Single sign-on

Required Permission: Settings management (Read more about Permissions)


Graphlytic supports Single sign-on integration with external Identity Providers using the SAML2 protocol.

How it works

When the SAML2 integration is enabled (configured in graphlytic.conf or using environment variables), the Login page includes an SSO login option (the title of the button is configurable).

(Screenshot: login.png)

After clicking on the "External SSO" option the user is redirected to the login page of the IdP.

After successful login on the IdP side and the redirect back to the Graphlytic application, the user is logged into the application in one of these scenarios:

  1. The user already exists in Graphlytic: the user is logged into the application and their user group mappings are updated according to the information received from the IdP and the mapping defined in the SAML2 integration configuration.

  2. The user does not yet exist in Graphlytic: the user is created (if the licensed number of users has not yet been reached) and their user group mappings are set according to the information received from the IdP and the mapping defined in the SAML2 integration configuration. To log in correctly, a user has to be assigned to at least one User Group based on the group (LDAP) mapping. If you want to make sure that the user can always log in, fill out the "Fallback group", which is assigned to users with no group during the identity provisioning process.

Configuration

IdP connection configuration

To update SSO settings use the Single Sign-On panel on the Settings page.

(Screenshot: image2021-4-7_17-58-38.png)

The panel contains the following fields (UI field, example value, description):

UI field: Single Sign-On enabled
Description: Switch for turning the Single Sign-On functionality on or off.

UI field: Name of IdP
Example value: External SSO
Description: Title of the Login page button.

UI field: Verifying certificate
Example value: /usr/local/graphlytic/conf/idp-pub
Description: Path to the IdP certificate used to verify the IdP's signature. This certificate is used to verify that the response is intact and that it was sent by the configured IdP.

UI field: Decryption certificate
Example value: /usr/local/graphlytic/conf/enc-pub
Description: Path to the IdP certificate used for decryption. Can be left empty if communication with the IdP is not encrypted. If defined, this certificate is used to decrypt messages from the IdP.

UI field: IdP entity ID
Example value: active_directory_id
Description: The IdP entity identifier (Asserting Party Entity Id).

UI field: Graphlytic entity ID
Example value: graphlytic_idp_id
Description: The local application (Graphlytic) entity ID used in communication with the IdP. It has to be registered in the IdP configuration.

UI field: SSO Redirect URL
Example value: https://idp_url_for_login.com/sso
Description: Login redirect URL. The user is redirected to this location during the login workflow.

UI field: Assertion Consumer URL
Example value: https://domain.com/login/saml2/sso
Description: Assertion URL to which the successfully logged-in user is redirected back from the IdP. If not defined, a default value is used (this value is sent in the request to the IdP, and some IdPs automatically read and use it).

UI field: Group claim
Example value: claims/role
Description: The name of the claim in the returned XML that carries the user's group memberships used for user group mapping.

UI field: Fallback group
Example value: Name_of_the_group
Description: Name of a Graphlytic user group assigned when no group mapping was successful. If the Fallback group is not configured, or the group does not exist in Graphlytic, a user with no user groups is not created in Graphlytic (to minimize license consumption).

User groups mapping

Mapping of the LDAP groups stored in the IdP to Graphlytic groups is done in Groups management. Every Graphlytic user group can have multiple LDAP groups assigned; these are used to map the IdP groups to Graphlytic groups during the user's login process.
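The following is an added example, not Graphlytic's own code, showing how the rules described above (the "Group claim", the LDAP-to-Graphlytic group mapping, and the "Fallback group" behaviour from the "How it works" section and the configuration table) can be applied to the group attribute of a SAML2 assertion. It assumes that the SAML library has already verified the assertion signature against the "Verifying certificate" and decrypted it with the "Decryption certificate" before this code runs; the assertion XML, the LDAP group names and the Graphlytic group names are constructed for this example, and the element names follow the SAML 2.0 assertion schema.

```python
"""Added example (not Graphlytic's own code): applying the user group
mapping and fallback-group rules to the group claim of a SAML2 assertion.

Assumption (not from the page): the assertion below has already been
signature-verified and decrypted by the SAML library. Only verified
assertions may drive group assignment.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. "claims/role" matches the example
# 'Group claim' value from the configuration table on this page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="claims/role">
      <saml:AttributeValue>CN=Analysts,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Everyone,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping in the shape Groups management describes:
# each Graphlytic group lists the LDAP groups that map to it.
GROUP_MAPPING = {
    "analysts": ["CN=Analysts,OU=Groups,DC=example,DC=com"],
    "admins": ["CN=GraphlyticAdmins,OU=Groups,DC=example,DC=com"],
}


def extract_group_claim(assertion_xml, claim_name):
    """Return all values of the named attribute from the assertion.

    A missing attribute yields an empty list; that is exactly the case
    the 'Fallback group' setting is meant to cover.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((val.text or "").strip())
    return values


def resolve_user_groups(idp_groups, mapping, fallback_group=None, known_groups=()):
    """Map IdP group values to Graphlytic groups following the page's rules.

    Returns a sorted list of Graphlytic groups, or None when the user
    would end up with no group at all and therefore must not be created
    (the 'minimize license consumption' rule). IdP groups that appear in
    no mapping are simply ignored. The fallback group only counts if it
    is configured AND actually exists in Graphlytic.
    """
    idp_set = set(idp_groups)
    resolved = {g for g, ldap_groups in mapping.items() if idp_set & set(ldap_groups)}
    if not resolved:
        if fallback_group and fallback_group in known_groups:
            resolved = {fallback_group}
        else:
            return None
    return sorted(resolved)


def provision_from_assertion(assertion_xml, claim_name, mapping, fallback_group, known_groups):
    """Full decision for one login: the user's Graphlytic groups, or None to reject."""
    return resolve_user_groups(
        extract_group_claim(assertion_xml, claim_name), mapping, fallback_group, known_groups
    )


if __name__ == "__main__":
    known = ("analysts", "admins", "viewers")
    print(provision_from_assertion(SAMPLE_ASSERTION, "claims/role", GROUP_MAPPING, "viewers", known))
```

Note that an IdP group with no mapping (here "CN=Everyone,...") contributes nothing: the user still gets only the groups that are explicitly mapped, and the fallback is consulted only when the mapped set is empty. If the fallback group name does not exist in Graphlytic, the function returns None, mirroring the documented behaviour that such a user is not created.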

(Screenshot: ldap_groups.png)

Default Configuration

The default configuration can be overridden in the graphlytic.conf file (the application needs to be restarted after any change to this file).

More information can be found on the Configuration page.