Setting up Single Sign-on (SSO) (SAML 2, OAuth 2.0, OIDC) on your DataTile server
Supported Authentication Mechanisms
DataTile offers the following authentication methods.
Built-in authentication using the local user repository.
INCUBATING DataTile Global User Identity service.
DataTile Internal User Identity For Service Team.
SAML 2.0 (Security Assertion Markup Language 2.0) is a widely used protocol for identity federation and single sign-on (SSO).
OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts.
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end user and to obtain basic user profile information.
The DataTile Administration interface does not provide self-configuration of authentication mechanisms. To make changes, please contact your DataTile account manager and be prepared to provide our engineers with the details listed in this article.
SAML 2.0
IdP (Identity provider) Configuration
Configure your Identity Provider (IdP) with the following DataTile-specific endpoints:
IdP setting | Value
---|---
Single Sign On URL / Login URL | 
Entity ID / Audience URI | 
Allowed callback URLs | 
SP (Service provider) Configuration on the DataTile side
These details are needed to configure authentication on the DataTile side.
SP setting | Description
---|---
Metadata URL | The URL of your SAML metadata from the IdP.
Admin Email (optional) | Administrator contact for SAML-related queries. This account, if provided, will be granted full administrative privileges on the DataTile server.
User Attribute Mapping | The SAML attribute names for the user's first name, last name, groups, and roles.
Defining User Roles and Groups on the IdP Side
You can convey user roles and groups through "attributes" in a SAML assertion. An assertion is a package of information that supplies one or more statements made by a SAML authority. Attributes carry specific details about the user, such as their roles and group memberships.
Use the "groups" and "roles" attributes in SAML assertions to convey those details, as in the following AttributeStatement excerpt:
```xml
<saml2:AttributeStatement>
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">
      John
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">
      Doe
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">
      NAME_OF_THE_GROUP_IN_DATATILE_1
    </saml2:AttributeValue>
    <saml2:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">
      NAME_OF_THE_GROUP_IN_DATATILE_2
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
It is important to ensure that the roles and groups in the assertion match those in DataTile, as unmatched groups and roles will be ignored by the DataTile server.
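As an added example (not DataTile's own code), the following Python parses an AttributeStatement of the shape shown above and applies the matching rule just described: groups and roles whose names do not exist in DataTile are dropped. The sample XML, the group and role names, and the `known_groups` / `known_roles` sets are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample: the AttributeStatement shape from this article, with a
# "roles" attribute beside "groups". Group/role names here are made up.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue xsi:type="xs:anyType">John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue xsi:type="xs:anyType">Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue xsi:type="xs:anyType"> Analysts </saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:anyType">Marketing</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:anyType">NoSuchGroup</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles">
    <saml2:AttributeValue xsi:type="xs:anyType">viewer</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def parse_attributes(xml_text):
    """Return {attribute Name: [values]} from a saml2:AttributeStatement.
    Assumes the enclosing assertion's signature was already verified;
    parsing alone says nothing about who issued the attributes."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind("saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def map_user(attrs, known_groups, known_roles):
    """Keep only groups and roles that exist in DataTile (the server ignores
    the rest); return the ignored names so an admin can spot IdP mismatches."""
    groups = attrs.get("groups", [])
    roles = attrs.get("roles", [])
    return {
        "first_name": (attrs.get("givenname") or [""])[0],
        "last_name": (attrs.get("surname") or [""])[0],
        "groups": [g for g in groups if g in known_groups],
        "roles": [r for r in roles if r in known_roles],
        "ignored": [g for g in groups if g not in known_groups]
                   + [r for r in roles if r not in known_roles],
    }
```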
OpenID Connect (OIDC)
IdP (Identity provider) Configuration
Set up your OIDC Provider with these redirect URIs:
IdP setting | Value
---|---
Single Sign On URL / Login URL | 
Allowed callback URLs | 
SP (Service provider) Configuration on the DataTile side
SP setting | Description
---|---
OpenID configuration URI | The URL of your provider's OpenID configuration document.
Client Identifier (Client ID) | The public identifier issued by the IdP for the DataTile application.
Client Secret | A secret known only to the application and the IdP service.