
Enabling SAML authentication for Unravel Web UI

To use SAML you must configure both the Unravel host and the SAML server (the identity provider, IdP): the host needs the IdP's entry point and signing certificate, and the IdP needs Unravel's assertion consumer URL and entity identifier.

Configure Unravel host
  1. Stop Unravel

    <Unravel installation directory>/unravel/manager stop
    
  2. Set the following properties:

    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode saml 
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.saml.config </path/to/saml.json>
    

    Note

    For more SAML Authentication properties, see SAML properties.

  3. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  4. Edit the saml.json file (the path you set in com.unraveldata.login.saml.config). The following is a sample; the cert and privateCert values are abbreviated. cert is the IdP's signing certificate as a single-line base64 string, exported from the SAML host; privateCert is the PEM private key generated on the Unravel node, with its line breaks written as \n. JSON does not allow comments, so do not annotate the file itself. Because saml.json holds that private key, make it readable only by the account that runs Unravel. The sample uses http:// endpoints; in production the IdP endpoints should be https://, otherwise the SAML messages travel in clear. The sample's "issuer":"localhost" is a placeholder: issuer must match the Entity Identifier you register on the IdP.

    {
      "entryPoint":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SSOService.php",
      "issuer":"localhost",
      "logoutUrl":"http://myHost.unraveldata.com:9080/simplesaml/saml2/idp/SingleLogoutService.php",
      "cert":"MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==",
      "privateCert":"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEt4Ma2k4DUkoW\nG9QDHUBnY7S/iS/+u2BjPZqUG2JktzYZl30J05zA6i642i2VDn8eUIPHqt2Hw249\nZ3nHKL4YnBVqa3yTfEkdMB/6GSAkoCbnufaD3IsGcFJnlW5raDiT/GZMy+1WnDfJ\npB0/.......vD8kRkcmEi9t3KLmKVy3SO15/YHAhLxP9oTnTFGkPnIqZLRM0Y55UfwbRSZDlgH/\ny9GGmsV5IaIwhepuALJMdkHp\n-----END PRIVATE KEY-----\n",
      "unravel_mapping":
      {
        "username":"userid",
        "groups":"ds_groups"
      }
    }

    The saml.json properties:

    entryPoint (required)
      Identity provider entry point: the IdP's SSO URL (for Ping, the Ping IdP address).
      Note: when the authentication request is signed (privateCert is set), the entry point must be spec-compliant.
      Example: "http://myHost:9080/simplesaml/saml2/idp/SSOService.php"

    issuer (required)
      Name under which Unravel identifies itself to the identity provider (the environment name). Must match the Entity Identifier configured on the IdP.
      Example: "unravel-myHost"

    cert (required)
      The IdP's public certificate, used to validate the signature on the authentication response. Retrieve it from the SAML host (for Ping, see the export steps below).
      Example: IdP certificate string (single-line base64)

    logoutUrl (optional)
      Base address to which logout requests are sent.
      Default: the entryPoint value
      Example: "http://myHost:9080/simplesaml/saml2/idp/SingleLogoutService.php"

    logoutEnabled (optional)
      If true, logging out of Unravel also logs you out of every other app (single logout).
      Example: false

    unravel_mapping (required)
      Maps attribute names in the SAML authentication response to Unravel attributes: username names the attribute that carries the login name, groups the attribute that carries group membership.
      Example: { "username":"userid", "groups":"ds_groups" }

    privateCert (optional)
      Unravel's private key in PEM form (a key, despite the property name), used to sign authentication requests. Because it is a private key, restrict read access to saml.json.
      Example: Unravel private key string

    For Ping, the IdP certificate can be obtained as follows:

    1. In the Server Configuration section, select Certificate Management and Digital Signing & XML Decryption Keys & Certificates.

    2. Click Export for the IdP certificate that you require.

    3. Select Certificate Only and click Next.

    4. Click Export, and save the file.

  5. Start Unravel

    <Unravel installation directory>/unravel/manager start
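Before running manager config apply and starting Unravel, it is worth linting saml.json for the mistakes this procedure invites: a truncated or PEM-armored cert, a privateCert without \n line breaks, an issuer that does not match the Entity Identifier on the IdP, a missing mapping field, http:// endpoints, and a world-readable file holding the private key. The following is an added example, not part of Unravel: it makes only structural checks (the certificate is decoded as one complete DER SEQUENCE, not parsed or validated), and the certificate, key, host names and entity ID in it are constructed placeholders.

```python
"""Lint an Unravel saml.json before `manager config apply`. Added example, not Unravel code."""
import base64
import json
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

REQUIRED_KEYS = ("entryPoint", "issuer", "cert", "unravel_mapping")
REQUIRED_MAPPING = ("username", "groups")
PEM_KEY = re.compile(r"^-----BEGIN (?:RSA |EC )?PRIVATE KEY-----\n[\s\S]+?-----END (?:RSA |EC )?PRIVATE KEY-----\n?$")


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE, which is what an X.509 certificate is at the
    top level. This catches the usual paste errors: truncated, concatenated or doubled strings."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        body_len, header = first, 2
    else:                                  # long-form length: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + body_len == len(der)


def check_saml_config(path, expected_entity_id=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                       # group/other bits set on a file holding a private key
        problems.append(f"file mode is {mode:04o}; it holds a private key, use 0600")
    with open(path, encoding="utf-8") as fh:
        try:
            cfg = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON (// comments are not allowed): {exc}"]
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing required key {key!r}")
    for key in ("entryPoint", "logoutUrl"):
        url = cfg.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https; SAML messages would be sent in clear")
    cert = "".join(cfg.get("cert", "").split())      # tolerate a wrapped base64 body
    if "-----BEGIN" in cert:
        problems.append("cert must be the base64 body only, without PEM armor lines")
    else:
        try:                                         # binascii.Error is a ValueError subclass
            if not der_sequence_ok(base64.b64decode(cert, validate=True)):
                raise ValueError("not one complete DER certificate")
        except ValueError as exc:
            problems.append(f"cert is not a usable IdP certificate: {exc}")
    if "privateCert" in cfg and not PEM_KEY.match(cfg["privateCert"]):
        problems.append("privateCert must be a PEM private key with \\n line breaks")
    mapping = cfg.get("unravel_mapping", {})
    for field in REQUIRED_MAPPING:
        if not mapping.get(field):
            problems.append(f"unravel_mapping lacks {field!r}")
    if expected_entity_id is not None and cfg.get("issuer") != expected_entity_id:
        problems.append(f"issuer {cfg.get('issuer')!r} != Entity Identifier {expected_entity_id!r} on the IdP")
    return problems


# Constructed placeholders: a DER SEQUENCE of 300 zero bytes stands in for the IdP
# certificate and the PEM block is not a real key. Substitute your own values.
_FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_CERT = base64.b64encode(_FAKE_DER).decode()
TRUNCATED_CERT = base64.b64encode(_FAKE_DER[:-10]).decode()   # a copy-paste cut-off
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nTk9UQVJFQUxLRVk=\n-----END PRIVATE KEY-----\n"
SAMPLE_CONFIG = {
    "entryPoint": "https://idp.example.com/simplesaml/saml2/idp/SSOService.php",
    "issuer": "unravel-myHost",
    "logoutUrl": "https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php",
    "cert": SAMPLE_CERT,
    "privateCert": SAMPLE_KEY,
    "unravel_mapping": {"username": "userid", "groups": "ds_groups"},
}


def write_config(path, cfg, mode=0o600):
    """Write cfg as JSON and set the permission bits explicitly (chmod after write defeats the umask)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, mode)


def run_demo():
    """Write a good config and a deliberately broken one; return both problem lists."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "saml.json")
    write_config(good, SAMPLE_CONFIG)
    bad = os.path.join(workdir, "saml-bad.json")
    broken = dict(SAMPLE_CONFIG, issuer="localhost", cert=TRUNCATED_CERT,
                  entryPoint=SAMPLE_CONFIG["entryPoint"].replace("https", "http", 1))
    write_config(bad, broken, mode=0o644)
    return {"good": check_saml_config(good, expected_entity_id="unravel-myHost"),
            "bad": check_saml_config(bad, expected_entity_id="unravel-myHost")}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

Run it against the real file with check_saml_config("/path/to/saml.json", expected_entity_id="<Entity Identifier on the IdP>"); the broken sample in run_demo reports four problems (file mode, http entryPoint, truncated cert, issuer mismatch), the good one none.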
Configure SAML server

Configure the following on the SAML server (the IdP). Replace UNRAVEL_HOST with the fully qualified domain name or IP address of your Unravel host. Where a setting has a specific place in PingFederate, that location is given.

    AssertionConsumerService / ACS URL (required)
      http(s)://UNRAVEL_HOST:3000/saml/consume
      PingFederate: Edit a SAML Application, Setting Assertion Consumer Service URLs

    Entity Identifier (required)
      Example: unravel-Congo24
      Must be the same as the issuer in saml.json.

    Single Logout Endpoint
      http://UNRAVEL_HOST:3000/
      PingFederate: Specifying Single Logout Service URL

    Single Logout Response Endpoint (optional)
      http://UNRAVEL_HOST:3000/

Note

To use SAML with RBAC see Configure LDAP or SAML RBAC Properties.
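The two sides have to agree on three things: the attribute names in the IdP's assertion must be the ones named in unravel_mapping, the assertion's Audience must be the Entity Identifier (the issuer in saml.json), and the response's Destination must be the ACS URL registered on the IdP. The following is an added example, not Unravel code, that reproduces what the mapping means (Attribute Name in the AttributeStatement to Unravel field) and makes those consistency checks on a constructed, unsigned sample response, so you can confirm what your IdP actually emits. It does not verify the XML signature; Unravel does that with cert, and this check is no substitute for it. The host names, user and group values are placeholders.

```python
"""Apply unravel_mapping to a SAML Response and cross-check Audience/Destination.
Added example, not Unravel code. No signature verification is performed here."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MULTI_VALUED = {"groups"}     # Unravel fields that take every AttributeValue, not just the first

# Constructed, unsigned sample response; the host names, user and groups are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://unravel.example.com:3000/saml/consume">
  <saml:Issuer>https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>unravel-myHost</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="userid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="ds_groups">
        <saml:AttributeValue>data-science</saml:AttributeValue>
        <saml:AttributeValue>unravel-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_MAPPING = {"username": "userid", "groups": "ds_groups"}


def attribute_values(response_xml):
    """Return {attribute Name: [values...]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def resolve_mapping(response_xml, mapping):
    """Apply an unravel_mapping. Returns (resolved, missing): resolved holds the Unravel
    fields that were found; missing maps each unfound field to the attribute Name it expected,
    which is the first thing to compare against the IdP's attribute contract."""
    attrs = attribute_values(response_xml)
    resolved, missing = {}, {}
    for field, attr_name in mapping.items():
        values = attrs.get(attr_name)
        if not values:
            missing[field] = attr_name
        elif field in MULTI_VALUED:
            resolved[field] = values
        else:
            resolved[field] = values[0]
    return resolved, missing


def check_targets(response_xml, issuer, acs_url):
    """Check the response against saml.json's issuer (the Entity Identifier registered on the
    IdP) and the ACS URL registered on the IdP. Returns a list of mismatches."""
    root = ET.fromstring(response_xml)
    problems = []
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != issuer:
        problems.append(f"Audience {audience!r} != issuer {issuer!r}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    return problems


if __name__ == "__main__":
    print("attributes emitted by the IdP:", attribute_values(SAMPLE_RESPONSE))
    print("mapped:", resolve_mapping(SAMPLE_RESPONSE, SAMPLE_MAPPING))
    print("wrong name:", resolve_mapping(SAMPLE_RESPONSE, {"username": "uid", "groups": "ds_groups"}))
    print("targets:", check_targets(SAMPLE_RESPONSE, "unravel-myHost",
                                    "https://unravel.example.com:3000/saml/consume") or "OK")
```

To use it on a real login, capture the base64 SAMLResponse posted to /saml/consume (browser developer tools or a SAML tracer), decode it, and pass the XML to these functions with the issuer and ACS URL from your configuration; attribute_values shows exactly which Names the IdP emits, which is what unravel_mapping must reference.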

SAML

These properties are required when com.unraveldata.login.mode=saml.