
Setting up Single Sign-on (SSO) (SAML 2, OAuth 2.0, OIDC) on your DataTile server

Supported Authentication Mechanisms

DataTile offers the following authentication methods.

  1. Built-in authentication using the local user repository.

  2. INCUBATING DataTile Global User Identity service.

  3. DataTile Internal User Identity For Service Team.

  4. SAML 2.0 (Security Assertion Markup Language 2.0) is a widely used protocol for identity federation and single sign-on (SSO).

  5. OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts.

  6. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.

The DataTile Administration interface does not provide self-configuration of authentication mechanisms. To make changes, please contact your DataTile account manager and be prepared to provide our engineers with the details listed in this article.

SAML 2.0

IdP (Identity provider) Configuration

Configure your Identity Provider (IdP) with the following DataTile-specific endpoints:

Single Sign On URL / Login URL

${DT_HOST}

Entity ID / Audience URI

${DT_HOST}/saml2/service-provider-metadata/ext

Allowed callback URLs

${DT_HOST}/login/saml2/sso/ext

SP (Service provider) Configuration on the DataTile side

These details are needed to configure authentication on the DataTile side.

Metadata URL

The URL for your SAML metadata from the IdP.

Admin Email (optional)

Administrator contact for SAML-related queries.

This account, if provided, will be granted full administrative privileges on the DataTile server.

User Attribute Mapping

Define the SAML attribute names that carry the user's first name, last name, groups, and roles.

Example of the DataTile configuration

Env.Var              Value
EXT_TYPE             saml
EXT_ISSUER_URI       <CLIENT-METADATA-URL>
EXT_USERNAME_FIELD   email

Defining User Roles and Groups on the IdP Side

You can convey user roles and groups through "attributes" in the SAML assertion. An assertion is a package of information that supplies one or more statements made by a SAML authority. Attributes can be used to include specific details about the user, such as their roles and group memberships.

Use the "groups" and "roles" attributes in SAML assertions to convey corresponding details.

XML
<saml2:AttributeStatement>
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">
      John
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">
      Doe
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">
      NAME_OF_THE_GROUP_IN_DATATILE_1
    </saml2:AttributeValue>
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">
      NAME_OF_THE_GROUP_IN_DATATILE_2
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

It is important to ensure that the roles and groups in the assertion match those in DataTile, as unmatched groups and roles will be ignored by the DataTile server.
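As an added illustration (not DataTile's own code), the following Python parses an AttributeStatement shaped like the one above and applies the matching rule just described: values for "groups" and "roles" are kept only when they exist on the DataTile side, and everything else is reported as ignored. The sample assertion fragment, the group and role names, the exact (case-sensitive) comparison and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment modelled on the page's example; not a real IdP response.
# Values deliberately carry surrounding whitespace, as pretty-printed assertions do.
SAML_ASSERTION_FRAGMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="givenname"><saml2:AttributeValue>
      John
  </saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="surname"><saml2:AttributeValue>
      Doe
  </saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>Analysts</saml2:AttributeValue>
    <saml2:AttributeValue>Finance-Viewers</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles">
    <saml2:AttributeValue>editor</saml2:AttributeValue>
    <saml2:AttributeValue>superuser</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_attributes(xml_text):
    """Return {attribute Name: [values]} from an AttributeStatement.

    Whitespace around each value is stripped and empty values dropped, so a
    multi-line "John" compares equal to "John". This step assumes the enclosing
    Response/Assertion signature has already been verified by the SP.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def map_memberships(attrs, known_groups, known_roles):
    """Apply the page's rule: only groups/roles that exist in DataTile are used.

    Matching here is exact and case-sensitive (an assumption for this example).
    Unmatched values are returned under "ignored" so an admin can spot typos
    such as a renamed group on the IdP side.
    """
    result = {"groups": [], "roles": [], "ignored": []}
    for key, known in (("groups", known_groups), ("roles", known_roles)):
        for value in attrs.get(key, []):
            (result[key] if value in known else result["ignored"]).append(
                value if value in known else f"{key}:{value}")
    return result
```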

OpenID Connect (OIDC)

IdP (Identity provider) Configuration

Set up your OIDC Provider with these redirect URIs:

Single Sign On URL / Login URL

${DT_HOST}

Allowed callback URLs

${DT_HOST}/login/oauth2/code/ext

SP (Service provider) Configuration on the DataTile side

OpenId configuration URI

The URL of your provider's OpenID configuration document.

Client Identifier (Client ID)

The public identifier of the application registered with the IdP.

Client Secret

A secret known only to the application and the IdP service.

Example of the DataTile configuration

Required configuration

Env.Var              Value
EXT_TYPE             oid
EXT_CLIENT_ID        <client-id>
EXT_CLIENT_SECRET    <secret>
EXT_ISSUER_URI       https://<idp-url.com>/.well-known/openid-configuration

Additional configuration (not required in most cases)

Env.Var              Default Value
EXT_RESPONSE_MODE    form_post
EXT_RESPONSE_TYPE    code id_token
EXT_USERNAME_CLAIM   email
EXT_CLAIMS           email
EXT_SCOPE            openid,email
