Denodo Security Token Configuration File

The Denodo Security Token is distributed with any Denodo Platform installation. To enable single sign-on authentication with a supported external Identity Provider, you can configure it:

  1. Through the specific configuration page of Solution Manager, if it is installed.

  2. Otherwise, if your organization does not have Solution Manager (this is the case when you use Denodo Express or purchased Denodo in the AWS or Azure Marketplaces), you must edit the configuration file located at <DENODO_HOME>/conf/denodo-sso/SSOTokenConfiguration.properties. The following sections explain the settings that can be configured.

Common settings

authorization.token.enabled Enables or disables the token authorization functionality. If it is false, the token single sign-on flow is not possible.

authorization.type Property that indicates the type of the delegated authentication. Possible values are: saml, oauth, openid. Each of them has its own configuration module section. Each module is enabled by the corresponding property {authorization.type}.enabled=true (for example saml.enabled=true for SAML authentication), which must match the authorization.type value.

Token signing credentials

authorization.token.signing.kid Key id used to identify the cryptographic key in use. It is autogenerated on first server start-up.

authorization.token.signing.auto-generated Indicates whether the keystore was autogenerated on first server start-up.

authorization.token.signing.store-file Location of the keystore file containing the key pair used to sign tokens. The keystore file must meet these prerequisites:

  • Contains only one key pair.

  • The key pair uses the RSA algorithm.

authorization.token.signing.store-pass Keystore password. If the stored key pair is also password-protected, it must use the same password.

Simple example using system-autogenerated credentials:

authorization.token.enabled=true
authorization.token.signing.auto-generated=true

Authentication modules

There are three possible authentication types to delegate: SAML, OAuth and OpenID Connect. The following sections detail how to configure each authentication module.

SAML 2.0 delegation

saml.enabled Enables or disables the SAML authorization module.

saml.use-general-signing Use the general keystore indicated in Token signing credentials to sign the SAMLRequest.

saml.sp-entityid Indicates the SAML Service Provider EntityID.

saml.idp-metadata-url Indicates the URL of the SAML Identity Provider metadata.

Note

If this URL is “https” and the SSL certificate of this service is not signed by a known Certificate Authority (CA) like Verisign, Comodo, etc., you have to add it to the TrustStore of the Server. The section Importing the Certificates of Data Sources (SSL/TLS Connections) of the Installation Guide explains how to do this. Otherwise, when the Server connects to this service, the connection will fail because the certificate is not trusted.

saml.idp-metadata-file Indicates the file containing the SAML Identity Provider metadata. Useful if the SAML Identity Provider metadata URL is not reachable.

Note

Use only one of the identity provider metadata settings, either saml.idp-metadata-url or saml.idp-metadata-file.
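The consistency rules this page states (authorization.type must name a module whose <type>.enabled is true, and only one of the two metadata settings may be set), checked by an added Python linter. This is example code, not Denodo's, and it adds one assumption the page does not state: a keystore that is not auto-generated must be supplied through store-file and store-pass.

```python
MODULES = ("saml", "oauth", "openid")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; # and ! start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def lint(text):
    """Return the list of rule violations; an empty list means the file is consistent."""
    p, problems = parse_properties(text), []
    if not is_true(p, "authorization.token.enabled"):
        problems.append("authorization.token.enabled is not true: token SSO flow is not possible")
    atype = p.get("authorization.type")
    if atype not in MODULES:
        problems.append(f"authorization.type must be one of {MODULES}, got {atype!r}")
    elif not is_true(p, f"{atype}.enabled"):
        problems.append(f"{atype}.enabled must be true to match authorization.type={atype}")
    # Assumption (not stated on the page): a non-auto-generated keystore needs store-file and store-pass.
    if not is_true(p, "authorization.token.signing.auto-generated"):
        for suffix in ("store-file", "store-pass"):
            if not p.get(f"authorization.token.signing.{suffix}"):
                problems.append(f"authorization.token.signing.{suffix} is required when the keystore is not auto-generated")
    if "saml.idp-metadata-url" in p and "saml.idp-metadata-file" in p:
        problems.append("set only one of saml.idp-metadata-url or saml.idp-metadata-file")
    return problems
# Constructed sample files (not taken from a real installation).
GOOD = """\
authorization.token.enabled=true
authorization.type=saml
authorization.token.signing.auto-generated=true
saml.enabled=true
saml.idp-metadata-url=https://idp.example.test/metadata
"""
BAD = """\
authorization.token.enabled=true
authorization.type=oauth
authorization.token.signing.auto-generated=false
saml.enabled=true
saml.idp-metadata-url=https://idp.example.test/metadata
saml.idp-metadata-file=/opt/denodo/conf/denodo-sso/idp.xml
"""
```

`lint(BAD)` reports four problems: the oauth module is not enabled although authorization.type=oauth, store-file and store-pass are missing for a non-auto-generated keystore, and both metadata settings are present.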

saml.extract-role.delegate Skips the role extraction from the assertion and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort server. Default value is false.

saml.extract-role.field Name of the attribute in the SAML assertion used to extract roles. For example, the following SAML attribute named Group represents the controller role:

<Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue>controller</AttributeValue>
</Attribute>
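The extraction that saml.extract-role.field configures, as an added Python example (not Denodo code): it reads the attribute values of the configured name from a constructed assertion, and goes beyond the snippet above by returning every value of a multi-valued attribute and an empty list when the attribute is absent.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP); the Signature element is omitted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>controller</saml:AttributeValue>
      <saml:AttributeValue>analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_roles(assertion_xml, field):
    """Return the values of the SAML attribute whose Name equals `field`
    (the value configured in saml.extract-role.field); [] if it is absent.
    Run this only on an assertion whose XML signature has already been
    validated: the attribute values are trustworthy only after that check."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != field:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles
```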

Important

XML Service Provider metadata endpoint to download: /sso/sso-saml/metadata. Useful to register the Denodo SSO Server in the external Identity Provider.

OAuth 2.0 delegation

oauth.enabled Enables or disables the OAuth authorization module.

oauth.defaultProcessUri Relative URI of the application’s callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered on the IdP (usually called Redirect URI). Default value /sso-oauth/oauth-login

oauth.clientId Client identifier generated during the application registration process.

oauth.clientSecret Client secret generated during the application registration process.

oauth.userAuthorizationUri Endpoint to which the user is sent to authenticate and grant consent. Used to obtain the authorization code.

oauth.accessTokenUri Endpoint used to exchange the authorization code for an access token.

oauth.issuer The authorization server’s issuer identifier.

oauth.jwkUrl URL to retrieve the server’s public JSON Web Key (JWK) used to verify the authenticity of access tokens.

oauth.scopes Comma-separated scopes to send in the request to the OAuth authorization server.

oauth.extract-role.delegate Skips the role extraction from the access token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort server. Default value is false.

oauth.extract-role.field Name of the claim extracted from the access token to obtain roles.

OpenID Connect delegation

openid.enabled Enables or disables the OpenID Connect authorization module.

openid.defaultProcessUri Relative URI of the application’s callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered on the IdP (usually called Redirect URI). Default value /sso-openid/openid-login

openid.clientId Client identifier generated during the application registration process.

openid.clientSecret Client secret generated during the application registration process.

openid.userAuthorizationUri Endpoint to which the user is sent to authenticate and grant consent. Used to obtain the authorization code.

openid.accessTokenUri Endpoint used to exchange the authorization code for an access token.

openid.issuer The authorization server’s issuer identifier.

openid.jwkUrl URL to retrieve the server’s public JSON Web Key (JWK) used to verify the authenticity of access tokens.

openid.scopes Comma-separated scopes to send in the request to the authorization server.

openid.extract-role.delegate Skips the role extraction from the access token and delegates it to an LDAP search in the Virtual DataPort server. It requires Global LDAP Authentication for the Virtual DataPort server. Default value is false.

openid.extract-role.field Name of the claim extracted from the access token to obtain roles.