Single Sign-On with an Identity Provider

The Denodo Platform includes a system called Denodo Security Token Server that enables two key features for authenticating users across all the Denodo components:

  1. It is able to delegate the authentication of users to an external Identity Provider. It supports the following protocols:

    • SAML

    • OAuth

    • OpenID Connect

    In addition, it deals with the extraction of roles for every protocol, which are the basis for authorization in Data Catalog.

  2. It enables single sign-on across all the Denodo components. The user only needs to authenticate the first time she opens a Denodo application. The next time she works with another Denodo application, the Denodo Security Token Server will provide her identity, so there is no need to transfer passwords again, improving the security of the system.

To enable single sing-on with an external Identity Provider, you need to follow these steps:

  1. Configure your Identity Provider in the Denodo Security Token Server in one of the following ways:

    • In case your organization uses the Denodo Solution Manager, you can configure your Identity Provider graphically in a specific configuration page.

    • Otherwise, you can edit the configuration file of your Denodo Platform, located on <DENODO_HOME>/conf/denodo-sso/SSOTokenConfiguration.properties.

  2. Configure the connection to the Denodo Security Token Server. Again, you have two ways of configuring it:

    • Open the Control Center of your Denodo Platform and go to Configure. You will find the settings for the Denodo Security Token Server in the section Denodo Security Token Authentication.

    • Edit the file located on <DENODO_HOME>/conf/SSOConfiguration.properties.

    Take into account the following considerations:

    • Enter the host and port of the web container where the Denodo Security Token Server is deployed. If you have configured it through the Denodo Solution Manager, enter the settings of the Denodo Solution Manager installation. Otherwise, enter the values of your Denodo Platform installation.

    • If the web container has configured SSL/TLS, select the option Uses SSL/TLS.

    • Select the option Enable Denodo Single Sign On for web applications.

  3. Restart all your Denodo applications in order to the settings to take effect.

If there are several Virtual DataPort servers registered in the Data Catalog, you will see a login page like the one below. Select the server you want to connect to and you will be automatically redirected to your Identity Provider.

Login page for single sign-on with an external Identity Provider in the Data Catalog

Login page for single sign-on with an external Identity Provider in the Data Catalog

If there is only one Virtual DataPort server registered, you will be automatically redirected to your Identity Provider.