Denodo Security Token Configuration File

The Denodo Security Token is distributed with any Denodo Platform installation. To enable single sign-on authentication with a supported external Identity Provider, configure it in one of two ways:

  1. If your organization uses Solution Manager, through its specific configuration page.

  2. Otherwise (Denodo Express, or Denodo purchased in the AWS or Azure Marketplaces), by editing the configuration file <DENODO_HOME>/conf/denodo-sso/SSOTokenConfiguration.properties. The following sections explain the settings that can be configured.

Common Settings

authorization.token.enabled Enables/disables the token authorization functionality. If it is false, the token single sign-on flow is not possible.

authorization.type Type of the delegated authentication. Possible values: saml, oauth, openid. Each one has its own configuration module section. A module is enabled with the property {authorization.type}.enabled=true (for example, saml.enabled=true for SAML authentication), and the enabled module must match the authorization.type value.

authorization.token.excludeOriginal Controls whether the original token sent by the IdP is attached to the final generated token. Default value is true, which excludes it. The original token that would be attached depends on the delegation type:

  • SAML: Uses SAMLResponse

  • OAuth: Uses access_token

  • OpenID Connect: Uses id_token

forwardedHeader.enabled (optional) Enables/disables the use of the Forwarded and X-Forwarded-* headers to reflect the client-originated protocol and address.

Useful when clients connect to the Denodo Security Token server through an HTTP proxy or a load balancer. Enable it only when such a proxy sits in front of the server and sets or overwrites these headers itself; otherwise any client can supply them.

firewall.hostsAllowed (optional; available since the update 8.0u20240306) Host names permitted in the Host header, to mitigate Host header injection. Configure it with the hostname of the server, or with the load balancer hostname if there is one.
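To see why these two settings belong together, the following added example (not Denodo code) computes the public base URL of an SSO server from a single request the way a servlet container would, once with the Host header unrestricted and once with an allow list. The function names, the context path /sso and the sample requests are this example's own assumptions; it is a model of the mechanism, not Denodo's implementation.

```python
"""Compute an SSO server's public base URL from one HTTP request.

Added example (not Denodo code).  It models the two settings described above:
forwardedHeader.enabled decides whether Forwarded / X-Forwarded-* headers are
trusted, and firewall.hostsAllowed restricts which Host values are accepted.
Function names, the context path and the sample requests are assumptions.
"""

HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-:[]")


class HostNotAllowed(ValueError):
    """Raised when the effective Host is malformed or not in the allow list."""


def _parse_forwarded(value):
    """Parse an RFC 7239 Forwarded header such as 'for=10.0.0.1;proto=https;host=lb'.
    Only the first element (the one added closest to the client) is used."""
    out = {}
    for pair in value.split(",")[0].split(";"):
        if "=" in pair:
            key, val = pair.strip().split("=", 1)
            out[key.lower()] = val.strip('"')
    return out


def public_base_url(headers, hosts_allowed=(), forwarded_enabled=False, context_path="/sso"):
    """Return scheme://host[:port]<context_path> as the server would compute it.

    headers            request headers (any case); Host is always present in HTTP/1.1
    hosts_allowed      host names (host or host:port) accepted in Host; empty = no check
    forwarded_enabled  when True, X-Forwarded-Proto/Host or Forwarded override
                       scheme and host, i.e. the proxy in front is trusted
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = "http", h.get("host", "")

    if forwarded_enabled:
        fwd = _parse_forwarded(h.get("forwarded", ""))
        scheme = h.get("x-forwarded-proto", fwd.get("proto", scheme)).split(",")[0].strip()
        host = h.get("x-forwarded-host", fwd.get("host", host)).split(",")[0].strip()

    host = host.strip().lower()
    if not host or set(host) - HOST_CHARS:
        raise HostNotAllowed("malformed Host header: %r" % host)

    if hosts_allowed:
        allowed = {a.lower() for a in hosts_allowed}
        # Exact match, or the bare host name when the header also carries a port
        # (an IPv6 literal without a port ends in ']' and is left alone).
        bare = host if host.endswith("]") else host.rsplit(":", 1)[0]
        if host not in allowed and bare not in allowed:
            raise HostNotAllowed("Host %r is not in firewall.hostsAllowed" % host)

    return "%s://%s%s" % (scheme, host, context_path)


def host_accepted(headers, hosts_allowed=(), forwarded_enabled=False):
    """True if public_base_url would accept the request's Host, False otherwise."""
    try:
        public_base_url(headers, hosts_allowed, forwarded_enabled)
    except HostNotAllowed:
        return False
    return True


# Constructed requests: a legitimate one, one where the attacker supplied Host,
# and one arriving through a load balancer that rewrites Host and adds X-Forwarded-*.
LEGIT = {"Host": "sso.acme.com:9090"}
POISONED = {"Host": "attacker.example"}
BEHIND_LB = {"Host": "10.0.0.5:9090", "X-Forwarded-Proto": "https", "X-Forwarded-Host": "lb.acme.com"}

if __name__ == "__main__":
    print("no allow list   :", public_base_url(POISONED))   # attacker's host is echoed back
    print("allow list      :", host_accepted(POISONED, ["sso.acme.com"]))
    print("lb, not enabled :", public_base_url(BEHIND_LB, ["10.0.0.5", "lb.acme.com"]))
    print("lb, enabled     :", public_base_url(BEHIND_LB, ["10.0.0.5", "lb.acme.com"], True))
```

With no allow list, whatever Host the attacker sends ends up in any absolute URL the server builds from the request (redirect URIs, SAML endpoint URLs, password-reset style links), which is the Host header injection the property guards against. Note that the allow list is applied after the forwarded host has been substituted, so enabling forwarded headers without restricting hosts leaves the same hole open through X-Forwarded-Host.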

logout.redirect-url (optional; available since the update 8.0u20230301) Redirect URL used to end the SSO session when logging out of the web tools.

With this property set, logging out of a web application redirects the browser to a logout URL of the identity provider. If that URL accepts a query parameter with a URL to return to after the SSO logout, use ${loginPage} as the value of that parameter. For example, for the Keycloak Identity Provider:

logout.redirect-url=http://<host>:<port>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=${loginPage}

To replace ${loginPage} with a proper value, each Denodo web component defines its own login page in the sso.loginPage property of its configuration file:

  • Data Catalog (<DENODO_HOME>/conf/data-catalog/DataCatalogBackend.properties): http://denodo-server.acme.com:9090/denodo-data-catalog/?uri=//localhost:9999#/

  • Design Studio (<DENODO_HOME>/conf/design-studio/DesignStudioBackend.properties, <SOLUTION_MANAGER_HOME>/conf/design-studio/DesignStudioBackend.properties): http://denodo-server.acme.com:9090/denodo-design-studio/?uri=//localhost:9999/admin#/

  • Diagnostic & Monitoring Tool (<DENODO_HOME>/resources/apache-tomcat/webapps/diagnostic-monitoring-tool/WEB-INF/classes/ConfigurationParameters.properties, <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/webapps/diagnostic-monitoring-tool/WEB-INF/classes/ConfigurationParameters.properties): http://denodo_solution_manager.acme.com:19090/diagnostic-monitoring-tool/

  • Scheduler Administration Tool (<DENODO_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties, <SOLUTION_MANAGER_HOME>/conf/scheduler-webadmintool/ConfigurationParameters.properties): http://denodo-server.acme.com:9090/webadmin/denodo-scheduler-admin/?uri=//localhost:8000#/

  • Solution Manager Administration Tool (<SOLUTION_MANAGER_HOME>/conf/solution-manager-web-tool/SMAdminConfiguration.properties): http://denodo_solution_manager.acme.com:19090/solution-manager-web-tool/

    Note

    The redirection is done in the current browser window. If the user is authenticated with SSO in more than one application, the logout is performed only in the application where it was executed; the other applications keep their sessions active.

Token Signing Credentials

authorization.token.signing.kid Key identifier (kid) of the cryptographic key used to sign tokens. It is autogenerated on first server start up.

authorization.token.signing.auto-generated Indicates whether the keystore was autogenerated on first server start up.

authorization.token.signing.store-file Location of the keystore file containing the key pair used to sign tokens. The keystore must meet these prerequisites:

  • It contains only one key pair.

  • The key pair uses the RSA algorithm.

authorization.token.signing.store-pass Keystore password. If the key pair entry is itself password-protected, it must use the same password as the keystore.

Simple example using system-autogenerated credentials:

authorization.token.enabled=true
authorization.token.signing.auto-generated=true
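The rules stated so far (token enabled, a valid authorization.type, exactly the matching <type>.enabled module switched on, and a non-autogenerated keystore needing both store-file and store-pass) are easy to get wrong by hand. The following added example (not part of the Denodo product) parses a Java .properties file with the standard library and reports violations of those rules; as this example's own recommendation it also warns when forwarded headers are trusted without a Host allow list. The two sample configurations at the bottom are constructed for the example.

```python
"""Consistency checks for SSOTokenConfiguration.properties.

Added example, not part of the Denodo product.  Parses a Java .properties
file and reports violations of the rules stated in the configuration guide.
The sample configurations at the bottom are constructed.
"""
import re

MODULES = ("saml", "oauth", "openid")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key: value,
    backslash line continuations.  Values are not unescaped beyond that."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _flag(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"


def check_sso_config(text):
    """Return a list of problems; an empty list means the file passes these checks."""
    p = parse_properties(text)
    problems = []

    if not _flag(p, "authorization.token.enabled"):
        problems.append("authorization.token.enabled is not true: SSO flow is disabled")

    atype = p.get("authorization.type", "").strip().lower()
    if atype not in MODULES:
        problems.append("authorization.type must be one of %s, got %r" % (", ".join(MODULES), atype))

    enabled = [m for m in MODULES if _flag(p, m + ".enabled")]
    if atype in MODULES and atype not in enabled:
        problems.append("%s.enabled must be true to match authorization.type=%s" % (atype, atype))
    for m in enabled:
        if m != atype:
            problems.append("%s.enabled=true does not match authorization.type=%s" % (m, atype or "<unset>"))

    # A keystore that was not autogenerated has to be located and unlocked explicitly.
    if not _flag(p, "authorization.token.signing.auto-generated"):
        for k in ("authorization.token.signing.store-file", "authorization.token.signing.store-pass"):
            if not p.get(k, "").strip():
                problems.append("%s is required when the keystore is not autogenerated" % k)

    # Example's own recommendation, not a rule from the guide: trusting proxy headers
    # without restricting Host leaves Host header injection open via X-Forwarded-Host.
    if _flag(p, "forwardedHeader.enabled") and not p.get("firewall.hostsAllowed", "").strip():
        problems.append("forwardedHeader.enabled=true without firewall.hostsAllowed: Host header is unrestricted")

    return problems


# Constructed sample: two modules enabled at once and a keystore without a password.
SAMPLE_BAD = """\
authorization.token.enabled=true
authorization.type=openid
saml.enabled=true
openid.enabled=true
authorization.token.signing.auto-generated=false
authorization.token.signing.store-file=/opt/denodo/conf/denodo-sso/sso.jks
"""

# Constructed sample that passes: one module, autogenerated signing keystore.
SAMPLE_GOOD = """\
authorization.token.enabled=true
authorization.type=openid
openid.enabled=true
authorization.token.signing.auto-generated=true
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_sso_config(cfg) or "OK")
```

Run it against the real file with `check_sso_config(open(path).read())` after editing it and before restarting the server; the parser is deliberately minimal (no Unicode escapes), which is enough for this file's flat key=value layout.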

Authentication Modules

Authentication can be delegated to one of three authentication types: SAML, OAuth and OpenID Connect. The following sections detail how to configure each authentication module.

SAML 2.0 Delegation

saml.enabled Enables/disables the SAML authorization module.

saml.use-general-signing Use the general keystore configured in Token Signing Credentials to sign the SAMLRequest.

saml.sp-entityid The SAML Service Provider EntityID.

saml.idp-metadata-url URL from which the SAML Identity Provider metadata is downloaded.

Note

If this URL uses https and the SSL/TLS certificate of the service is not signed by a known Certificate Authority (CA), you have to add it to the truststore of the Server. The section Importing the Certificates of Data Sources (SSL/TLS Connections) of the Installation Guide explains how to do this. Otherwise, the connection fails when the Server contacts this service, because the certificate is not trusted.

saml.idp-metadata-file Path to a file containing the SAML Identity Provider metadata. Useful if the metadata URL is not reachable from the server.

Note

Use only one of the identity provider metadata settings, saml.idp-metadata-url or saml.idp-metadata-file.

saml.extract-role.delegate Skips role extraction from the assertion and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication in the Virtual DataPort Server. Default value is false.

saml.extract-role.field Name of the attribute in the SAML assertion from which roles are extracted. For example, the following SAML attribute named Group carries the role controller:

<Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue>controller</AttributeValue>
</Attribute>
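The following added example (not Denodo code) shows what saml.extract-role.field selects: every AttributeValue of the Attribute whose Name equals the configured field, with other attributes ignored and an absent attribute yielding no roles rather than an error. The assertion is constructed for the example and carries only the elements needed here; it assumes the assertion's XML signature has already been verified, since attributes must never be read from an unverified assertion.

```python
"""Extract roles from a SAML 2.0 assertion attribute.

Added example (not Denodo code).  Models saml.extract-role.field: the roles are
the values of the <Attribute> whose Name equals the configured field.  The
assertion below is constructed; signature verification is assumed to have
happened before this function is called.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the Group attribute carries two roles, one with stray whitespace.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>controller</saml:AttributeValue>
      <saml:AttributeValue>  reporting </saml:AttributeValue>
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@acme.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_roles(assertion_xml, role_field):
    """Return the role names found in the attribute named role_field.

    Values are stripped and empty ones dropped; attributes with other names are
    ignored.  An absent attribute yields [] (a user with no roles), which callers
    must treat as 'not authorized', not as an error to fall back from.
    """
    # xml.etree does not resolve external entities, so this parse is XXE-safe.
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != role_field:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                roles.append(text)
    return roles


if __name__ == "__main__":
    print(extract_roles(SAMPLE_ASSERTION, "Group"))   # the value used for saml.extract-role.field
    print(extract_roles(SAMPLE_ASSERTION, "Role"))    # misconfigured field name: no roles
```

A mismatch between the configured field and the name the IdP actually emits (for example "Group" versus "groups", or a URI-style Name) silently produces an empty role list, so check the attribute name in a captured assertion rather than guessing it.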

saml.sp-BaseEntityUrl Base URL from which SAML endpoints are constructed. It must be a URL with protocol, server, port and context path. If this property is not specified, it is derived from the first HTTP request received (which makes it depend on whatever Host header that request carried), so providing the value explicitly is recommended. For example: https://internal-load-balancer.com/sso/sso-saml

saml.load-balancer.* Optional properties to configure SAML behind a load balancer or a reverse proxy. Fill in the following properties with the load balancer data:

saml.load-balancer.scheme Scheme of the load balancer: http or https.

saml.load-balancer.hostname Host name of the load balancer, for example: internal-load-balancer.com

saml.load-balancer.port Port of the load balancer.

saml.load-balancer.path Context path of the load balancer; it must start with a slash, for example: /sso

saml.load-balancer.includeServerPortInRequestURL When true, the port is included when constructing the load balancer request URL.

Note

The saml.load-balancer.* properties were removed in the update 8.0u20230914. Use the forwardedHeader.enabled property instead.

saml.authRequestSigningAlgorithm Optional parameter to configure the name of the algorithm used to sign the authentication request sent to the IdP. Accepted values are SHA1withRSA, MD5withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA and SHA512withRSA; XML Signature algorithm URIs such as http://www.w3.org/2000/09/xmldsig#rsa-sha1 are also valid. MD5 and SHA-1 are no longer considered secure for signatures, so prefer SHA256withRSA or stronger unless the IdP requires otherwise.

Important

XML Service Provider metadata endpoint, available for download at /sso/sso-saml/metadata. Useful to register the Denodo SSO Server in the external Identity Provider.

OAuth 2.0 Delegation

oauth.enabled Enables/disables the OAuth authorization module.

oauth.defaultProcessUri Relative URI of the application's callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered in the IdP (usually called Redirect URI). Default value: /sso-oauth/oauth-login

oauth.redirectUri Optional parameter to indicate the complete redirect URI pre-registered with the OAuth authorization server. Useful when the Denodo Security Token server is behind a proxy or a load balancer, so that its public URL is configured correctly. For example: https://internal-load-balancer.com/sso/sso-oauth/oauth-login

oauth.clientId Client identifier generated during the application registration process.

oauth.clientSecret Client secret generated during the application registration process. Restrict read access to the configuration file once this value is set.

oauth.userAuthorizationUri Authorization endpoint, where the user is sent to authenticate and give consent. Used to obtain the authorization code.

oauth.accessTokenUri Token endpoint, used to exchange the authorization code for an access token.

oauth.issuer The authorization server's issuer identifier, as it appears in the iss claim of the tokens it issues.

oauth.jwkUrl URL from which the authorization server's public JSON Web Key (JWK) set is retrieved, used to verify the signature of access tokens.

oauth.scopes Comma-separated list of scopes sent in the request to the OAuth authorization server.

oauth.userNameClaim (optional; available since the update 8.0u20230301) Claim from which the user name is taken. Default value: sub.

oauth.jwsAlgorithm (optional; available since the update 8.0u20240306) Cryptographic algorithm, as defined in the JSON Web Algorithms (JWA) specification, used to validate the signed access token in JWT format. Set it to the algorithm your Identity Provider signs access tokens with (for example RS256).

oauth.extract-role.delegate Skips role extraction from the access token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication in the Virtual DataPort Server. Default value is false.

oauth.extract-role.field Name of the claim from which roles are extracted from the access token.

OpenID Connect Delegation

openid.enabled Enables/disables the OpenID Connect authorization module.

openid.defaultProcessUri Relative URI of the application's callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered in the IdP (usually called Redirect URI). Default value: /sso-openid/openid-login

openid.redirectUri Optional parameter to indicate the complete redirect URI pre-registered with the authorization server. Useful when the Denodo Security Token server is behind a proxy or a load balancer, so that its public URL is configured correctly. For example: https://internal-load-balancer.com/sso/sso-openid/openid-login

openid.clientId Client identifier generated during the application registration process.

openid.clientSecret Client secret generated during the application registration process. Restrict read access to the configuration file once this value is set.

openid.userAuthorizationUri Authorization endpoint, where the user is sent to authenticate and give consent. Used to obtain the authorization code.

openid.accessTokenUri Token endpoint, used to exchange the authorization code for an access token.

openid.issuer The authorization server's issuer identifier, as it appears in the iss claim of the tokens it issues.

openid.jwkUrl URL from which the authorization server's public JSON Web Key (JWK) set is retrieved, used to verify the signature of id tokens.

openid.scopes Comma-separated list of scopes sent in the request to the authorization server.

openid.userNameClaim (optional; available since the update 8.0u20230301) Claim from which the user name is taken. Default value: preferred_username.

openid.jwsAlgorithm (optional; available since the update 8.0u20240306) Cryptographic algorithm, as defined in the JSON Web Algorithms (JWA) specification, used to validate the signed id token in JWT format. Set it to the algorithm your Identity Provider signs id tokens with (for example RS256).

openid.extract-role.delegate Skips role extraction from the id token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication in the Virtual DataPort Server. Default value is false.

openid.extract-role.field Name of the claim from which roles are extracted from the id token.
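The oauth.* and openid.* sections above select the same four things from a JWT: the signing algorithm to accept (jwsAlgorithm), the expected issuer (issuer), the claim holding the user name (userNameClaim) and the claim holding the roles (extract-role.field). The following added example (not Denodo code) validates a token in the order those checks have to happen and then reads the two claims. To run offline it signs the demo token with HS256 under a constructed shared secret; against a real IdP the key comes from jwkUrl and the algorithm is usually RS256, but the sequence of checks is the same. Issuer, claim names and claim values are all constructed.

```python
"""Validate a JWT and read the user name and roles from it.

Added example (not Denodo code).  Models what jwsAlgorithm, issuer,
userNameClaim and extract-role.field select.  HS256 with a constructed secret
stands in for the IdP's key; every name and value below is constructed.
"""
import base64
import hashlib
import hmac
import json
import re
import time

SECRET = b"constructed-demo-secret"                  # stands in for the key from jwkUrl
ISSUER = "https://idp.acme.example/realms/denodo"    # value of oauth.issuer / openid.issuer
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "c0ffee", "preferred_username": "alice",
                 "groups": ["admin", "reporting"], "exp": 4102444800}


class TokenRejected(ValueError):
    pass


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims, secret):
    """Sign claims with HS256; plays the role of the IdP for this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = "%s.%s" % (header, payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url_encode(sig))


def validate_token(token, key, jws_algorithm, issuer, user_name_claim, role_field, now=None):
    """Return (user_name, roles) or raise TokenRejected.

    The alg header is compared with the configured algorithm BEFORE any
    signature work, so 'alg':'none' or an unexpected algorithm is refused
    outright; claims are only read after the signature verifies.
    """
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        sig = _b64url_decode(s_seg)
    except ValueError:           # bad base64, bad JSON, wrong number of segments
        raise TokenRejected("malformed token")
    if not isinstance(header, dict):
        raise TokenRejected("malformed token")

    if header.get("alg") != jws_algorithm:
        raise TokenRejected("alg %r does not match configured %s" % (header.get("alg"), jws_algorithm))
    if jws_algorithm != "HS256":
        raise NotImplementedError("demo verifies HS256 only; RS256 would use the key from jwkUrl here")

    expected = hmac.new(key, ("%s.%s" % (h_seg, p_seg)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")

    try:
        claims = json.loads(_b64url_decode(p_seg))
    except ValueError:
        raise TokenRejected("malformed claims")
    if not isinstance(claims, dict):
        raise TokenRejected("malformed claims")
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer %r is not the configured %r" % (claims.get("iss"), issuer))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenRejected("token expired")

    user = claims.get(user_name_claim)
    if not user:
        raise TokenRejected("claim %r missing" % user_name_claim)

    raw = claims.get(role_field, [])
    # IdPs emit roles either as a JSON array or as a space/comma separated string.
    roles = raw if isinstance(raw, list) else [r for r in re.split(r"[\s,]+", str(raw)) if r]
    return user, [str(r) for r in roles]


def rejection_reason(*args, **kwargs):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(*args, **kwargs)
    except TokenRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SECRET)
    print(validate_token(token, SECRET, "HS256", ISSUER, "preferred_username", "groups"))
    print(rejection_reason(token, b"other-key", "HS256", ISSUER, "sub", "groups"))
```

Two details are worth carrying over to any real verifier: the alg check uses the configured value rather than trusting the token's header, which is what pinning jwsAlgorithm buys you, and a missing or empty role claim produces an empty role list, so a wrong extract-role.field name shows up as users with no roles rather than as an error.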
