This requires Admin privileges to set up.
Similar to OpenID Connect (OIDC), iDashboards supports configuring an external Security Assertion Markup Language 2.0 (SAML) identity provider to manage user authentication. OIDC has become the more popular implementation choice for communicating with an identity provider, and most commercial identity providers provide both an OIDC and a SAML interface. Commercial SAML identity providers include Shibboleth, Okta, Auth0 and OneLogin.
A “LOG IN WITH <Custom Name>” button will appear on the initial login page when authentication is enabled. When a user clicks this button, authentication will be “handed off” to the identity provider to establish the identity of the user. Once the identity provider has established the user’s identity, their identity information will be supplied to iDashboards.
In SAML 2.0 terminology, the entity requesting authentication from the identity provider is called the service provider. In this case, iDashboards is the service provider. As with OIDC, an application is generally created with the identity provider. Information about iDashboards is provided to the identity provider, and information about the identity provider is used to configure SAML authentication in iDashboards.
13.3.4.1 Configuring the Identity Provider
- The Identity Provider Name is simply a name given to the configuration that appears on the LOG IN WITH button on the initial login page when authentication is enabled. The following URLs are obtained from the identity provider and are specifically associated with the iDashboards application.
- Issuer URL – This is the entity ID of the identity provider.
- Single Sign-On URL – This is the URL to which iDashboards issues its initial authentication request. It is sometimes referred to as the login URL.
- X.509 Certificate – Most identity providers require authentication requests to be signed using an X.509 certificate. The signing algorithm that is used to sign the requests is also provided by the identity provider.
13.3.4.2 Service Provider Configuration
iDashboards is considered the service provider when configuring the identity provider.
iDashboards provides the following values to be supplied to the identity provider:
- Callback Assertion Consumer Service (ACS) URL – This is the URL to which the identity provider sends identity information after the user has been authenticated. It is sometimes referred to as the Application Callback URL or Single Sign-On URL.
- Audience – This is the entity ID of the service provider.
- Recipient – For iDashboards, this is just the ACS URL.
- ACS URL Validator – This is a regular expression used by some identity providers to ensure that responses are issued to the correct URL.
iDashboards uses the emailAddress NameIDFormat, which indicates the information returned by the identity provider to identify a user.
13.3.4.3 User Authentication Mappings
Once the user’s identity has been established by the identity provider (usually in the form of an identity-provider-specific login screen), the iDashboards user that is associated with the authenticated user must be established. This association is determined using authentication mappings: the mappings are examined to find the iDashboards user that matches the email address returned by the identity provider, and that iDashboards user is then associated with the user authenticated by the identity provider. Users may establish their own authentication mapping via the User Settings in the Viewer or the Builder. Once they have established the mapping via the Settings, the email address provided by the identity provider will be populated in the mapping associated with the user.
13.3.4.4 Single Sign-On
A special URL can be used to bypass the login screen and immediately contact the identity
provider for authentication. If the URL to access the application is:
http://dashboard.mycompany.com/idashboards/
Then the following URL will automatically log the user into iDashboards:
http://dashboard.mycompany.com/idashboards/?sso=$auth=saml
When iDashboards is invoked with this type of URL, the user is authenticated with the identity provider. The associated iDashboards user is then determined based on the authentication mappings and the identity information returned by the identity provider.
For More Information:
- iDashboards Admin Manual 13.3.4 SAML 2.0 Single Sign-On
- The SAML offering we created is based on the OneLogin API. Additional documentation for OneLogin: PHP | Python | Ruby | Java | .NET
If the above is unable to resolve the issue, then please contact iDashboards Support for further assistance.