Denodo Security Token Configuration File
The Denodo Security Token is distributed with every Denodo Platform installation. To enable single sign-on authentication with a supported external Identity Provider, you can configure it in one of two ways:
Using the specific configuration page of the Solution Manager, if one is installed.
Otherwise, if your organization does not have a Solution Manager (this is the case when you use Denodo Express or purchased Denodo in the AWS or Azure Marketplaces), by editing the configuration file located at <DENODO_HOME>/conf/denodo-sso/SSOTokenConfiguration.properties.
The following sections explain the settings that can be configured.
Common Settings
authorization.token.enabled enables/disables the token authorization functionality. If it is false, the token single sign-on flow is not possible.
authorization.type indicates the type of the delegated authentication. Possible values are: saml, oauth, openid. Each of them has its own configuration module section.
Each module is enabled by the corresponding property {authorization.type}.enabled=true (for example saml.enabled=true for SAML authentication), which must match the authorization.type value.
authorization.token.excludeOriginal enables/disables whether the original token sent by the IdP is attached to the final generated token. Default value is true, which excludes it. The original token that would be attached depends on the authentication delegation type:
SAML: SAMLResponse
OAuth: access_token
OpenID Connect: id_token
forwardedHeader.enabled (optional) enables/disables the use of the Forwarded and X-Forwarded-* headers to reflect the client-originated protocol and address. Useful when a client connects to the Denodo Security Token server through an HTTP proxy or a load balancer.
firewall.hostsAllowed (optional; available since the update 8.0u20240306): whitelist of domains permitted in the Host header, to mitigate the risk of Host header injection. Configure it with the hostname of the server or the hostname of the load balancer.
logout.redirect-url (optional; available since the update 8.0u20230301): configures a redirect URL so that the user is also disconnected from SSO during the logout of the web tools. With this property, logging out of a web application redirects the browser to a logout URL of the identity provider. If this URL accepts a query parameter that redirects to another URL after logging out of the SSO, put ${loginPage} in the value of that parameter. For example, for the Keycloak Identity Provider:
logout.redirect-url=http://<host>:<port>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=${loginPage}
To replace ${loginPage} with a proper value, each web component of Denodo has to define its own login page in the sso.loginPage property of its configuration file:
Data Catalog (<DENODO_HOME>/conf/data-catalog/DataCatalogBackend.properties): http://denodo-server.acme.com:9090/denodo-data-catalog/?uri=//localhost:9999#/
Design Studio (<DENODO_HOME>/conf/design-studio/DesignStudioBackend.properties, <SOLUTION_MANAGER_HOME>/conf/design-studio/DesignStudioBackend.properties): http://denodo-server.acme.com:9090/denodo-design-studio/?uri=//localhost:9999/admin#/
Diagnostic & Monitoring Tool (<DENODO_HOME>/resources/apache-tomcat/webapps/diagnostic-monitoring-tool/WEB-INF/classes/ConfigurationParameters.properties, <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/webapps/diagnostic-monitoring-tool/WEB-INF/classes/ConfigurationParameters.properties): http://denodo_solution_manager.acme.com:19090/diagnostic-monitoring-tool/
Scheduler Administration Tool (<DENODO_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties, <SOLUTION_MANAGER_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties): http://denodo-server.acme.com:9090/webadmin/denodo-scheduler-admin/?uri=//localhost:8000#/
Solution Manager Administration Tool (<SOLUTION_MANAGER_HOME>/conf/solution-manager-web-tool/SMAdminConfiguration.properties): http://denodo_solution_manager.acme.com:19090/solution-manager-web-tool/
Note
The redirection will be done in the current browser window. If the user is authenticated in more than one application with SSO, the logout will be performed only in the application where the logout was executed. The rest of the applications will keep their sessions active.
Token Signing Credentials
authorization.token.signing.kid Key id used to identify the cryptographic key in use. It is autogenerated on first server start up.
authorization.token.signing.auto-generated Indicates whether the keystore was autogenerated on first server start up.
authorization.token.signing.store-file Location of the keystore file containing the key pair used to sign tokens. The keystore file must meet these prerequisites:
Contains only one key pair.
The key pair uses the RSA algorithm.
authorization.token.signing.store-pass Keystore password. If the stored key pair is also password protected, it must use the same password.
Simple example using system autogenerated credentials:
authorization.token.enabled=true
authorization.token.signing.auto-generated=true
Authentication Modules
There are three possible authentication types to delegate to: SAML, OAuth and OpenID Connect. The following sections detail how to configure each authentication module.
SAML 2.0 Delegation
saml.enabled Enables/disables the SAML authorization module.
saml.use-general-signing Use the general keystore indicated in Token Signing Credentials to sign the SAMLRequest.
saml.sp-entityid Indicates the SAML Service Provider EntityID.
saml.idp-metadata-url Indicates the SAML Identity Provider metadata by URL.
Note
If this URL is “https” and the SSL certificate of this service is not signed by a well-known Certificate Authority (CA) such as Verisign, Comodo, etc., you have to add it to the TrustStore of the Server. The section Importing the Certificates of Data Sources (SSL/TLS Connections) of the Installation Guide explains how to do this. Otherwise, when the Server connects to this service, the connection will fail because the certificate is not trusted.
saml.idp-metadata-file Indicates the SAML Identity Provider metadata from a file. Useful if the SAML Identity Provider metadata URL is not reachable.
Note
Use only one of the identity provider metadata settings, saml.idp-metadata-url or saml.idp-metadata-file.
saml.extract-role.delegate Skips role extraction from the assertion and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort Server. Default value is false.
saml.extract-role.field Name of the attribute in the SAML assertion used to extract roles. For example, the following piece of XML is a SAML attribute named Group that carries the controller role:
<Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue>controller</AttributeValue>
</Attribute>
saml.sp-BaseEntityUrl Base URL from which the SAML endpoints are constructed. It must be a URL with protocol, server, port and context path. If this property is not specified, it is automatically generated from the values in the first HTTP request, but it is recommended to provide the value explicitly. For example: https://internal-load-balancer.com/sso/sso-saml
saml.load-balancer.* Optional properties to configure SAML behind a load balancer or a reverse proxy. Fill in the following properties with the load balancer data:
saml.load-balancer.scheme Scheme of the load balancer. Enter http or https.
saml.load-balancer.hostname Server name of the load balancer, for example: internal-load-balancer.com
saml.load-balancer.port Port of the load balancer.
saml.load-balancer.path Context path of the load balancer; it must start with a slash, for example: /sso
saml.load-balancer.includeServerPortInRequestURL When true, the port is used when constructing the load balancer request URL.
Note
The saml.load-balancer.* properties have been removed in the update 8.0u20230914. Use the forwardedHeader.enabled property instead.
saml.authRequestSigningAlgorithm Optional parameter to configure the name of the algorithm used to sign the authorization request to the IdP. Its values can be SHA1withRSA, MD5withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA and SHA512withRSA. Values like http://www.w3.org/2000/09/xmldsig#rsa-sha1 are also valid.
Important
XML Service Provider metadata endpoint to download: /sso/sso-saml/metadata. Useful to register the Denodo SSO Server in the external Identity Provider.
OAuth 2.0 Delegation
oauth.enabled Enables/disables the OAuth authorization module.
oauth.defaultProcessUri Relative URI of the application’s callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered in the IdP (usually called Redirect URI). Default value: /sso-oauth/oauth-login
oauth.redirectUri Optional parameter used to indicate the complete redirect URI that has been pre-established with the OAuth authorization server. Useful to configure the URL properly when the Denodo Security Token server is behind a proxy or a load balancer. For example: https://internal-load-balancer.com/sso/sso-oauth/oauth-login
oauth.clientId Client identifier generated during the application registration process.
oauth.clientSecret Client secret generated during the application registration process.
oauth.userAuthorizationUri Endpoint where the user is sent to request their authentication and consent. Used to obtain the authorization code.
oauth.accessTokenUri Endpoint used to exchange the authorization code for an access token.
oauth.issuer The authorization server’s issuer identifier.
oauth.jwkUrl URL to retrieve the server’s public JSON Web Key (JWK) set, used to verify the authenticity of access tokens.
oauth.scopes Comma-separated scopes to send in the request to the OAuth authorization server.
oauth.userNameClaim (optional; available since the update 8.0u20230301): Claim used to get the user name. Default value: sub.
oauth.jwsAlgorithm (optional; available since the update 8.0u20240306): Cryptographic algorithm, as defined by the JSON Web Algorithms (JWA) specification, used to validate the signed access token in JWT format.
oauth.extract-role.delegate Skips role extraction from the access token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort Server. Default value is false.
oauth.extract-role.field Name of the claim of the access token from which roles are extracted.
OpenID Connect Delegation
openid.enabled Enables/disables the OpenID Connect authorization module.
openid.defaultProcessUri Relative URI of the application’s callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered in the IdP (usually called Redirect URI). Default value: /sso-openid/openid-login
openid.redirectUri Optional parameter used to indicate the complete redirect URI that has been pre-established with the authorization server. Useful to configure the URL properly when the Denodo Security Token server is behind a proxy or a load balancer. For example: https://internal-load-balancer.com/sso/sso-openid/openid-login
openid.clientId Client identifier generated during the application registration process.
openid.clientSecret Client secret generated during the application registration process.
openid.userAuthorizationUri Endpoint where the user is sent to request their authentication and consent. Used to obtain the authorization code.
openid.accessTokenUri Endpoint used to exchange the authorization code for an access token.
openid.issuer The authorization server’s issuer identifier.
openid.jwkUrl URL to retrieve the server’s public JSON Web Key (JWK) set, used to verify the authenticity of id tokens.
openid.scopes Comma-separated scopes to send in the request to the authorization server.
openid.userNameClaim (optional; available since the update 8.0u20230301): Claim used to get the user name. Default value: preferred_username.
openid.jwsAlgorithm (optional; available since the update 8.0u20240306): Cryptographic algorithm, as defined by the JSON Web Algorithms (JWA) specification, used to validate the signed id token in JWT format.
openid.extract-role.delegate Skips role extraction from the id token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort Server. Default value is false.
openid.extract-role.field Name of the claim of the id token from which roles are extracted.
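As an added example (not taken from the Denodo documentation), the following is a complete SSOTokenConfiguration.properties that delegates to a Keycloak realm over OpenID Connect and ties together the common settings, the token signing credentials and this module. The hostnames, realm name, client id, keystore path, the comma-separated format of firewall.hostsAllowed and the RS256 value for openid.jwsAlgorithm are assumptions; the Keycloak endpoint paths follow the same pattern as the Keycloak logout URL shown in Common Settings.

```properties
# Added example, not from the Denodo documentation. Placeholders in <...> must be replaced.

# --- Common settings ---
authorization.token.enabled=true
# The module that is enabled below must match this value
authorization.type=openid
# Keep the IdP id_token out of the generated Denodo token (this is the default)
authorization.token.excludeOriginal=true
# The server sits behind a load balancer: honour Forwarded / X-Forwarded-* headers
forwardedHeader.enabled=true
# Host header allowlist (8.0u20240306+); assumed comma-separated, only names clients really use
firewall.hostsAllowed=denodo-server.acme.com,internal-load-balancer.com
# Also end the IdP session on logout; each web tool substitutes its own sso.loginPage
logout.redirect-url=https://idp.acme.com/auth/realms/denodo/protocol/openid-connect/logout?redirect_uri=${loginPage}

# --- Token signing credentials: a managed RSA key pair instead of the autogenerated one ---
authorization.token.signing.auto-generated=false
# Keystore with exactly one RSA key pair (path is an assumed example)
authorization.token.signing.store-file=/opt/denodo/conf/denodo-sso/sso-signing.jks
# Key pair password must equal the keystore password if the key is protected
authorization.token.signing.store-pass=<KEYSTORE_PASSWORD>

# --- Delegation modules: only the one matching authorization.type is enabled ---
saml.enabled=false
oauth.enabled=false
openid.enabled=true
openid.defaultProcessUri=/sso-openid/openid-login
# Full callback URL as registered in Keycloak (Redirect URI), using the load balancer name
openid.redirectUri=https://internal-load-balancer.com/sso/sso-openid/openid-login
openid.clientId=denodo-sso
openid.clientSecret=<CLIENT_SECRET>
openid.userAuthorizationUri=https://idp.acme.com/auth/realms/denodo/protocol/openid-connect/auth
openid.accessTokenUri=https://idp.acme.com/auth/realms/denodo/protocol/openid-connect/token
# Issuer must equal the "iss" claim Keycloak puts in the id_token
openid.issuer=https://idp.acme.com/auth/realms/denodo
openid.jwkUrl=https://idp.acme.com/auth/realms/denodo/protocol/openid-connect/certs
openid.scopes=openid,profile
openid.userNameClaim=preferred_username
# Pin the expected JWS algorithm (8.0u20240306+) so an id_token signed with any other alg is rejected
openid.jwsAlgorithm=RS256
# Roles come from a claim in the id_token rather than from an LDAP search
openid.extract-role.delegate=false
openid.extract-role.field=groups
```

If the IdP certificate is not issued by a well-known CA, the jwkUrl, userAuthorizationUri and accessTokenUri connections fail until the certificate is imported into the server TrustStore, as described in the SAML section.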