Authentication via SAML 2.0
SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Kyvos Reporting (the service provider) to use an external identity provider (IdP) to authenticate users over SAML 2.0. No user credentials are stored in Kyvos Reporting, and using SAML lets you add Kyvos Reporting to your organization’s single sign-on environment.
Prerequisites
To enable single logout, configure Kyvos Reporting in SSL mode.
Make the following configurations.
Add the following CookieProcessor element to context.xml (located in the <Kyvos Reporting Install Root>/Jakarta/conf folder):
<Context>
    <!-- Default set of monitored resources. If one of these changes, the -->
    <!-- web application will be reloaded. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!-- <Manager pathname="" /> -->
    <CookieProcessor sameSiteCookies="none" />
</Context>
Add the secure element to the cookie-config in web.xml (located in the <Kyvos Reporting Install Root>/Jakarta/conf folder):
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
Kyvos Reporting should run in SSL mode.
Use a valid certificate issued by a trusted certificate authority for the Kyvos Reporting application. If the certificate or key store is not trusted, the Kyvos Reporting certificate must be present in the trusted store of your application's JVM.
Restart the server after making the above changes.
Note
You must use Tomcat 9.0.28 or a higher version.
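The two settings above are easy to get subtly wrong (a typo in the attribute name, a leftover <secure>false</secure> from a test deployment). The following checker is an added example, not part of Kyvos Reporting: it parses a context.xml and a web.xml and reports whether the CookieProcessor with sameSiteCookies="none" and the http-only/secure cookie-config flags are in place. The sample XML strings are constructed here for a stand-alone run; point check_files at the real <Install Root>/Jakarta/conf files before restarting Tomcat. It relies on ElementTree's {*} namespace wildcard, which needs Python 3.8 or later.

```python
"""Added check, not Kyvos Reporting code: verify the Tomcat cookie settings the
SAML single-logout setup requires, i.e. <CookieProcessor sameSiteCookies="none"/>
in context.xml and <http-only>true</http-only> plus <secure>true</secure> in the
session <cookie-config> of web.xml."""
import sys
import xml.etree.ElementTree as ET


def check_context_xml(xml_text):
    """Return a list of findings for context.xml; an empty list means it is configured."""
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        return ["root element is <%s>, expected <Context>" % root.tag]
    processor = root.find("CookieProcessor")
    if processor is None:
        return ["no <CookieProcessor> element in <Context>"]
    value = processor.get("sameSiteCookies")
    if value != "none":
        # SameSite=None is what lets the session cookie accompany the IdP's
        # cross-site POST back to the ACS URL and the single-logout round trip.
        return ['CookieProcessor sameSiteCookies is %r, expected "none"' % value]
    return []


def check_web_xml(xml_text):
    """Return a list of findings for web.xml; an empty list means it is configured."""
    root = ET.fromstring(xml_text)
    # Tomcat's conf/web.xml declares a default XML namespace; {*} matches any (or no) namespace.
    cfg = root.find("{*}session-config/{*}cookie-config")
    if cfg is None:
        return ["no <cookie-config> under <session-config>"]
    findings = []
    for flag in ("http-only", "secure"):
        el = cfg.find("{*}" + flag)
        text = (el.text or "").strip().lower() if el is not None else None
        if text != "true":
            findings.append("<%s> is %r, expected true" % (flag, text))
    return findings


def check_files(context_path, web_path):
    """Check the real files on disk and return the combined findings."""
    with open(context_path, encoding="utf-8") as f:
        findings = ["context.xml: " + m for m in check_context_xml(f.read())]
    with open(web_path, encoding="utf-8") as f:
        findings += ["web.xml: " + m for m in check_web_xml(f.read())]
    return findings


# Constructed sample files for a stand-alone run (not copied from any installation).
CONTEXT_OK = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <CookieProcessor sameSiteCookies="none" />
</Context>"""

CONTEXT_MISSING = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

WEB_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
</web-app>"""

WEB_INSECURE = WEB_OK.replace("<secure>true</secure>", "<secure>false</secure>")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        problems = check_files(sys.argv[1], sys.argv[2])
    else:
        # Demonstrate on the constructed samples that are deliberately misconfigured.
        problems = check_context_xml(CONTEXT_MISSING) + check_web_xml(WEB_INSECURE)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else "%d problem(s) found" % len(problems))
```

Run it as python check_cookies.py <Install Root>/Jakarta/conf/context.xml <Install Root>/Jakarta/conf/web.xml; with no arguments it runs against the constructed samples and reports the two deliberate misconfigurations.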
Configuring SAML
You can configure SAML 2.0 while creating an organization.
In Authentication is Performed by, select External Application.
To configure SAML 2.0, enter the details as:
| Property | Description |
| --- | --- |
| External Authenticator | Select SAML 2.0 to authenticate users from a third-party identity provider (IdP), such as OKTA. |
Service Provider Settings
| Property | Description |
| --- | --- |
| Single Sign-on Return URL | Enter the Assertion Consumer Service (ACS) URL to which users are redirected after a successful login. This is a Kyvos Reporting (service provider) URL, usually in the format http://<host/IP>:<port>/<webapp_name>/Acs?IDP=<Identity Provider Name>, e.g. http://localhost:8080/kyvos reporting/Acs?IDP=Custom |
| Service Provider Issuer | Enter the URL that lets the Identity Provider (IdP) identify your Kyvos Reporting instance. This is a Kyvos Reporting URL (sometimes called the “Issuer ID” or “Entity ID”), usually in the format http://<host/IP>:<port>/<webapp_name>, e.g. http://localhost:8080/Kyvos Reporting |
| Service Provider Logout URL | Enter the URL to which the IdP sends the SAML logout response. This is a Kyvos Reporting URL, usually in the format http://<host/IP>:<port>/<webapp_name>/Slo |
| X.509 Certificate (Optional) | Copy and paste the content of the PEM-encoded X.509 certificate file that lets the IdP establish trust in Kyvos Reporting. You can generate this certificate using your third-party certificate authority. This field is optional. |
| Service Provider Key File (Optional) | Copy and paste the content of the RSA or DSA private key file used to encrypt the connection between the IdP and Kyvos Reporting. You can generate this key using your third-party certificate authority. This field is optional. |
| Service Provider Metadata | Download the XML file that you can upload to the IdP to automate the configuration process. |
Identity Provider Settings
| Property | Description |
| --- | --- |
| Identity Provider | Select the external Identity Provider (IdP) that authenticates users over SAML 2.0, such as Onelogin, OKTA, and others. |
| Identity Provider Name | Enter a name to identify the custom IdP. It can be any user-defined name. You must fill this in when you select ‘Custom’ as the ‘Identity Provider’. |
| Identity Provider Issuer | Enter the unique identifier of the party making the SAML request. It is provided by the IdP (sometimes as the “Issuer ID” or “Entity ID”) and is usually in the form of a URL. |
| Single Sign-on URL | Enter the URL to which Kyvos Reporting redirects users to sign in to the IdP service. The URL is provided by the IdP. |
| External Authentication Sign-out URL (Optional) | Enter the URL that Kyvos Reporting calls after users sign out. The URL is provided by the IdP. |
| X.509 Certificate File (for IdP) | Copy and paste the content of the PEM-encoded X.509 certificate file that lets Kyvos Reporting establish trust in the IdP. You can generate this certificate with the help of your IdP service or using your third-party certificate authority. |
Note:
You need to run Kyvos Reporting in HTTPS mode to avoid any conflict with the IdP’s SSL certificate.
You can enable SSO authentication with a single IdP only.
The values you enter to configure SAML 2.0 are case sensitive.
User Mapping
User mapping must be performed so that the login process works end to end. For example, if you have a user in the identity provider OKTA, then the corresponding user in Kyvos Reporting must be mapped to that user in the OKTA application. If you have an account with the email ID Admin@KyvosReporting.com in OKTA, the mapping is: Kyvos Reporting user Admin mapped to Admin@KyvosReporting.com.
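To make concrete why the Service Provider and Identity Provider values above must match exactly (and case-sensitively), and how the user mapping completes the login, here is an added example in Python that is not Kyvos Reporting code: it applies the core service-provider checks to a constructed SAML response (Destination against the Single Sign-on Return URL, Issuer against the Identity Provider Issuer, Audience against the Service Provider Issuer, the NotBefore/NotOnOrAfter validity window) and then looks the NameID up in a user-mapping table to obtain the local user. The configuration values, hostnames and the response itself are constructed for the example. Verification of the response's XML signature against the IdP's X.509 certificate is assumed to have been done already by the XML-signature layer and is not repeated here.

```python
"""Added example, not Kyvos Reporting code: service-provider checks on a SAML 2.0
response using the configured SP/IdP values, followed by the user-mapping lookup.
Signature verification against the IdP X.509 certificate is assumed done elsewhere."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical SP/IdP settings mirroring the configuration fields on this page.
CONFIG = {
    "sso_return_url": "https://reporting.example.com:8443/kyvosreporting/Acs?IDP=Custom",  # Single Sign-on Return URL
    "sp_issuer": "https://reporting.example.com:8443/kyvosreporting",                       # Service Provider Issuer
    "idp_issuer": "https://idp.example.com/saml/metadata",                                   # Identity Provider Issuer
}

# IdP NameID -> Kyvos Reporting user, as described under User Mapping (constructed).
USER_MAPPING = {"Admin@KyvosReporting.com": "Admin"}


def _parse_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z); None if absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, user_mapping, now):
    """Return (local_user, []) when every check passes, else (None, [failure, ...]).
    Every comparison is an exact, case-sensitive string match, which is why the
    configured values are case sensitive."""
    failures = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["sso_return_url"]:
        failures.append("Destination does not match the Single Sign-on Return URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, failures + ["response carries no Assertion"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_issuer"]:
        failures.append("Issuer does not match the Identity Provider Issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        failures.append("assertion has no Conditions")
    else:
        audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if audience != config["sp_issuer"]:
            failures.append("Audience does not match the Service Provider Issuer")
        not_before = _parse_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            failures.append("assertion is not yet valid")
        if not_on_or_after is not None and now >= not_on_or_after:
            failures.append("assertion has expired")
    # User mapping: the IdP's NameID must correspond to a Kyvos Reporting user.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in user_mapping:
        failures.append("no Kyvos Reporting user is mapped to NameID %r" % name_id)
    if failures:
        return None, failures
    return user_mapping[name_id], []


# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://reporting.example.com:8443/kyvosreporting/Acs?IDP=Custom">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>Admin@KyvosReporting.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://reporting.example.com:8443/kyvosreporting</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)    # inside the validity window
LATER = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)  # exactly NotOnOrAfter: expired

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, CONFIG, USER_MAPPING, NOW))
    # Same response with the Audience differing only in letter case: rejected.
    altered = SAMPLE_RESPONSE.replace("kyvosreporting</saml:Audience>", "KyvosReporting</saml:Audience>")
    print(validate_response(altered, CONFIG, USER_MAPPING, NOW))
    print(validate_response(SAMPLE_RESPONSE, CONFIG, USER_MAPPING, LATER))
```

The case-only change to the Audience in the second call is enough to reject the response, which is the practical meaning of the note that the configured values are case sensitive; the third call shows the validity window being enforced at the NotOnOrAfter boundary.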
Copyright Kyvos, Inc. All rights reserved.