Denodo Security Token¶
The Denodo Security Token Server is a system that delegates the authentication to an external Identity Provider (e.g. Okta, PingFederate, Azure Active Directory, etc.) It takes the authorization object and generates a valid credential so the other applications can use it to gain access across all the components of the Denodo Platform.
In addition, it provides Single Sign-On authentication. With this, users log in to the Solution Manager with their browser and from there, they can open any component of the Denodo Platform installations (Data Catalog, Design Studio, etc.) without having to enter the password again.
Note
The Solution Manager installation contains a file {<SOLUTION_MANAGER_HOME>}/conf/SSOConfiguration.properties and the value
of the property sso.token-enabled
must be true. Please, do not manually change this value.
Architecture¶
The Denodo Security Token Server is an application that runs on the web container of the Solution Manager. It provides a centralized authentication server based on the following points:
Delegate authentication to external identity providers:
SAML
OAuth
OpenID Connect
Role extraction from the delegated authentication object. The original assertion or token can be processed to extract role information by a configured attribute name.
Issue temporary credentials representing the user who has just been authenticated through the external Identity Provider. This credentials are verified and validated by Denodo environment and grants the access on it.

Denodo Security Token Architecture¶
Configure the Denodo Platform Components to Reach the Security Token Server¶
In the following scenarios, the components of the Denodo Platform need to connect to the Denodo Security Token Server:
To enable Single sign-on across the web components of the installation. That is, the users log in to Solution Manager and then, they can open Data Catalog, Design Studio and others without entering their credentials on each application.
Single sign-on configuration can be made in the specific page authentication configuration.
To perform the following administrative tasks from the Solution Manager over an installation of the Denodo Platform:
Diagnostic and Monitoring: to check the status of servers. That is, either loading historical data or in real-time. Used by the Diagnostic & Monitoring Tool distributed with the Solution Manager installation and by the embedded Denodo Monitor to monitor an environment, a cluster or a server.
Deployments: to deploy revisions into environments.
Manage Log levels: to manage the logging level of the Virtual DataPort servers.
When you create an environment using the Automated Cloud Mode, the Solution Manager automatically configures the new installations so they can reach the Security Token Server.
When you install the Denodo Platform manually, you have to configure this installation so it can reach the Denodo Security Token Server (see Configure the Connection to the Security Token Server from the Denodo Platform below).
Security Considerations¶
For production environments, we strongly recommend that all the communication with the Denodo Security Token server is performed over a secure channel (i.e. SSL/TLS). It is important because the generated token is a security credential that should be transmitted securely. For this reason, Denodo Solution Manager and all the Denodo Platform used in environments must be over a secure channel (i.e. SSL/TLS). The section enable SSL/TLS in the Denodo Platform explains how to enable this.
Note
If you use a self-signed certificate or an SSL certificate that is only recognized within your organization, you have to import this certificate to the TrustStore of all the installations of the Denodo Platform. Otherwise, the connection to the Security Token Server will fail.
External Identity Provider Considerations¶
Denodo Security Token acts as a central authentication system to manage the delegated authentication. For this reason you must add a relying party trust between your identity provider and Denodo Security Token. This trust registration has a common configuration that depends on the protocol used in the external provider.
For SAML Identity Providers you can use the Service Provider XML metadata exposed by the Denodo Security Token on this URL: https://solution-manager.acme.com:19443/sso/sso-saml/metadata.
For OAuth and OpenID Connect providers you should add a Redirect URI (Complete URI to which the provider may redirect after authorization is obtained). The default redirect URI on Denodo Security Token follow this format: https://solution-manager.acme.com:19443/sso/sso-oauth/oauth-login. Ending in /sso/sso-oauth/oauth-login for OAuth and in /sso/sso-openid/openid-login for OpenID Connect.
Note
Review specific details on your Identity Provider for each configuration.
Configure the Connection to the Security Token Server from the Denodo Platform¶
In all your installations of the Denodo Platform, follow these steps so the components of these installations can reach the Denodo Security Token Server, which is part of the Solution Manager:
Check that the clocks of the computers of the Denodo Platform servers and the computer of the Solution Manager are in sync. On Windows, check that the option Synchronize your clock is enabled. On Linux, check that the Network Time Protocol (NTP) service is enabled.
The clocks of these computers need to be in sync as much as possible. That is, both computers must be set to the same time and date. Not having the clocks synchronized may cause the single sign-on process between Solution Manager and the Denodo Platform components to fail with the error “Expired JWT”.
Set up the connection to the Security Token Server in all your installations of the Denodo Platform. You can do this graphically or from the command line:
To do this graphically, open the Denodo Platform Control Center of this installation (open
<DENODO_HOME>/bin/denodo_platform
). Then, click Configure and enter this:Host: hostname of the Solution Manager. For example
solution-manager.acme.com
. The Denodo Security Token runs on the Solution Manager.Port: enter
19443
if you enabled HTTPS on the web container of the Solution Manager; enter19090
