SAML Authentication in Jedox
In Jedox, SAML is mainly used for 3rd-party authentication, as used in cloud connections. Authentication may be server-side (In-Memory DB, Jedox Web) and client-side (Excel Add-in).
Activating SAML in Jedox
1) Define CFG_AUTH_SSO as 'saml' in<Install_path>\Jedox Suite\httpd\app\etc\config.php (Windows) or <Install_path>/htdocs/app/etc/config.php (Linux).
2) Add the following lines to <Install_path>\olap\data\palo.ini (Windows) or <Install_path>/Data/palo.ini (Linux):
saml-idp-metadata
saml-authorization
worker "<install_path>\svs\SupervisionServer.exe"
workerlogin informationsaml-idp-metadata refers to the path to metadata XML for identity provider in url form, i.e., web link or file path.
saml-authorization (or saml-authentication) enables SVS processing of SAML logins in the desired way.
An example that designates the identity provider as Azure:
saml-idp-metadata "https://login.microsoftonline.com/1506ab1d-5566-43z5-b5b567f22e31f41/federationmetadata/2018-12/federationmetadata.xml"An example that designates the identity provider as Salesforce:
saml-idp-metadata "https://user-dev-ed.my.salesforce.com/.well-known/samlidp.xml"3)Define the functions OnSAMLUserAuthenticate or OnSAMLUserAuthorize in a supervision script.
For example, the following script demonstrates assigning user "admin" to the admin group, and all other users to the "UserGroup" group:
public function OnSAMLUserAuthorize(&$username, array $attributes, array& $groups) { // bool
if ($username == 'admin') {
$groups = array('admin');
return true;
}
else {
$groups = array('UserGroup')
return true;
}
}4) Restart the Jedox Services.
5) Retrieve the metadata XML (which formally describes your Jedox environment as a service provider) from <your_web_instance>/be/saml.php file (e.g. http://localhost/be/saml.php).
6)Add Jedox as a service provider in your corresponding identity provider with the metadata XML (url or file) received in the previous step, or by manually using information from that file.
The steps above outline basic SAML configuration. Other configuration options are possible; see the table below for more palo.ini keys.
SAML configuration options
| Key name | Argument | Description | Default value |
|---|---|---|---|
| saml-authentication | Enables SAML authentication mode. | ||
| saml-authorization | Enables SAML authorization mode | ||
| saml-certificate | <path to certificate> | Certificate is published in metadata so identity provider can verify the signature or use it to encrypt its responses. | |
| saml-digest-algorithm | Hashing algorithm for signing. | http://www.w3.org/2001/04/xmlenc#sha256 | |
| saml-embed-signature | Embeds SAML request signature inside XML message instead of using it as GET parameter as defined by SAML Redirect standard. | ||
| saml-encrypt-login | Enables encrypting of SAML login requests | ||
| saml-encrypt-logout | Enables encrypting of SAML logout requests | ||
| saml-force-authn | If the key is defined in palo.ini, the identity provider must authenticate the presenter directly rather than rely on a previous security context. | False | |
| saml-idp-metadata | <url> | Metadata XML for the identity provider. Use the URL form, such as https://metadata.example.comIf the metadata is distributed as a file or the server has internet restrictions, place it under the file path:
The parameter in the palo.ini should then be included as |
empty string |
| saml-nameidpolicy | <NameID policy> | SAML NameID policy | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| saml-privatekey | <path to private key> | Private key is used to sign requests (if enabled by saml-sign-login) and decrypt responses from identity provider. | |
| saml-sign-login | Enables signing the SAML login requests | ||
| saml-sign-logout | Enables signing the SAML logout requests | ||
| saml-signature-algorithm | <algorithm type> | Algorithm used for SAML signatures | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
| saml-use-logout |
Enables SAML identity provider logout Note: to enable single logout, you must also define CFG_AUTH_SLO as true in config.php. See section on logout handling below. |
For more information on palo.ini options, see Configuring palo.ini for the In-Memory Database Server.
Authentication mode
In authentication mode, users, user groups, and group-role mappings must be defined in the Jedox In-Memory DB. Neither group assignment nor the creation of users will be done automatically. During Jedox user login, SVS receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB, returning true or false. If true (standard behavior), the user must already exist in the In-Memory DB system database with proper group assignment. If false, the user will be declined by the In-Memory DB. This behavior is similar to that of SSO authentication mode.
To activate, add saml-authentication to palo.ini.
Authorization mode
This option eliminates the need to define users and groups in the In-Memory DB, instead leaving that task to the SVS script. In this mode, only group-role mappings must be defined directly in the Jedox In-Memory DB. Users are created automatically and need not be created manually in Jedox. The SVS script receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB (returning true or false) and which Jedox groups this user belongs to (the script must fill the $groups variable). This behavior is similar to that of SSO authorization mode.
To activate, add saml-authorization to palo.ini.
Logout handling
Enabling SAML (single) logout means that during logout, you will be logged out of both Jedox and the identity provider. The next time you login to Jedox, you will have to authenticate in the identity provider again. Note: SAML logout may not be supported by the identity provider.
To enable single logout, set CFG_AUTH_SLO in config.php to true. You must also define saml-use-logout in palo.ini.
Updated July 20, 2023