SAML Authentication in Jedox

Jedox offers native support for SAML 2.0. SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP), such as OKTA, and a service provider (SP). SAML simplifies the login process by enabling users to access many services with a single sign-on. This is accomplished through SAML messages (requests and assertions) passed between the service provider (the Jedox software) and the identity provider (an external entity or party), with each side configured from the other's metadata (SP and IdP metadata).

In Jedox, SAML is mainly used for third-party authentication, for example in cloud connections. Authentication may be server-side (In-Memory DB, Jedox Web) or client-side (Excel Add-in).

Important: as of Jedox 2019.2, the entityID consists of the web address + /be/saml.php, e.g. https://localhost/be/saml.php. For existing implementations with older forms of the entityID, metadata may have to be re-uploaded on the IdP side. Excel clients also cannot connect to older SAML configurations that have an entityID other than https://example.com/be/saml.php.

Activating SAML in Jedox

1) Define CFG_AUTH_SSO as 'saml' in <Install_path>\Jedox Suite\httpd\app\etc\config.php (Windows) or <Install_path>/htdocs/app/etc/config.php (Linux).

define('CFG_AUTH_SSO','saml');

2) Add the following lines to <Install_path>\olap\data\palo.ini (Windows) or <Install_path>/Data/palo.ini (Linux):

  saml-idp-metadata
  saml-authorization
  worker "<install_path>\svs\SupervisionServer.exe"
  workerlogin information

saml-idp-metadata is the location of the identity provider's metadata XML in URL form, i.e., either a web link or a file path.

saml-authorization (or saml-authentication) selects the mode in which SVS processes SAML logins (see the mode descriptions below).

An example that designates the identity provider as Azure:

  saml-idp-metadata "https://login.microsoftonline.com/1506ab1d-5566-43z5-b5b567f22e31f41/federationmetadata/2018-12/federationmetadata.xml"

An example that designates the identity provider as Salesforce:

  saml-idp-metadata "https://user-dev-ed.my.salesforce.com/.well-known/samlidp.xml"

3) Define the functions OnSAMLUserAuthenticate or OnSAMLUserAuthorize in a supervision script.

For example, the following script demonstrates assigning user "admin" to the admin group, and all other users to the "UserGroup" group:

  public function OnSAMLUserAuthorize(&$username, array $attributes, array &$groups) { // bool
    // The SAML user "admin" is placed in the built-in "admin" group;
    // every other SAML user is placed in "UserGroup". Returning true
    // admits the user to the In-Memory DB with the groups assigned above.
    if ($username == 'admin') {
      $groups = array('admin');
      return true;
    } else {
      $groups = array('UserGroup');
      return true;
    }
  }

4) Restart the Jedox Services.

5) Retrieve the metadata XML (which formally describes your Jedox environment as a service provider) from <your_web_instance>/be/saml.php file (e.g. http://localhost/be/saml.php).

6) Add Jedox as a service provider in your corresponding identity provider, using the metadata XML (URL or file) retrieved in the previous step, or by manually entering the information from that file.

The steps above outline basic SAML configuration. Other configuration options are possible; see the table below for more palo.ini keys.

SAML configuration options

Key name: saml-authentication
  Description: Enables SAML authentication mode.

Key name: saml-authorization
  Description: Enables SAML authorization mode.

Key name: saml-certificate
  Argument: <path to certificate>
  Description: The certificate is published in the SP metadata so that the identity provider can verify the signature or use it to encrypt its responses.

Key name: saml-digest-algorithm
  Description: Hashing algorithm for signing.
  Default value: http://www.w3.org/2001/04/xmlenc#sha256

Key name: saml-embed-signature
  Description: Embeds the SAML request signature inside the XML message instead of passing it as a GET parameter as defined by the SAML Redirect binding.

Key name: saml-encrypt-login
  Description: Enables encryption of SAML login requests.

Key name: saml-encrypt-logout
  Description: Enables encryption of SAML logout requests.

Key name: saml-force-authn
  Description: If the key is defined in palo.ini, the identity provider must authenticate the presenter directly rather than rely on a previous security context.
  Default value: False

Key name: saml-idp-metadata
  Argument: <url>
  Description: Metadata XML for the identity provider. Use the URL form, such as https://metadata.example.com

  If the metadata is distributed as a file or the server has internet restrictions, place it under the file path:

    • for Linux: file:///opt/jedox/ps/Data/idp-metadata.xml
    • for Windows: file:///C:/Program Files(x86)/Jedox/Jedox Suite/olap/data/idp-metadata.xml

  The parameter in palo.ini should then be included as saml-idp-metadata:idp-metadata.xml.
  Default value: empty string

Key name: saml-nameidpolicy
  Argument: <NameID policy>
  Description: SAML NameID policy.
  Default value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Key name: saml-privatekey
  Argument: <path to private key>
  Description: The private key is used to sign requests (if enabled by saml-sign-login) and to decrypt responses from the identity provider.

Key name: saml-sign-login
  Description: Enables signing of the SAML login requests.

Key name: saml-sign-logout
  Description: Enables signing of the SAML logout requests.

Key name: saml-signature-algorithm
  Argument: <algorithm type>
  Description: Algorithm used for SAML signatures.
  Default value: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Key name: saml-use-logout
  Description: Enables SAML identity provider logout.
  Note: to enable single logout, you must also define CFG_AUTH_SLO as true in config.php. See the section on logout handling below.

For more information on palo.ini options, see Configuring palo.ini for the In-Memory Database Server.

Authentication mode

In authentication mode, users, user groups, and group-role mappings must be defined in the Jedox In-Memory DB. Neither group assignment nor the creation of users will be done automatically. During Jedox user login, SVS receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB, returning true or false. If true (standard behavior), the user must already exist in the In-Memory DB system database with proper group assignment. If false, the user will be declined by the In-Memory DB. This behavior is similar to that of SSO authentication mode.

To activate, add saml-authentication to palo.ini.

Authorization mode

This option eliminates the need to define users and groups in the In-Memory DB, instead leaving that task to the SVS script. In this mode, only group-role mappings must be defined directly in the Jedox In-Memory DB. Users are created automatically and need not be created manually in Jedox. The SVS script receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB (returning true or false) and which Jedox groups this user belongs to (the script must fill the $groups variable). This behavior is similar to that of SSO authorization mode.

To activate, add saml-authorization to palo.ini.
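The following supervision script is an added example covering both modes described above (authentication mode and authorization mode); it is not Jedox's own sample code. It assumes the identity provider sends a multi-valued SAML attribute named "groups" (attribute name and values are constructed here), that OnSAMLUserAuthenticate takes the same ($username, $attributes) arguments as the page's OnSAMLUserAuthorize (signature assumed by analogy, not taken from the page), and that the SVS loads the script as a class body, which is why the hooks use the page's "public function" form and the helpers are private methods.

```php
<?php
// Added example, not Jedox sample code. Assumed attribute name: "groups".
// The mapping values are constructed for illustration.

// IdP group value (lower-cased) => Jedox group. Anything not listed is
// ignored, so an unexpected IdP group never grants Jedox rights by accident.
private $samlGroupMap = array(
    'jedox-admins'   => 'admin',
    'jedox-planners' => 'PlannerGroup',
    'jedox-viewers'  => 'UserGroup',
);

// A SAML attribute may arrive as a single string or as a list of strings;
// return it as a list either way (empty list when the attribute is absent).
private function samlAttributeValues(array $attributes, $name) {
    if (!isset($attributes[$name])) {
        return array();
    }
    $value = $attributes[$name];
    return is_array($value) ? array_values($value) : array($value);
}

// Translate IdP group values into Jedox group names, dropping unknown
// values and duplicates.
private function mapSamlGroups(array $idpGroups) {
    $jedoxGroups = array();
    foreach ($idpGroups as $g) {
        $key = strtolower(trim((string) $g));
        if (isset($this->samlGroupMap[$key])
            && !in_array($this->samlGroupMap[$key], $jedoxGroups, true)) {
            $jedoxGroups[] = $this->samlGroupMap[$key];
        }
    }
    return $jedoxGroups;
}

// Authorization mode (saml-authorization): decide access AND fill $groups.
// Users are created automatically, so group membership comes entirely from here.
public function OnSAMLUserAuthorize(&$username, array $attributes, array &$groups) { // bool
    $groups = $this->mapSamlGroups($this->samlAttributeValues($attributes, 'groups'));
    // Fail closed: a user with no mapped group gets no In-Memory DB login at all,
    // rather than a login with an empty or default group set.
    return count($groups) > 0;
}

// Authentication mode (saml-authentication): the user and its groups must
// already exist in the In-Memory DB; this hook only confirms or declines the
// login and assigns nothing.
public function OnSAMLUserAuthenticate(&$username, array $attributes) { // bool
    $idpGroups = $this->samlAttributeValues($attributes, 'groups');
    // Only admit users the IdP places in at least one known group.
    return count($this->mapSamlGroups($idpGroups)) > 0;
}
```

In authorization mode only the group-role mappings still have to exist in the In-Memory DB, so every name returned in $groups must match a group defined there; a name that is not defined is simply not granted. Returning false from either hook declines the login, which is the safe default for any SAML user the mapping does not recognise.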

Logout handling

Enabling SAML (single) logout means that during logout you are logged out of both Jedox and the identity provider. The next time you log in to Jedox, you will have to authenticate at the identity provider again. Note: SAML logout may not be supported by the identity provider.

To enable single logout, set CFG_AUTH_SLO in config.php to true. You must also define saml-use-logout in palo.ini.

Updated July 20, 2023