Enabling SAML authentication for Unravel Web UI

To use SAML you must configure both your Unravel Host and SAML server.

Configure Unravel host
  1. Add/modify these properties in /usr/local/unravel/etc/unravel.properties.

    com.unraveldata.login.mode=saml
    com.unraveldata.login.saml.config=/usr/local/unravel/etc/saml.json

    To use SAML with RBAC see Configure LDAP or SAML RBAC Properties.

  2. Edit the saml.json file (the file named by com.unraveldata.login.saml.config).

    | Property | Description | Required | Example values |
    |---|---|---|---|
    | entryPoint | Identity provider entry point, i.e. the Ping IdP address (SSO URL). Note: the identity provider entry point must be spec-compliant when the request is signed. | Yes | "http://myHost:9080/simplesaml/saml2/idp/SSOService.php" |
    | issuer | Name of the app that connects to the SAML server: the issuer string supplied to the identity provider (environment name). Must match the name configured in the IdP. | Yes | "unravel-myHost" |
    | cert | The IdP's public certificate, used to validate the signature on the authentication response. Note: you retrieve this from the SAML host. | Yes | IdP certificate string |
    | logoutUrl | Base address to call with logout requests. Default: entryPoint | No | "http://myHost:9080/simplesaml/saml2/idp/SingleLogoutService.php" |
    | logoutEnabled | If true, logging out of Unravel logs you out of every app. | No | false |
    | unravel_mapping | Mapping of SAML authentication response attributes to Unravel attributes. | Yes | {"username":"userid", "groups":"ds_groups"} |
    | privateCert | Unravel private key string (PEM) used to sign authentication requests. | No | Unravel private key string |

    Example saml.json (the cert value is generated by the SAML host and the privateCert value by the Unravel node; both are truncated here):

    {
      "entryPoint":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
      "issuer":"localhost",
      "logoutUrl":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
      "cert":"MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
      "privateCert":"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUkoW\nG9QDHUBnY7S/iS/+u2BjPZqUG2JktzYZl30J05zA6i642i2VDn8eUIPHqt2Hw249\nZ3nHKL4YnBVqa3yTfEkdMB/6GSAkoCbnufaD3IsGcFJnlW5raDiT/GZMy+1WnDfJ\npB0/.......vD8kRkcmEi9t3KLmKVy3SO15/YHAhLxP9oTnTFGkPnIqZLRM0Y55UfwbRSZDlgH/\ny9GGmsV5IaIwhepuALJMdkHp\n-----END PRIVATE KEY-----\n",
      "unravel_mapping": {
        "username":"userid",
        "groups":"ds_groups"
      }
    }

    For Ping, the IdP certificate can be obtained as follows:

    • In the Server Configuration section, select Certificate Management and Digital Signing & XML Decryption Keys & Certificates.

    • Click Export for the IdP certificate that you require.

    • Select Certificate Only and click Next.

    • Click Export, and save the file.

Configure SAML server

Configure the following properties on the SAML server. Replace UNRAVEL_HOST with the fully qualified domain name or IP address of your Unravel host.

| Property | Description | Required | PingFederate-specific configuration |
|---|---|---|---|
| AssertionConsumerService / ACS URL | http(s)://UNRAVEL_HOST:3000/saml/consume | Yes | Edit a SAML Application, then Setting Assertion Consumer Service URLs |
| Entity Identifier | unravel-Congo24. Must be the same as the issuer in saml.json. | Yes | |
| Single Logout Endpoint | http://UNRAVEL_HOST:3000/ | | Specifying Single Logout Service URL |
| Single Logout Response Endpoint | http://UNRAVEL_HOST:3000/ | No | |
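The two sides have to agree: the IdP's Entity Identifier must equal issuer in saml.json, the ACS URL must point at port 3000 of the Unravel host, and the required properties in saml.json must all be present. The script below is an added example written for this page, not Unravel's own tooling; it audits a saml.json against the property table in step 2 and cross-checks it against the values entered on the IdP side from the table above. The sample saml.json and IdP-side record are constructed, the certificate and key strings are placeholders, and the keys acs_url, entity_id and slo_endpoint, like the host name unravel.example.com, are assumptions of the example.

```python
import base64
import binascii
import json
from urllib.parse import urlparse

# Property names taken from the saml.json table on this page.
REQUIRED = ("entryPoint", "issuer", "cert", "unravel_mapping")
OPTIONAL = ("logoutUrl", "logoutEnabled", "privateCert")

# Constructed sample shaped like the page's example saml.json. The certificate
# and key values are placeholders, not real key material.
SAMPLE_CFG = {
    "entryPoint": "https://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
    "issuer": "unravel-myHost",
    "logoutUrl": "https://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
    "cert": base64.b64encode(b"placeholder IdP certificate bytes").decode(),
    "privateCert": "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n",
    "unravel_mapping": {"username": "userid", "groups": "ds_groups"},
}
SAMPLE_SAML_JSON = json.dumps(SAMPLE_CFG, indent=2)

# Constructed record of what was entered on the IdP (PingFederate) side, keyed by
# the rows of the "Configure SAML server" table; the key names and host are assumed.
SAMPLE_IDP_SIDE = {
    "acs_url": "https://unravel.example.com:3000/saml/consume",
    "entity_id": "unravel-myHost",
    "slo_endpoint": "https://unravel.example.com:3000/",
}


def _is_base64(value: str) -> bool:
    """True if value is a bare base64 blob, the form the page's cert example uses."""
    try:
        base64.b64decode("".join(value.split()), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_saml_json(cfg: dict) -> list[str]:
    """Return findings for a parsed saml.json; an empty list means nothing to fix."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"missing required property: {key}")
    for key in sorted(set(cfg) - set(REQUIRED) - set(OPTIONAL)):
        findings.append(f"unknown property (not in the documented set): {key}")
    # Authentication requests and logout requests are sent to these URLs.
    for key in ("entryPoint", "logoutUrl"):
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            findings.append(f"{key} does not use https")
    if cfg.get("cert") and not _is_base64(cfg["cert"]):
        findings.append("cert is not a base64 certificate string")
    mapping = cfg.get("unravel_mapping")
    if isinstance(mapping, dict):
        if not mapping.get("username"):
            findings.append("unravel_mapping has no username attribute")
    elif mapping is not None:
        findings.append("unravel_mapping must be a JSON object")
    if not cfg.get("privateCert"):
        # Without the private key Unravel cannot sign its authentication requests.
        findings.append("privateCert not set: authentication requests will be unsigned")
    return findings


def check_idp_side(cfg: dict, idp: dict, unravel_host: str) -> list[str]:
    """Cross-check IdP-side values against saml.json and the Unravel host name."""
    findings = []
    acs = urlparse(idp.get("acs_url", ""))
    if acs.netloc != f"{unravel_host}:3000" or acs.path != "/saml/consume":
        findings.append(f"ACS URL must be http(s)://{unravel_host}:3000/saml/consume")
    elif acs.scheme != "https":
        findings.append("ACS URL does not use https")
    if idp.get("entity_id") != cfg.get("issuer"):
        findings.append("Entity Identifier on the IdP does not match issuer in saml.json")
    slo = idp.get("slo_endpoint", "")
    if slo and urlparse(slo).netloc != f"{unravel_host}:3000":
        findings.append(f"Single Logout Endpoint does not point at {unravel_host}:3000")
    return findings


def audit(saml_json_text: str, idp: dict, unravel_host: str) -> list[str]:
    """Parse saml.json text and run both sets of checks."""
    cfg = json.loads(saml_json_text)
    return check_saml_json(cfg) + check_idp_side(cfg, idp, unravel_host)


if __name__ == "__main__":
    for line in audit(SAMPLE_SAML_JSON, SAMPLE_IDP_SIDE, "unravel.example.com") or ["no findings"]:
        print(line)
```

Run it against the real file by replacing SAMPLE_SAML_JSON with the contents of /usr/local/unravel/etc/saml.json and the IdP record with what was entered in PingFederate; every line it prints is a mismatch between the two tables on this page.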