Home

Enabling SAML authentication for Unravel Web UI

To use SAML you must configure both your Unravel Host and SAML server.

Configure Unravel host
  1. Add/modify these properties in unravel.properties.

    com.unraveldata.login.mode=saml 
    com.unraveldata.login.saml.config=/usr/local/unravel/etc/saml.json
    

    Note

    For more SAML Authentication properties, see SAML properties.

  2. Edit saml.json file

    Property

    Description

    Req

    Example Values

    entryPoint

    Identity provider entrypoint, Ping IdP address (SSO URL).

    Note: Identity provider entrypoint is required to be spec-compliant when the request is signed.

    Yes

    "http://myHost:9080/simplesaml/saml2/idp/SSOService.php"

    issuer

    Name of app that will connect to the saml server.

    Issuer string to supply to identity provider (Environment name). Should match the name configured in Idp.

    Yes

    "unravel-myHost”

    cert

    IDP's public cert to validate auth response signature.

    Note: You retrieve this from saml host.

    Yes

    Idp Cert String

    logoutUrl

    Base address to call with logout requests.

    Default: entryPoint

    No

    "http://myHost:9080/simplesaml/saml2/idp/SingleLogoutService.php"

    logoutEnabled

    If true logs you out from every app.

    No

    false

    unravel_mapping

    Mapping saml auth response attributes to Unravel attributes.

    Yes

    {

    "username":"userid",

    "groups":"ds_groups"

    }

    privateCert

    Unravel private cert string to sign Auth requests.

    No

    Unravel cert string

    Example saml.json

    {
      "entryPoint":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
    
      "issuer":"localhost",
    
      "logoutUrl":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
    
      // generated by saml host
    "cert":"MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
    "privateCert":"-----BEGIN PRIVATE // generated by unravel node
           KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUkoW\nG9QDHUBnY7S/iS/+u2BjPZqUG2JktzYZl30J05zA6i642i2VDn8eUIPHqt2Hw249\nZ3nHKL4YnBVqa3yTfEkdMB/6GSAkoCbnufaD3IsGcFJnlW5raDiT/GZMy+1WnDfJ\npB0/.......vD8kRkcmEi9t3KLmKVy3SO15/YHAhLxP9oTnTFGkPnIqZLRM0Y55UfwbRSZDlgH/\ny9GGmsV5IaIwhepuALJMdkHp\n-----END PRIVATE KEY-----\n",
    
      "unravel_mapping":
       {
         "username":"userid",
           "groups":"ds_groups"
       }
    }

    For Ping, the IdP certificate can be obtained as follows:

    • In the Server Configuration section, select Certificate Management and Digital Signing & XML Decryption Keys & Certificates.

    • Click Export for the IdP certificate that you require.

    • Select Certificate Only and click Next.

    • Click Export, and save the file.

Configure SAML server

Configure the following properties on the SAML server. Replace UNRAVEL_HOST with the fully qualified path or IP address of your Unravel host.

Property

Description

Req

PingFederate Specific configuration

AssertionConsumerService /

ACS Url

http(s)://UNRAVEL_HOST:3000/saml/consume

Yes

Edit a SAML Application

Setting Assertion Consumer Service URLs

Entity Identifier

unravel-Congo24

Yes

Should be same as the issuer in saml.json.

Single Logout Endpoint

http://UNRAVEL_HOST:3000/

Specifying Single Logout Service URL

Single Logout Response Endpoint

http://UNRAVEL_HOST:3000/

No

Note

To use SAML with RBAC see Configure LDAP or SAML RBAC Properties.