Single sign-on
Required Permission: Settings management (Read more about permissions in User Groups)
Graphlytic supports Single sign-on integration with external Identity Providers (IdP) using the SAML2 protocol.
1. How it works
When the SAML2 integration is enabled, the Login page includes an SSO login option (the title of the button is configurable, see "Login Label" below).

After clicking the "External SSO" option the user is redirected to the login page of the Identity Provider.
After a successful login on the Identity Provider side and the redirect back to the Graphlytic application, the user is logged in according to one of these scenarios:
The user already exists in Graphlytic: the user is logged in and their user group memberships are updated according to the group information received from the IdP and the mapping defined in the SAML2 integration configuration.
The user does not exist in Graphlytic yet: the user is created (if the licensed number of users has not been reached yet) and their user group memberships are set according to the group information received from the IdP and the mapping defined in the SAML2 integration configuration. To log in successfully, a user has to be assigned to at least one User Group through the group (LDAP) mapping. If you want to make sure that the user can always log in, fill in the "Fallback group"; it is assigned to users who match no mapping during identity provisioning. Because every user the IdP authenticates but no mapping matches receives this group, give it only the minimum permissions you are willing to grant to any account in the IdP.
2. Configuration
2.1. Identity Provider connection configuration
To update SSO settings use the Single Sign-On panel on the Settings page.

UI field | Example value | Description |
---|---|---|
Single Sign-On enabled | | Switch for turning the Single Sign-On functionality on or off. |
Login Label | Sign in with SSO | Title of the Login page button. If empty, the Name of the IdP is used instead. |
Verifying certificate | -----BEGIN CERTIFICATE----- MIIDBTCCAe2gAwIBAgIQH4Fl... | IdP signing certificate. It is used to verify the XML signature of the response, i.e. that the response was issued by the configured IdP and was not altered in transit. |
Decryption certificate | -----BEGIN CERTIFICATE----- MIIDBTCCAe2gAwIBAgIQH4FI... | Certificate used to decrypt messages from the IdP. Leave it empty if the communication with the IdP is not encrypted. |
IdP entity ID | active_directory_id | The IdP entity identifier (Asserting Party Entity ID). It has to match the Issuer value the IdP puts into its responses. |
Graphlytic entity ID | graphlytic_idp_id | Identifier under which the local application (Graphlytic) is known to the IdP. It has to be registered in the IdP configuration. |
SSO Redirect URL | https://idp_url_for_login.com/sso | Login URL of the IdP. The user is redirected to this location when the login workflow starts. |
Assertion Consumer URL | https://domain.com/login/saml2/sso/idpid | URL to which the IdP sends the user back (together with the SAML response) after a successful login. If not defined, a default value is used. This value is sent in the authentication request, and some IdPs read and use it automatically; others require it to be registered on the IdP side as well. |
Group claim | claims/role | Name of the attribute (claim) in the returned assertion XML that carries the user's IdP group memberships. |
Fallback group | Name_of_the_group | Name of a Graphlytic user group assigned to a user when no group mapping matched. If the Fallback group is not configured or the group does not exist in Graphlytic, such a user (with no user groups) is not created in Graphlytic, to avoid consuming a license. |
2.2. User groups mapping
Mapping of the LDAP groups stored in the Identity Provider to Graphlytic groups is done in the User Groups management. Every Graphlytic user group can have multiple LDAP groups assigned; these are used to map the user to the Graphlytic groups during the login process.
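The provisioning rules from section 1 and the group mapping described here can be replayed offline. The following Python is an added illustration, not Graphlytic's implementation: it parses a constructed SAML response with the standard library, checks the Issuer and Audience against the configured entity IDs, reads the group claim, maps the IdP groups through a hypothetical User Groups mapping, and applies the fallback group and the license limit as the text describes. The configuration values, LDAP group names and user names are made up. Verification of the XML signature with the Verifying certificate is assumed to have happened before any of this and is not shown.

```python
import xml.etree.ElementTree as ET

# XML namespaces of SAML 2.0 protocol messages and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as they would be entered in the Single Sign-On panel (hypothetical,
# taken from the example column of the settings table where one exists).
CONFIG = {
    "idp_entity_id": "active_directory_id",
    "graphlytic_entity_id": "graphlytic_idp_id",
    "group_claim": "claims/role",
    "fallback_group": "viewers",        # set to None to disable the fallback
}

# Hypothetical User Groups management: Graphlytic group -> LDAP groups mapped onto it.
GROUP_MAPPING = {
    "admins": {"CN=graph-admins,OU=Groups,DC=example,DC=com"},
    "analysts": {"CN=graph-analysts,OU=Groups,DC=example,DC=com",
                 "CN=soc,OU=Groups,DC=example,DC=com"},
    "viewers": set(),                   # the fallback group maps no LDAP group itself
}


def make_response(name_id, groups, issuer="active_directory_id",
                  audience="graphlytic_idp_id", claim="claims/role"):
    """Build a constructed, unsigned SAML response for the examples (not real IdP output)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{claim}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_identity(xml_text, config):
    """Return (name_id, set of IdP groups) from a response, or raise ValueError.

    Assumes the XML signature was already verified with the Verifying certificate;
    this only checks that the response comes from the configured IdP and is
    addressed to this Graphlytic instance.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:            # refuse ambiguous multi-assertion responses
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != config["idp_entity_id"]:
            raise ValueError("issuer does not match the IdP entity ID")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if config["graphlytic_entity_id"] not in audiences:
        raise ValueError("assertion is not addressed to the Graphlytic entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    groups = set()
    for attr in assertion.findall(".//saml:Attribute", NS):
        if attr.get("Name") == config["group_claim"]:  # the configured Group claim
            groups.update(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id.text, groups


def map_groups(idp_groups, mapping, fallback_group):
    """Translate IdP groups into Graphlytic groups; use the fallback if none matched."""
    matched = sorted(g for g, ldap_groups in mapping.items() if ldap_groups & idp_groups)
    if matched:
        return matched
    if fallback_group and fallback_group in mapping:   # fallback must exist in Graphlytic
        return [fallback_group]
    return []


def login(xml_text, config, mapping, existing_users, licensed_users):
    """Replay the scenarios from section 1 and report what happens to the user."""
    try:
        name_id, idp_groups = extract_identity(xml_text, config)
    except ValueError as exc:
        return {"action": "rejected", "reason": str(exc)}
    groups = map_groups(idp_groups, mapping, config["fallback_group"])
    if not groups:                      # no group after mapping: no login, no new user
        return {"action": "denied", "user": name_id, "reason": "no user group after mapping"}
    if name_id in existing_users:       # existing user: memberships refreshed from the IdP
        return {"action": "updated", "user": name_id, "groups": groups}
    if len(existing_users) >= licensed_users:
        return {"action": "denied", "user": name_id, "reason": "licensed number of users reached"}
    existing_users.add(name_id)         # new user is provisioned on first login
    return {"action": "created", "user": name_id, "groups": groups}
```

Feeding `make_response("bob", ["CN=soc,OU=Groups,DC=example,DC=com"])` to `login` creates bob in the "analysts" group, a user with only unmapped groups lands in the fallback group "viewers", and the same user with the fallback disabled is not created at all. A response whose Issuer is not the configured IdP entity ID is rejected before any mapping happens.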

2.3. Default Configuration
The default configuration can be overridden in the graphlytic.conf file (the application must be restarted after any change to this file).
More information can be found on the Configuration page.
3. Example configuration of Azure Active Directory
Azure Active Directory can be used as an SSO provider for Graphlytic.
We assume the tenant, app registration, user, and group have already been created following Microsoft's documentation.

Attribute | Example Value | Description |
---|---|---|
Verifying Certificate | -----BEGIN CERTIFICATE----- MIIDBTCCAe2gAwIBAgIQH4FlYAM+UJlF0G3vy9ZrhTANBgkq………. | Certificate used to verify the signature of the SAML assertion; depending on your infrastructure it may need to be set. See chapter "3.1. VERIFYING CERTIFICATE" for how to obtain it. |
IdP entity ID | https://sts.windows.net/87654321-4321-4321-4321-3d7hh723f7/ | Must have the form "https://sts.windows.net/{TENANT_ID}/". In our example {TENANT_ID} is 87654321-4321-4321-4321-3d7hh723f7. Do not forget the slash "/" at the end of the IdP entity ID string. |
Graphlytic entity ID | spn:12345678-1234-1234-1234-971777321736 | Must have the form "spn:{Application_ID}"; in our example {Application_ID} is 12345678-1234-1234-1234-971777321736. |
SSO Redirect URL | https://login.microsoftonline.com/87654321-4321-4321-4321-3d7hh723f7/saml2 | SAML-P sign-on endpoint of the tenant, i.e. "https://login.microsoftonline.com/{TENANT_ID}/saml2". |
Assertion Consumer URL | https://my-domain.com/login/saml2/sso/azuread | The URL must end with /login/saml2/sso/{Name of IdP}. The same value has to be registered in Azure Active Directory → App Registration → Redirect URIs. |
3.1. VERIFYING CERTIFICATE
The verifying certificate is part of the "Federation metadata document", which can be downloaded using the link shown in the Endpoints panel of the app registration.
In the metadata XML file the certificate is located under: EntityDescriptor → Signature → KeyInfo → X509Data → X509Certificate
The element contains the base64-encoded certificate without the PEM header and footer. Enter it into the "Verifying certificate" field as a complete PEM block, i.e. the whole text beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
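The two manual steps of this chapter, pulling the certificate out of the federation metadata and filling in the Azure-specific values from the table above, are easy to get subtly wrong (a missing trailing slash, a tenant ID that differs between two fields). The following Python is an added helper, not part of Graphlytic or of Microsoft's tooling: it extracts the X509Certificate from a constructed metadata document along the path named above, wraps it into a PEM block, and checks the shape of the Azure values against the forms given in the table, cross-checking the tenant against the metadata's entityID. The tenant ID, application ID, domain and the `idp_name` key (the "{Name of IdP}" at the end of the Assertion Consumer URL) are assumptions; the certificate body is placeholder text.

```python
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Constructed identifiers; these are not real tenant or application IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# What the Single Sign-On panel would be filled with for this tenant (hypothetical).
GOOD_SETTINGS = {
    "idp_name": "azuread",               # the {Name of IdP} ending the Assertion Consumer URL
    "idp_entity_id": f"https://sts.windows.net/{TENANT_ID}/",
    "graphlytic_entity_id": f"spn:{APPLICATION_ID}",
    "sso_redirect_url": f"https://login.microsoftonline.com/{TENANT_ID}/saml2",
    "assertion_consumer_url": "https://my-domain.com/login/saml2/sso/azuread",
}

# Placeholder base64, not a real certificate (a real one is much longer).
FAKE_CERT_B64 = "MIIDBTCCAe2gAwIBAgIQH4Fl" + "Q" * 200
# Constructed federation metadata with the element path the text describes;
# the base64 is wrapped across lines, as it may be in a real download.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <Signature xmlns="{NS['ds']}">
    <KeyInfo><X509Data><X509Certificate>
      {FAKE_CERT_B64[:100]}
      {FAKE_CERT_B64[100:]}
    </X509Certificate></X509Data></KeyInfo>
  </Signature>
</EntityDescriptor>"""


def extract_verifying_certificate(metadata_xml):
    """Return the certificate under EntityDescriptor/Signature/KeyInfo/X509Data as a PEM block."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML metadata EntityDescriptor")
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text or not node.text.strip():
        raise ValueError("no X509Certificate under EntityDescriptor/Signature/KeyInfo")
    b64 = "".join(node.text.split())     # the element holds bare base64, possibly line-wrapped
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_azure_settings(settings, metadata_xml=None):
    """Return a list of problems with the Azure AD values; an empty list means they look right."""
    problems = []
    m_idp = re.fullmatch(rf"https://sts\.windows\.net/({GUID})/", settings["idp_entity_id"])
    if not m_idp:
        problems.append('IdP entity ID must be "https://sts.windows.net/{TENANT_ID}/" including the trailing slash')
    m_sso = re.fullmatch(rf"https://login\.microsoftonline\.com/({GUID})/saml2", settings["sso_redirect_url"])
    if not m_sso:
        problems.append('SSO Redirect URL must be "https://login.microsoftonline.com/{TENANT_ID}/saml2"')
    elif m_idp and m_sso.group(1) != m_idp.group(1):
        problems.append("SSO Redirect URL and IdP entity ID name different tenants")
    if not re.fullmatch(rf"spn:{GUID}", settings["graphlytic_entity_id"]):
        problems.append('Graphlytic entity ID must be "spn:{Application_ID}"')
    acs_suffix = "/login/saml2/sso/" + settings["idp_name"]
    acs = settings["assertion_consumer_url"]
    if not acs.startswith("https://") or not acs.endswith(acs_suffix):
        problems.append(f"Assertion Consumer URL must be an https URL ending with {acs_suffix}")
    if metadata_xml is not None:         # cross-check against the downloaded federation metadata
        entity_id = ET.fromstring(metadata_xml).get("entityID")
        if entity_id != settings["idp_entity_id"]:
            problems.append(f"metadata entityID {entity_id!r} differs from the configured IdP entity ID")
    return problems
```

Run `extract_verifying_certificate` on the downloaded metadata to obtain the exact text for the "Verifying certificate" field, and `check_azure_settings` on the values you intend to enter; removing the trailing slash from the IdP entity ID, for instance, produces both a format complaint and a mismatch against the metadata's entityID.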

3.2. TENANT ID

3.3. APPLICATION ID

3.4. SAML-P

3.5. REDIRECT URLS
