Skip to main content

Home

Enabling SAML authentication for Unravel Web UI

To use SAML, you must configure Unravel host and the SAML server.

Configure Unravel host
  1. Stop Unravel

    <Unravel installation directory>/unravel/manager stop
    
  2. Set the following properties:

    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode saml 
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.saml.config </absolute_path/saml.json>

    Warning

    You must specify the absolute path to the saml.json file. The relative path causes an exception.

    Note

    For more SAML authentication properties, see SAML properties.

  3. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  4. Edit the saml.json file. The following is a sample of the saml.json file.

    {
      "entryPoint":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
    
      "issuer":"localhost",
    
      "logoutUrl":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
    
       "callbackUrl":"https://congo51.unraveldata.com:3000/saml/consume",
    
    "cert":"MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
    
    ...
    }

    Property

    Description

    Req

    Example Values

    entryPoint

    Identity provider entry point, Ping IdP address (SSO URL).

    Note

    The identity provider entry point must be spec-compliant when the request is signed.

    Yes

    http://myHost:9080/simplesaml/saml2/idp/SSOService.php

    issuer

    Name of app that connects to the SAML server.

    Issuer string to supply to identify provider (Environment name). It should match the name configured in Idp.

    Yes

    localhost

    cert

    IDP's public cert to validate auth response signature.

    Note

    Retrieve this from the SAML host.

    The encoding format must be base64 without comment lines.

    Yes

    Idp Cert String

    Important

    You must remove the BEGIN CERTIFICATE and END CERTIFICATE lines and specify the certificate on a single line.

    Example: MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==

    logoutUrl

    Base address to call with logout requests.

    Default: entryPoint

    No

    http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php

    callbackUrl

    Value is the same as AssertionConsumerService URL configured in the SAML server. This property is added only when HTTPS is used.

    No

    https://congo51.unraveldata.com:3000/saml/consume

    unravel_mapping

    (Optional)

    Mapping SAML auth response attributes to Unravel attributes.

    Yes

    {

    "username":"userid",

    "groups":"ds_groups"

    }

    privateCert

    Unravel private cert string to sign Auth requests. The Unravel node generates this string.

    Note

    The encoding format must be base64 without comment lines.

    No

    Unravel cert string

    Important

    You must escape the new lines.

    Example: -----BEGIN PRIVATEKEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUko\ny9GGmsV5IaIwhepuALJMdkHp-----END PRIVATE KEY-----\n

    For Ping, you can obtain the IdP certificate as follows:

    1. In the Server Configuration section, select Certificate Management and Digital Signing & XML Decryption Keys & Certificates.

    2. Click Export for the IdP certificate that you require.

    3. Select Certificate Only and click Next.

    4. Click Export, and save the file.

  5. Start Unravel

    <Unravel installation directory>/unravel/manager start
Configure SAML server

Configure the following properties on the SAML server. Replace UNRAVEL_HOST with the fully qualified path or IP address of your Unravel host.

Property

Description

Req

PingFederate Specific configuration

AssertionConsumerService /

ACS Url

http(s)://UNRAVEL_HOST:3000/saml/consume

Yes

Edit a SAML Application

Setting Assertion Consumer Service URLs

Entity Identifier

unravel-Congo24

Yes

Should be the same as the issuer in saml.json.

Single Logout Endpoint

http://UNRAVEL_HOST:3000/

Specifying Single Logout Service URL

Single Logout Response Endpoint

http://UNRAVEL_HOST:3000/

No

-

SAML

These properties are required when com.unraveldata.login.mode=saml.