if it is disabled. You have to enter the port number of the web container because the Denodo Security Token Server runs on the web container of the Solution Manager.Uses SSL/TLS: select this if you enabled HTTPS on the web container of the Solution Manager.
Enable Denodo Single Sign On for web applications: to allow Single Sign-On authentication through Denodo Security Token.
Denodo Security Token enabled by Denodo Platform Control Center¶
To do this from the command line, edit
<DENODO_HOME>/conf/SSOConfiguration.properties
and set these properties:
sso.url: URL of the Denodo Security Token in the following format {scheme}://{hostname}:{port}. Usually this will be the web container URL of the Solution Manager, where the Denodo Security Token Server is deployed by default.
For example
https://solution-manager.acme.com:19443
.sso.token-enabled: Denodo Security Token enabled for Virtual DataPort (if it is installed).
sso.enabled: Denodo Security Token Single Sign-On enabled for the web applications deployed in this installation.
sso.url=https://solution-manager.acme.com:19443 sso.token-enabled=true sso.enabled=true
Restart the affected servers to apply these changes.
Note
This Denodo Platform must be able to reach the web container port of the Solution Manager (19443 if HTTPS is enabled, 19090 if disabled).
To verify that, run the following command from the Denodo Platform machine: telnet <Solution Manager Host> <Web Container Port>
Configure HTTP Timeouts and Limits for the Request of Public Keys¶
When the public signing keys are requested by URL to do the token signature validation, the slow or saturated networks can be a problem. In this case, you can configure connection timeouts and limits for the request of public keys. Usually, you do not need to do anything if you do not find any problem (e.g. timeouts for slow connection). If these configuration properties are not present, the default values will be used.
The following configuration properties can be changed using the command SET to define behaviour of the HTTP connections opened from the Virtual DataPort Server to get the public keys.
com.denodo.vdb.security.DndTokenAuthenticator.RemoteJWKSet.httpConnectionTimeout
: The HTTP connection timeout, in milliseconds, zero for infinite. The default value is 4000.com.denodo.vdb.security.DndTokenAuthenticator.RemoteJWKSet.httpReadTimeout
: The HTTP read timeout, in milliseconds, zero for infinite. The default value is 4000.com.denodo.vdb.security.DndTokenAuthenticator.RemoteJWKSet.httpSizeLimit
: The HTTP entity size limit, in bytes, zero for infinite. The default value is 51200.com.denodo.vdb.security.DndTokenAuthenticator.JWKSetCache.expirationTime
: The lifespan of the cached JWK set before it expires, negative means no expiration. The default value is 300.
Also, you can manually edit <SOLUTION_MANAGER_HOME>/conf/SSOConfiguration.properties
and <DENODO_HOME>/conf/SSOConfiguration.properties
in order to define behaviour of the HTTP connections opened from the components of the Solution Manager/Denodo Platform installations to get the public keys:
sso.jwt.jwk.httpConnectionTimeout
: The HTTP connection timeout, in milliseconds, zero for infinite. The default value is 2000.sso.jwt.jwk.httpReadTimeout
: The HTTP read timeout, in milliseconds, zero for infinite. The default value is 2000.sso.jwt.jwk.httpSizeLimit
: The HTTP entity size limit, in bytes, zero for infinite. The default value is 51200.sso.jwt.jwk.expirationTime
: The lifespan of the cached JWK set before it expires, negative means no expiration. The default value is 300.
Load Balancer Considerations¶
When a Solution Manager is behind a Load Balancer, connectivity to external balancer URL from the installation can cause errors. In this case, you can configure an internal URL for the request of public keys.
Edit manually the file <SOLUTION_MANAGER_HOME>/conf/SSOConfiguration.properties
in order to define the external URL of the load balancer and an internal URL to retrieve the public signing keys from the Solution Manager installations to get the public keys:
sso.url
: The external URL of the load balancer used for authentication redirections. For examplesso.url=https://load-balancer.com
sso.jwt.jwk.sourceUrl
: The internal URL to retrive the public signing keys, and to avoid the connectivity problems behind a load-balancer. For examplesso.jwt.jwk.sourceUrl=https://localhost:19443/sso/jwks.json
Edit manually the file <SOLUTION_MANAGER_HOME>/conf/vdp/VDBConfiguration.properties
to define the same internal URL to retrieve the public signing keys by the embedded Virtual DataPort Server.
com.denodo.vdb.security.DndTokenAuthenticator.jwkSourceUrl
: The internal URL to retrive the public signing keys, and to avoid the connectivity problems behind a load-balancer.
See the section Configuring Access Through the Load Balancer to review another considerations in these scenarios.
Authentication Credentials¶
The Solution Manager uses signature credentials to secure the communications with other components of the Denodo Platform. You can configure the Solution Manager to use a custom RSA cryptography key or one autogenerated by the system.
To manage the Solution Manager Credentials, click the menu Configuration > Authentication. The authentication credentials are configured at the top of this tab.

Solution Manager credentials configuration¶
If Autogenerated is selected (default option), the Solution Manager uses a private key that was auto-generated.
If you select Custom, you need to provide this:
KeyStore file: a keyStore file that meets these prerequisites:
Contains only one keypair.
The keypair uses the RSA algorithm.
KeyStore password: the password that protects the keyStore. If the keypair is also protected, then it must be using the same password.
Note
If you change the credentials, some automated tasks may be affected. In this case, restart the servers.
Single Sign-On Sequence¶
At a high level, the initial authentication flow for a web application looks like this:

Denodo Security Token Single Sign-On sequence diagram to Solution Manager Web Tool¶
After that, the next access to another web application will not require the user to log in again with their credentials:

Denodo Security Token Single Sign-On sequence diagram to another web application¶