Denodo Security Token

Denodo Security Token Server is a centralized system that delegates authentication to an external Identity Provider. It takes the authorization object returned by the provider and generates a valid credential that other applications can use to gain access across Denodo. Furthermore, it provides Single Sign-On authentication, which allows users to log into multiple web applications after logging in once, without needing a separate identity and password for each. The user information is managed only by the external Identity Provider, in a centralized way.

Architecture

It provides a centralized authentication server based on the following points:

  1. Delegate authentication to external identity providers:

    • SAML

    • OAuth

    • OpenID Connect

  2. Role extraction from the delegated authentication object. The original assertion or token can be processed to extract role information by a configured attribute name.

  3. Issue temporary credentials representing the user who has just been authenticated through the external Identity Provider. These credentials are verified and validated by the Denodo environment and grant access to it.

Denodo Security Token Architecture


Security Considerations

All communication with the Denodo Security Token server must be over a secure channel (i.e. SSL/TLS). This is important because the generated token is a security credential that must be transmitted securely. For this reason, the Denodo Solution Manager and all the Denodo Platform installations used in its environments must communicate over a secure channel (i.e. SSL/TLS). The section "Enable SSL/TLS in the Denodo Platform" explains how to enable this.

Note

For SSL connections to Denodo Security Token, you must import the server’s SSL certificate or the CA certificate that signed the server’s certificate into the JVM truststore used by Denodo Platform.

External Identity Provider Considerations

Denodo Security Token acts as a central authentication system to manage the delegated authentication. For this reason you must add a relying party trust between your identity provider and Denodo Security Token. This trust registration has a common configuration that depends on the protocol used in the external provider.

  • For SAML Identity Providers you can use the Service Provider XML metadata exposed by the Denodo Security Token on this URL: https://solution-manager.acme.com:19443/sso/sso-saml/metadata.

  • For OAuth and OpenID Connect providers you should add a Redirect URI (the complete URI to which the provider may redirect after authorization is obtained). The default redirect URI on Denodo Security Token follows this format: https://solution-manager.acme.com:19443/sso/sso-oauth/oauth-login. The path ends in /sso/sso-oauth/oauth-login for OAuth and in /sso/sso-openid/openid-login for OpenID Connect.

Note

Review specific details on your Identity Provider for each configuration.

Configure for Denodo Platform

Denodo Platform must be configured to support Denodo Security Token in the following cases:

  1. Single sign-on across different web components of the installation.

    Single sign-on configuration can be made in the specific page authentication configuration.

  2. System administrative tasks executed by Solution Manager.

    When a Denodo Platform is managed by Solution Manager, it must be configured to point to the Denodo Security Token Server that is distributed with that Solution Manager.

Administrative tasks

Solution Manager requires privileged connections to manage the Denodo Platform servers. It uses a temporary system token with the required permissions to perform administrative tasks, and the target Denodo Platform server must therefore be configured with Denodo Security Token authentication in order to validate these tokens. The cryptographic keys used for signing temporary credentials can be customized in Authentication Credentials.

Administrative tasks that require it:

  • Diagnostic and Monitoring: To check the state of servers, either loading historical data or in real time.

  • Deployments: To deploy revisions into environments, the final servers must be configured to support the Denodo security token authentication.

  • Manage Log levels: To change the logging level of the Virtual DataPort servers.

Enable Denodo Security Token in Denodo Platform

To enable Denodo Security Token for external Denodo Platform do the following:

  1. Graphically through the Denodo Platform Control Center

Denodo Security Token enabled by Denodo Platform Control Center


  • Host: Hostname of the container where the Denodo Security Token Server runs. For example solution-manager.acme.com.

  • Port: The port number of the web container where the Denodo Security Token Server runs. Usually this will be the web container of the Solution Manager. The default port of this container is 19090 when TLS/SSL is not enabled and 19443 when it is enabled.

  • Uses SSL/TLS: Check if SSL/TLS is configured for the Denodo Security Token.

  • Enable Denodo Single Sign On for web applications: To allow Single Sign-On authentication through Denodo Security Token.

  2. Directly editing <DENODO_HOME>/conf/SSOConfiguration.properties

    sso.url=https://solution-manager.acme.com:19443
    sso.token-enabled=true
    sso.enabled=true
    
    • sso.url: Denodo Security Token URL in the following format: {scheme}://{hostname}:{port}. Usually this will be the web container URL of the Solution Manager, where the Denodo Security Token Server is deployed by default. For example https://solution-manager.acme.com:19443.

    • sso.token-enabled: Denodo Security Token enabled for Virtual DataPort (if it is installed).

    • sso.enabled: Denodo Security Token Single Sign-On enabled for the web applications deployed in this installation.

Note

Restart the affected servers to apply these changes.
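As an added example (not part of the Denodo documentation or product), the following script checks an SSOConfiguration.properties file against the requirements stated on this page: sso.url must have the form {scheme}://{hostname}:{port} and, because the token is a credential, must use https; the two flags must be true or false. The sample file contents are constructed; the 19090/19443 port hint is a warning only, since the page says those are merely the defaults.

```python
from urllib.parse import urlsplit

# Constructed sample of <DENODO_HOME>/conf/SSOConfiguration.properties (not a real file)
SAMPLE_PROPERTIES = """\
# Denodo Security Token settings
sso.url=https://solution-manager.acme.com:19443
sso.token-enabled=true
sso.enabled=true
"""

# Constructed weak variant: plain http and a non-boolean flag
WEAK_PROPERTIES = """\
sso.url=http://solution-manager.acme.com:19090
sso.token-enabled=yes
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sso_config(text: str) -> list:
    """Return a list of findings; an empty list means the file meets the page's requirements."""
    props = parse_properties(text)
    findings = []
    url = props.get("sso.url")
    if url is None:
        findings.append("sso.url is missing")
    else:
        parts = urlsplit(url)
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        if parts.scheme != "https":
            findings.append(f"sso.url uses {parts.scheme!r}; the token is a credential and must travel over SSL/TLS")
        if not parts.hostname or port is None or parts.path not in ("", "/"):
            findings.append("sso.url must have the form {scheme}://{hostname}:{port}")
        elif parts.scheme == "https" and port == 19090:
            findings.append("warning: 19090 is the default non-TLS port of the Solution Manager web container; confirm TLS is enabled there")
    for key in ("sso.token-enabled", "sso.enabled"):
        value = props.get(key)
        if value is not None and value.lower() not in ("true", "false"):
            findings.append(f"{key} must be true or false, got {value!r}")
    return findings
```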

Authentication Credentials

The Solution Manager uses signature credentials to secure the communications with other components of the Denodo Platform. You can configure the Solution Manager to use a custom RSA cryptography key or one autogenerated by the system.

To manage the Solution Manager Credentials, click the menu Configuration > Authentication. The authentication credentials are configured at the top of this tab.

Solution Manager credentials configuration


If Autogenerated is selected (default option), the Solution Manager uses a private key that was auto-generated.

If you select Custom, you need to provide this:

  • KeyStore file: a keyStore file that meets these prerequisites:

    • Contains only one keypair.

    • The keypair uses the RSA algorithm.

  • KeyStore password: the password that protects the keyStore. If the keypair is also password-protected, it must use the same password.

    Note

    If you change the credentials, some automated tasks may be affected. In this case, restart the servers.

Single Sign-On Sequence

At a high level, the initial authentication flow for a web application looks like this:

Denodo Security Token Single Sign-On sequence diagram to Solution Manager Web Tool


After that, the next access to another web application will not require the user to log in again with their credentials:

Denodo Security Token Single Sign-On sequence diagram to another web application
