Denodo Security Token

The Denodo Security Token Server is a system that delegates authentication to an external Identity Provider (e.g. Okta, PingFederate, Azure Active Directory, etc.). It takes the authorization object returned by that provider and generates a valid credential that the other applications can use to gain access across all the components of the Denodo Platform.

In addition, it provides Single Sign-On authentication. With this, users log in to the Solution Manager with their browser and from there, they can open any component of the Denodo Platform installations (Data Catalog, Design Studio, etc.) without having to enter the password again.

Note

The Solution Manager installation contains the file <SOLUTION_MANAGER_HOME>/conf/SSOConfiguration.properties, and the value of its property sso.token-enabled must be true. Please do not change this value manually.

Architecture

The Denodo Security Token Server is an application that runs on the web container of the Solution Manager. It provides a centralized authentication server based on the following points:

  1. Delegate authentication to external identity providers:

    • SAML

    • OAuth

    • OpenID Connect

  2. Role extraction from the delegated authentication object. The original assertion or token can be processed to extract role information from a configured attribute name.

  3. Issue temporary credentials representing the user who has just been authenticated through the external Identity Provider. These credentials are verified and validated by the Denodo environment and grant access to it.

Denodo Security Token Architecture

Configure the Denodo Platform Components to Reach the Security Token Server

In the following scenarios, the components of the Denodo Platform need to connect to the Denodo Security Token Server:

  1. To enable Single sign-on across the web components of the installation. That is, the users log in to Solution Manager and then, they can open Data Catalog, Design Studio and others without entering their credentials on each application.

    Single sign-on is configured in the authentication configuration page of each web application.

  2. To perform the following administrative tasks from the Solution Manager over an installation of the Denodo Platform:

    • Diagnostic and Monitoring: to check the status of servers, either by loading historical data or in real time. Used by the Diagnostic & Monitoring Tool distributed with the Solution Manager installation and by the embedded Denodo Monitor to monitor an environment, a cluster or a server.

    • Deployments: to deploy revisions into environments.

    • Manage Log levels: to manage the logging level of the Virtual DataPort servers.

When you create an environment using the Automated Cloud Mode, the Solution Manager automatically configures the new installations so they can reach the Security Token Server.

When you install the Denodo Platform manually, you have to configure this installation so it can reach the Denodo Security Token Server (see Configure the Connection to the Security Token Server from the Denodo Platform below).

Security Considerations

For production environments, we strongly recommend that all communication with the Denodo Security Token Server takes place over a secure channel (SSL/TLS). This is important because the generated token is a security credential and must be transmitted securely. For this reason, the Solution Manager and all the Denodo Platform installations used in its environments must communicate over a secure channel (SSL/TLS). The section Enable SSL/TLS in the Denodo Platform explains how to enable this.

Note

If you use a self-signed certificate or an SSL certificate that is only recognized within your organization, you have to import this certificate to the TrustStore of all the installations of the Denodo Platform. Otherwise, the connection to the Security Token Server will fail.

External Identity Provider Considerations

Denodo Security Token acts as a central authentication system that manages the delegated authentication. For this reason, you must add a relying party trust between your identity provider and Denodo Security Token. The details of this trust registration depend on the protocol used by the external provider.

  • For SAML Identity Providers you can use the Service Provider XML metadata exposed by the Denodo Security Token on this URL: https://solution-manager.acme.com:19443/sso/sso-saml/metadata.

  • For OAuth and OpenID Connect providers, you must register a Redirect URI (the complete URI to which the provider may redirect after authorization is obtained). The default redirect URI of the Denodo Security Token has this format: https://solution-manager.acme.com:19443/sso/sso-oauth/oauth-login. It ends in /sso/sso-oauth/oauth-login for OAuth and in /sso/sso-openid/openid-login for OpenID Connect.

Note

Review specific details on your Identity Provider for each configuration.

Configure the Connection to the Security Token Server from the Denodo Platform

In all your installations of the Denodo Platform, follow these steps so the components of these installations can reach the Denodo Security Token Server, which is part of the Solution Manager:

  1. Check that the clocks of the computers of the Denodo Platform servers and the computer of the Solution Manager are in sync. On Windows, check that the option Synchronize your clock is enabled. On Linux, check that the Network Time Protocol (NTP) service is enabled.

    The clocks of these computers need to be in sync as much as possible. That is, both computers must be set to the same time and date. Not having the clocks synchronized may cause the single sign-on process between Solution Manager and the Denodo Platform components to fail with the error “Expired JWT”.

  2. Set up the connection to the Security Token Server in all your installations of the Denodo Platform. You can do this graphically or from the command line:

    1. To do this graphically, open the Denodo Platform Control Center of this installation (open <DENODO_HOME>/bin/denodo_platform). Then, click Configure and enter this:

      • Host: hostname of the Solution Manager. For example solution-manager.acme.com. The Denodo Security Token runs on the Solution Manager.

      • Port: enter 19443 if you enabled HTTPS on the web container of the Solution Manager; enter 19090 if it is disabled. You have to enter the port number of the web container because the Denodo Security Token Server runs on the web container of the Solution Manager.

      • Uses SSL/TLS: select this if you enabled HTTPS on the web container of the Solution Manager.

      • Enable Denodo Single Sign On for web applications: to allow Single Sign-On authentication through Denodo Security Token.

Denodo Security Token enabled by Denodo Platform Control Center

    2. To do this from the command line, edit <DENODO_HOME>/conf/SSOConfiguration.properties and set these properties:

      • sso.url: URL of the Denodo Security Token in the format {scheme}://{hostname}:{port}. Usually this is the web container URL of the Solution Manager, where the Denodo Security Token Server is deployed by default.

        For example https://solution-manager.acme.com:19443.

      • sso.token-enabled: whether the Denodo Security Token is enabled for Virtual DataPort (if it is installed).

      • sso.enabled: whether Denodo Security Token Single Sign-On is enabled for the web applications deployed in this installation.

      sso.url=https://solution-manager.acme.com:19443
      sso.token-enabled=true
      sso.enabled=true

  3. Restart the affected servers to apply these changes.
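Step 1 above warns that unsynchronized clocks surface as an "Expired JWT" error. The following added example (not Denodo code) reproduces that failure with a standard-library HMAC-signed JWT; the Solution Manager signs with RSA, but the exp/iat arithmetic is the same. The secret, subject, 60-second lifetime and skew values are constructed.

```python
"""Reproduce the "Expired JWT" failure caused by clock skew.

Added example, not Denodo code. The token server (Solution Manager) mints a
short-lived JWT with its own clock; the receiving Denodo Platform component
checks exp/iat with ITS clock, so a component whose clock runs ahead rejects
a token that is still valid on the issuer. Secret and times are constructed.
"""
import base64, hashlib, hmac, json

SECRET = b"example-secret-not-from-denodo"  # constructed

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, issued_at: int, lifetime_s: int = 60) -> str:
    """Mint an HS256 JWT as the token server sees time (iat/exp in seconds)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": issued_at,
                                  "exp": issued_at + lifetime_s}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int, leeway_s: int = 0) -> str:
    """Validate as the receiving component would, using ITS clock `now`.

    Returns "ok", "bad signature", "expired" or "not yet valid"; `leeway_s`
    is the tolerance a verifier may grant for small clock differences.
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if now > claims["exp"] + leeway_s:
        return "expired"
    if now < claims["iat"] - leeway_s:
        return "not yet valid"
    return "ok"

def skew_demo(skew_s: int) -> str:
    """Token server clock = T; the receiving component's clock = T + skew_s."""
    t0 = 1_700_000_000  # constructed reference time
    return verify_token(issue_token("admin", t0), now=t0 + skew_s)
```

A component clock two minutes ahead of the Solution Manager rejects a 60-second token as expired, while NTP-synced clocks (or a verifier leeway larger than the skew) accept it.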

Note

This Denodo Platform must be able to reach the web container port of the Solution Manager (19443 if HTTPS is enabled, 19090 if disabled). To verify that, run the following command from the Denodo Platform machine: telnet <Solution Manager Host> <Web Container Port>
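As an added example (not Denodo tooling), the following script checks an SSOConfiguration.properties file against the rules given in step 2 and the Note above: the {scheme}://{hostname}:{port} format of sso.url, the default web container ports (19443 for HTTPS, 19090 for HTTP), the boolean values, and a TCP probe equivalent to the telnet check. The sample file content is constructed from the page's own example values.

```python
"""Sanity-check <DENODO_HOME>/conf/SSOConfiguration.properties before restarting.
Added example, not Denodo tooling: checks sso.url against the
{scheme}://{hostname}:{port} format and the web-container defaults the page
gives (19443 for HTTPS, 19090 for HTTP), then offers the telnet-style TCP probe.
"""
import socket
from urllib.parse import urlsplit
EXPECTED_PORT = {"https": 19443, "http": 19090}  # defaults stated on the page

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def validate_sso(props: dict) -> list:
    """Return findings as strings; an empty list means the file looks consistent."""
    findings = []
    parts = urlsplit(url := props.get("sso.url", ""))
    try:
        port = parts.port  # None if absent, ValueError if not numeric
    except ValueError:
        port = None
    if parts.scheme not in EXPECTED_PORT or not parts.hostname or port is None:
        findings.append(f"sso.url must be {{scheme}}://{{hostname}}:{{port}}, got {url!r}")
    elif port != EXPECTED_PORT[parts.scheme]:
        findings.append(f"sso.url port {port} is not the default {EXPECTED_PORT[parts.scheme]} for {parts.scheme}")
    if parts.scheme == "http":
        findings.append("sso.url uses plain HTTP; the token would travel unencrypted")
    for key in ("sso.token-enabled", "sso.enabled"):
        if props.get(key) not in ("true", "false"):
            findings.append(f"{key} must be true or false, got {props.get(key)!r}")
    return findings

def can_reach(url: str, timeout: float = 3.0) -> bool:
    """Open and close one TCP connection, like `telnet <host> <port>` on the page."""
    parts = urlsplit(url)
    try:
        with socket.create_connection((parts.hostname, parts.port), timeout=timeout):
            return True
    except (OSError, ValueError):
        return False

SAMPLE = """sso.url=https://solution-manager.acme.com:19443
sso.token-enabled=true
sso.enabled=true
"""  # constructed file content using the page's own example values
```

Run validate_sso(parse_properties(open(path).read())) on the real file; an empty list plus can_reach(props["sso.url"]) returning True means the installation is ready for the restart in step 3.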

Authentication Credentials

The Solution Manager uses signature credentials to secure the communications with other components of the Denodo Platform. You can configure the Solution Manager to use a custom RSA cryptography key or one autogenerated by the system.

To manage the Solution Manager Credentials, click the menu Configuration > Authentication. The authentication credentials are configured at the top of this tab.

Solution Manager credentials configuration

If Autogenerated is selected (the default option), the Solution Manager uses an automatically generated private key.

If you select Custom, you need to provide this:

  • KeyStore file: a keyStore file that meets these prerequisites:

    • Contains only one keypair.

    • The keypair uses the RSA algorithm.

  • KeyStore password: the password that protects the keystore. If the key pair is also password-protected, it must use the same password.

    Note

    If you change the credentials, some automated tasks may be affected. In this case, restart the servers.

Single Sign-On Sequence

At a high level, the initial authentication flow for a web application looks like this:

Denodo Security Token Single Sign-On sequence diagram to Solution Manager Web Tool

After that, the next access to another web application will not require the user to log in again with their credentials:

Denodo Security Token Single Sign-On sequence diagram to another web application