that you require.
Select Certificate Only and click Next.
Click Export and save the file.
Start Unravel
<Unravel installation directory>/unravel/manager start
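As an added example (this is not Unravel's own code or tooling, and the function names are assumptions), the following Python script does the hand work this procedure describes and checks a saml.json before you point com.unraveldata.login.saml.config at it: it strips the BEGIN/END lines from an exported IdP certificate and joins the base64 onto one line for "cert", keeps a signing key in PEM form so that json.dump writes it with escaped newlines for "privateCert", refuses a relative path, checks that callbackUrl is HTTPS, and lists the two values that must match on the IdP side (Entity Identifier = issuer, ACS URL = callbackUrl). The sample certificate PEM is constructed (its body is a minimal DER SEQUENCE, not a real certificate); the sample configuration reuses the values from the page.

```python
"""Build and sanity-check an Unravel saml.json before applying it.

Added example: these helpers are not part of Unravel; the function names
are assumptions. Only the Python standard library is used.
"""
import base64
import binascii
import json
import os
import re
import tempfile
from urllib.parse import urlparse

# PEM armor lines; these must NOT appear in the "cert" value.
PEM_ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")

# Constructed sample: the body decodes to a DER SEQUENCE (0x30 ...), which is
# enough for the format checks below. It is not a real certificate.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMC\n"
    "AQE=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_body_single_line(pem_text: str) -> str:
    """Return the base64 body of a PEM certificate on one line, with the
    BEGIN/END lines and all whitespace removed, as the "cert" key requires."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not PEM_ARMOR.match(line.strip())
    )
    # validate=True rejects stray characters; an X.509 cert is a DER SEQUENCE.
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("cert body is not a DER-encoded certificate")
    return body


def normalize_private_key_pem(pem_text: str) -> str:
    """Keep the signing key as PEM (armor lines included, as in the page's
    example) with one newline per line; json.dump escapes each newline to \\n,
    which is the escaped form privateCert expects in the file."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("privateCert is not a PEM-encoded key")
    return "\n".join(lines) + "\n"


def validate_saml_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    for key in ("entryPoint", "issuer", "cert"):
        if not cfg.get(key):
            problems.append(f"missing required key: {key}")
    cert = cfg.get("cert") or ""
    if "CERTIFICATE" in cert or "\n" in cert:
        problems.append("cert must be one base64 line without BEGIN/END lines")
    elif cert:
        try:
            pem_body_single_line(cert)
        except (ValueError, binascii.Error):
            problems.append("cert is not valid base64 DER")
    callback = cfg.get("callbackUrl")
    if callback and urlparse(callback).scheme != "https":
        problems.append("callbackUrl is only used with HTTPS")
    signing_key = cfg.get("privateCert")
    if signing_key and "-----BEGIN" not in signing_key:
        problems.append("privateCert should be the PEM key with escaped newlines")
    return problems


def idp_side_values(cfg: dict) -> dict:
    """Values to enter on the SAML server: the SP Entity Identifier must equal
    issuer and the AssertionConsumerService URL must equal callbackUrl."""
    return {
        "Entity Identifier": cfg["issuer"],
        "AssertionConsumerService URL": cfg.get("callbackUrl"),
    }


def write_saml_json(path: str, cfg: dict) -> str:
    """Write saml.json, refusing a relative path (Unravel requires an absolute
    one) and any config that fails validate_saml_config."""
    if not os.path.isabs(path):
        raise ValueError("com.unraveldata.login.saml.config needs an absolute path")
    problems = validate_saml_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    return path


# Sample configuration built from the page's own example values.
SAMPLE_CONFIG = {
    "entryPoint": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
    "issuer": "localhost",
    "logoutUrl": "http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
    "callbackUrl": "https://congo51.unraveldata.com:3000/saml/consume",
    "cert": pem_body_single_line(SAMPLE_CERT_PEM),
    "unravel_mapping": {"username": "userid", "groups": "ds_groups"},
}

if __name__ == "__main__":
    target = os.path.join(tempfile.gettempdir(), "saml.json")
    print("wrote", write_saml_json(target, SAMPLE_CONFIG))
    print("enter on the IdP:", idp_side_values(SAMPLE_CONFIG))
```

Run it against the certificate file exported from the IdP and the path you intend to pass to com.unraveldata.login.saml.config; a non-empty problem list or a ValueError tells you what to fix before running manager config apply.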
Configure SAML server
Configure the following properties on the SAML server. Replace UNRAVEL_HOST with the fully qualified domain name or IP address of your Unravel host.
Property | Description | Req | PingFederate specific configuration |
---|---|---|---|
AssertionConsumerService / ACS URL | The URL on the Unravel host that receives the SAML response; it must be the same value as callbackUrl in saml.json | Yes | |
Entity Identifier | The identifier of the Unravel service provider, for example unravel-Congo24 | Yes | Should be the same as the issuer in saml.json |
Single Logout Endpoint | | | |
Single Logout Response Endpoint | | No | - |
SAML
These properties are required when com.unraveldata.login.mode=saml.