Applies to:
Denodo 8.0
Last modified on: 26 May 2021
Tags:
Administration
PingFederate
SSO
Security
Solution Manager
In this document you will learn the following:
Once this is completed, single sign-on will be enabled on the Solution Manager and users will only have to log in with their password.
An OAuth/OpenID access token or a SAML assertion usually includes the groups to which the user account associated with that token/assertion belongs. When the Solution Manager receives the token/assertion, it looks for roles defined in Solution Manager with the same names as those groups. The privileges granted to the matching roles become the privileges of this user. Note that not every group listed in the token/assertion has to exist as a role in the Solution Manager; groups without a matching role are simply ignored.
For OAuth authentication, we are going to do the following:
In PingFederate:
In Solution Manager:
The Denodo Knowledge Base article PingFederate Integration with Denodo explains in detail the configuration required to use PingFederate as an OAuth authorization server (AS). Configure the Data Store, Password Validator, IdP Adapter Mapping, Access Token Management, Access Token Mapping and Scopes as described in that Knowledge Base article. We are going to use the same configuration that was set up as part of the Knowledge Base article PingFederate Integration with Denodo.
An OAuth client application interacts with an OAuth authorization server to obtain the required access tokens to call OAuth-protected services at the resource server. To configure the OAuth clients, go to Applications → OAuth → Clients. Click Add Client and complete the configuration in the Client window.
OAuth defines several different access grant types. Each grant type reflects a different authorization mechanism, as described in the Denodo Knowledge Base article PingFederate Integration with Denodo:
In this example, we are going to configure a client with the grant type “Authorization code (authorization_code)”, providing the required information such as Client ID, Name, Client Authentication, etc., as described in the documentation.
In the configuration “Redirect URIs”, register the Solution Manager as an OAuth application.
For example, if your Solution Manager Web Tool is accessible at https://server:port and the Default process URI for OAuth is /sso-oauth/oauth-login, you should register the following Redirect URI:
https://server:port/sso/sso-oauth/oauth-login.
Also, since we are using the grant type “Authorization code (authorization_code)”, make sure to select the “Authorization code” checkbox under “Allowed Grant Types” and click Save.
Follow these steps:
Provide the following:
/sso-oauth/oauth-login
This is the relative URI for the application's callback endpoint. The Identity Provider sends the authorization response to this URI. The complete URL must match the one registered on the OAuth Authorization Server (usually called Redirect URI). For example, if your Solution Manager Web Tool is accessible at https://server:port and the Default process URI is /sso-oauth/oauth-login, you should register the following Redirect URI: https://server:port/sso/sso-oauth/oauth-login.
For OpenID authentication, we are going to do the following:
In PingFederate:
In Solution Manager:
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
To begin creating a new policy, navigate to Applications → OAuth → OpenId Connect Policy Management and create a new policy as mentioned in the documentation. In this example, we are going to choose the same access token management instance that we have configured for the OAuth in the “Access Token Manager” list.
We are going to configure the OAuth clients for OpenID. To create a client, go to Applications → OAuth → Clients. Click Add Client and complete the configuration in the Client window.
In the Redirect URI, register the Solution Manager URL with the endpoint /sso-openid/openid-login. For example, if your Solution Manager Web Tool is accessible at https://server:port and the Default process URI is /sso-openid/openid-login, you should register the following Redirect URI:
https://server:port/sso/sso-openid/openid-login.
In the OpenID Connect section, select the OpenID Connect policy configured above from the list and click Save.
Follow these steps:
https://solution-manager.acme.com:19443/solution-manager-web-tool/Login
Fill in this section to configure authentication against an external OpenID Provider:
https://<hostname>:<port>/.well-known/openid-configuration
The complete URL must match the one registered on the Authorization Server (usually called Redirect URI). For example, if your Solution Manager Web Tool is accessible at https://server:port and the Default process URI is /sso-openid/openid-login, you should register the following Redirect URI:
https://server:port/sso/sso-openid/openid-login.
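The OAuth and OpenID sections above both require the callback registered in PingFederate to be exactly base URL + /sso + default process URI. The following added check (example code, not part of the Denodo or PingFederate product) builds the expected Redirect URI for each flow and compares it byte-for-byte against the client's registered list, flagging the mistakes the page warns about (missing /sso context, trailing slash, http scheme); host names are constructed.

```python
from urllib.parse import urlsplit

# Solution Manager serves its SSO callbacks under the /sso context; the page
# registers every Redirect URI as base URL + "/sso" + default process URI.
SSO_CONTEXT = "/sso"
DEFAULT_PROCESS_URI = {
    "oauth": "/sso-oauth/oauth-login",
    "openid": "/sso-openid/openid-login",
}


def expected_redirect_uri(base_url: str, flow: str) -> str:
    """Redirect URI that must be registered in the PingFederate client for this flow."""
    return base_url.rstrip("/") + SSO_CONTEXT + DEFAULT_PROCESS_URI[flow]


def check_registered(base_url: str, flow: str, registered: list) -> list:
    """Return a list of problems; an empty list means the registration is correct.

    The comparison is exact, as an authorization server should compare redirect URIs;
    near misses are reported so the operator knows what to fix.
    """
    expected = expected_redirect_uri(base_url, flow)
    problems = []
    if urlsplit(expected).scheme != "https":
        problems.append("base URL is not https")
    if expected in registered:
        return problems
    problems.append(f"expected redirect URI not registered: {expected}")
    for uri in registered:
        if uri.rstrip("/") == expected.rstrip("/"):
            problems.append(f"trailing-slash mismatch: {uri}")
        elif uri == base_url.rstrip("/") + DEFAULT_PROCESS_URI[flow]:
            problems.append(f"missing {SSO_CONTEXT} context: {uri}")
        elif uri.replace("http://", "https://", 1) == expected:
            problems.append(f"registered with http instead of https: {uri}")
    return problems
```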
For SAML authentication, we are going to do the following:
In PingFederate:
In Solution Manager:
As an identity provider (IdP), you manage connection settings to support the exchange of federation-protocol messages such as SAML, WS-Federation, or WS-Trust with a service provider (SP) or security token service (STS) client application at your site.
For SAML authentication, we are going to create an SP connection by navigating to Applications → Integration → SP Connections and clicking Create Connection.
PingFederate provides quick-configuration templates, available separately with SaaS Connectors, for specific Service Providers. For this example we are not going to use templates, so we continue to the next screen for more options.
To configure a connection for secure browser-based SSO, select the Browser SSO Profiles check box and choose SAML 2.0 as a protocol from the drop-down list.
On the Connection Options tab, you can enable browser-based single sign-on (SSO), Attribute Query, or both for the current connection. We are going to select Browser SSO to create a connection for browser-based SSO.
When creating or modifying service provider (SP) connections, PingFederate allows you to import metadata from an XML file or a metadata URL.
We are going to import the metadata from an XML file, using the “Download XML metadata file” option available in the SAML configuration of the Solution Manager. With this metadata you can add Solution Manager as a Service Provider on your IdP.
To download the XML metadata file from Solution Manager, provide a unique value for the SAML entity ID, for example https://<hostname>:19443/saml, and the Base URL, for example https://<hostname>:19443. Then click “Download XML metadata file”, which downloads the “samlmetadata.xml” file. We are going to import this file in the “Import Metadata” tab of PingFederate.
Once the “samlmetadata.xml” file is imported, the “General Info” tab is populated with the information we provided in the Solution Manager.
The next step is to configure the “Browser SSO”. Browser-based single sign-on (SSO), also known as Browser SSO, relies on a user's web browser and HTTP requests to broker identity-federation messaging in XML or JSON web token (JWT) between an identity provider (IdP) and a service provider (SP). As we have chosen the SAML 2.0 protocol, we need to provide the required configuration as described in the PingFederate documentation.
Next is to configure the Protocol Settings. The Protocol Settings tab provides the launching point for configuring partner endpoints, message customizations, and other protocol-specific settings for browser-based single sign-on (SSO) connections.
In the Endpoint, make sure to provide the relative path (beginning with a forward slash) shown below:
/sso/sso-saml/SSO
Once the user’s identity has been verified, the external identity provider (IdP) sends an authentication response that includes the assertion to the SAML endpoint at https://server:port/sso/sso-saml/SSO, using the HTTP POST binding of the SAML 2.0 standard.
Finally, the Credentials tab provides the launching point for configuring security requirements you might need, depending on the federation protocol you are using and the choices you make.
Note that if the Identity Provider metadata URL uses “https” and the SSL certificate of this service is not signed by a well-known Certificate Authority (CA) such as Verisign, Comodo, etc., you have to add it to the TrustStore of the Server. The section Importing the Certificates of Data Sources (SSL/TLS Connections) of the Installation Guide explains how to do this. Otherwise, when the Server connects to this service, the connection will fail because the certificate is not trusted.
When you finish creating or modifying a service provider (SP) connection, you can review the connection settings and toggle the connection status. On the Activation & Summary tab, you can review, amend, discard, or save your changes.
Click on Save to save the SP connection and its configuration.
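Before importing samlmetadata.xml into the SP connection, it is worth confirming that the file actually carries the entity ID, base URL and /sso/sso-saml/SSO endpoint with the HTTP POST binding described above. The following added check (example code, not part of Solution Manager or PingFederate) parses a constructed stand-in for that metadata and reports any mismatch; the real file is generated by Solution Manager from the values entered in its SAML configuration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_ENDPOINT = "/sso/sso-saml/SSO"  # relative endpoint configured in Protocol Settings

# Constructed stand-in for samlmetadata.xml (host name is made up).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sm.acme.com:19443/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sm.acme.com:19443/sso/sso-saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str, entity_id: str, base_url: str) -> list:
    """Return a list of problems; an empty list means the SP metadata matches
    the entity ID and base URL entered in Solution Manager."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')}, expected {entity_id}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
        problems.append("SPSSODescriptor does not declare SAML 2.0 protocol support")
    services = sp.findall("md:AssertionConsumerService", NS)
    if not services:
        problems.append("no AssertionConsumerService element")
    expected_location = base_url.rstrip("/") + SAML_ENDPOINT
    for svc in services:
        if svc.get("Binding") != POST_BINDING:
            problems.append(f"ACS binding is {svc.get('Binding')}, expected HTTP-POST")
        if svc.get("Location") != expected_location:
            problems.append(f"ACS location is {svc.get('Location')}, expected {expected_location}")
    return problems
```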
Follow these steps:
Provide the following:
https://<hostname>:19443
Sample SAML assertion
After enabling SAML or OAuth authentication in Solution Manager, you have to create roles that have the same names as the ones you created in PingFederate.
As with LDAP authentication of Virtual DataPort, you do not need to create all the roles that a user of PingFederate may have; only create the ones you need to.
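The role mapping described at the start of the document and restated here works the same way for a SAML assertion and for an OAuth/OpenID token: group names are matched against Solution Manager role names, and groups with no matching role are ignored. The following added example (not Solution Manager's own code) extracts the group values from a constructed SAML assertion or an already-verified JWT payload and resolves the user's effective privileges; the attribute name "groups", the role names and the privilege names are assumptions, and signature validation is assumed to have already taken place in the SSO layer.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the assertion posted to /sso/sso-saml/SSO (values made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>sm_admin</saml:AttributeValue>
      <saml:AttributeValue>hr_analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Roles defined in Solution Manager; role and privilege names are constructed.
SM_ROLES = {
    "sm_admin": {"manage_environments", "deploy_revisions"},
    "sm_viewer": {"view_environments"},
}


def groups_from_saml(xml_text: str, attribute_name: str = "groups") -> list:
    """Collect the values of the group attribute from an already-validated assertion."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values += [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values


def groups_from_jwt_claims(claims: dict, claim_name: str = "groups") -> list:
    """Read the group claim from an already-verified access token payload."""
    groups = claims.get(claim_name, [])
    return [groups] if isinstance(groups, str) else list(groups)


def effective_privileges(groups: list, roles: dict = SM_ROLES) -> tuple:
    """Return (matched role names, union of their privileges).

    Groups without a role of the same name contribute nothing, as the page states;
    a user whose groups match no role ends up with no privileges at all.
    """
    matched = [g for g in groups if g in roles]
    privileges = set().union(*(roles[g] for g in matched)) if matched else set()
    return matched, privileges
```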
At this moment, the single sign-on configuration should be ready.
Authenticating with Single Sign-On