Supported Authentication Mechanisms
DataTile offers the following authentication methods.
Built-in authentication using the local user repository.
INCUBATING DataTile Global User Identity service.
SAML 2.0 (Security Assertion Markup Language 2.0) is a widely used protocol for identity federation and single sign-on (SSO).
OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts.
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.
The DataTile Administration interface does not provide self-configuration of authentication mechanisms. To make changes, please contact your DataTile account manager and be prepared to provide our engineers with the details listed in this article.
SAML 2.0
IdP (Identity provider) Configuration
Configure your Identity Provider (IdP) with the following DataTile-specific endpoints:
Single Sign On URL / Login URL | ${DT_HOST}/api/saml2/login/datatile |
Recipient URL | ${DT_HOST}/api/saml2/login/datatile |
Destination URL | ${DT_HOST}/api/saml2/login/datatile |
Audience Restriction / Audience URL | ${DT_HOST}/api/saml2/datatile |
SP (Service provider) Configuration on the DataTile side
These details are needed to configure authentication on the DataTile side.
Metadata URL | The URL for your SAML metadata from the IdP. |
Admin Email (optional) | Administrator contact for SAML-related queries. NOTE! This account, if provided, will be granted full administrative privileges on the DataTile server. |
User Attribute Mapping | Define the SAML attribute names for the user's first name, last name, groups, and roles. |
Example of the DataTile configuration
SAML_METADATA_LOCATION: your.host/metadata.xml
SAML_ADMINEMAIL: [email protected]
SAML_FIRSTNAMEFIELD: Given name
SAML_LASTNAMEFIELD: Surname
Defining User Roles and Groups on the IdP Side
You can convey user roles and groups through “attributes” in a SAML assertion. An assertion is a package of information that supplies one or more statements made by a SAML authority. Attributes carry specific details about the user, such as their roles and group memberships.
Use the "groups" and "roles" attributes in SAML assertions to convey the corresponding details.
<saml2:AttributeStatement>
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">NAME_OF_THE_GROUP_IN_DATATILE_1</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">NAME_OF_THE_GROUP_IN_DATATILE_2</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
It is important to ensure that the roles and groups in the assertion match those in DataTile, as unmatched groups and roles will be ignored by the DataTile server.
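The following is an added example, not DataTile's own code, showing how the attribute mapping above can be applied on the service-provider side: the first and last name are read through the configured attribute names, and the asserted groups and roles are intersected with the set known to the server so that unmatched values are reported and ignored rather than applied. The mapping, the server-side group and role names and the AttributeStatement are all constructed for this example; `givenname` and `surname` follow the page's XML sample.

```python
# Added example, not DataTile's own code: pull the attributes DataTile maps
# (first name, last name, groups, roles) out of a SAML 2.0 AttributeStatement
# and drop any group or role the server does not know, as the page describes.
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute-name mapping in the shape of the page's SAML_*FIELD settings.
# The names follow the page's XML sample; use what your IdP actually emits.
FIELD_MAPPING = {
    "SAML_FIRSTNAMEFIELD": "givenname",
    "SAML_LASTNAMEFIELD": "surname",
}

# Groups and roles assumed to exist on a hypothetical DataTile server.
DATATILE_GROUPS = {"NAME_OF_THE_GROUP_IN_DATATILE_1", "analysts"}
DATATILE_ROLES = {"viewer", "editor"}

# Constructed AttributeStatement (namespace declared so it parses stand-alone;
# the xsi:type decorations shown on the page are omitted for brevity).
SAMPLE_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue>John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue>Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue> NAME_OF_THE_GROUP_IN_DATATILE_1 </saml2:AttributeValue>
    <saml2:AttributeValue>finance</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles">
    <saml2:AttributeValue>editor</saml2:AttributeValue>
    <saml2:AttributeValue>superuser</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def attribute_values(statement_xml: str) -> dict:
    """Return {Attribute Name: [non-empty, whitespace-trimmed values]}.

    This reads an AttributeStatement already extracted from a
    signature-verified Assertion; attribute values must never be trusted
    before the Response/Assertion signature check has passed.
    """
    root = ET.fromstring(statement_xml)
    values = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        texts = [(v.text or "").strip()
                 for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        values.setdefault(name, []).extend(t for t in texts if t)
    return values


def map_saml_user(statement_xml: str, mapping=FIELD_MAPPING,
                  known_groups=DATATILE_GROUPS, known_roles=DATATILE_ROLES) -> dict:
    """Build the server-side user view: names via the configured attribute
    names, groups/roles intersected with what the server knows. Unmatched
    values are returned under "ignored" so they can be logged, not applied."""
    attrs = attribute_values(statement_xml)
    first = (attrs.get(mapping["SAML_FIRSTNAMEFIELD"]) or [""])[0]
    last = (attrs.get(mapping["SAML_LASTNAMEFIELD"]) or [""])[0]
    asserted_groups = set(attrs.get("groups", []))
    asserted_roles = set(attrs.get("roles", []))
    return {
        "first_name": first,
        "last_name": last,
        "groups": sorted(asserted_groups & known_groups),
        "roles": sorted(asserted_roles & known_roles),
        "ignored": sorted((asserted_groups - known_groups)
                          | (asserted_roles - known_roles)),
    }


if __name__ == "__main__":
    print(map_saml_user(SAMPLE_STATEMENT))
```

Running the block maps John Doe into the one group and the one role the server knows and lists `finance` and `superuser` as ignored; logging that "ignored" list is the quickest way to spot a mismatch between IdP-side and DataTile-side names during rollout.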
OAuth 2.0
IdP (Identity provider) Configuration
Set up your OAuth 2.0 Provider with these redirect URIs:
Authorization Endpoint / Login URI | ${DT_HOST} |
Redirection URI / Callback URL | ${DT_HOST}/api/v2.1/user/login |
Token Endpoint / Logout URL | ${DT_HOST} |
Origin URI | ${DT_HOST} |
SP (Service provider) Configuration on the DataTile side
Issuer URI | The URL of your OAuth 2.0 Provider. |
Token Endpoint | URL to request access tokens. |
Client Identifier (Client ID) | A public identifier for apps. |
Client Secret | A secret known only to the application and the IdP service. |
Example of the DataTile configuration
AUTH0_ISSUER_URI: https://<auth0-tenant-url>/
# OAUTH_ISSUER_URI:
# KEYCLOAK_ISSUER_URI:
OAUTH_ACCESS_TOKEN_URI: https://<auth0-tenant-url>/oauth/token
OAUTH_CLIENT_ID: <ID>
OAUTH_CLIENT_SECRET: <SECRET>
OAUTH_USER_INFO_USERNAME_FIELD: email
OpenID Connect (OIDC)
IdP (Identity provider) Configuration
Set up your OIDC Provider with these redirect URIs:
Authorization Endpoint / Login URI | |
Redirection URI / Callback URL | |
Token Endpoint / Logout URL | |
Origin URI | |
SP (Service provider) Configuration on the DataTile side
OpenId configuration URI | The URL of your Provider OpenId configuration |
Client Identifier (Client ID) | A public identifier for apps. |
Client Secret | A secret known only to the application and the IdP service. |
Example of the DataTile configuration
SSO_ENABLED=true
OPENID_ENABLED=true
OPENID_ISSUER_URI=<idp-url.com/.well-known/openid-configuration>
OPENID_CLIENT_ID=<ID>
OPENID_CLIENT_SECRET=<SECRET>
# Additional configuration (not required in most cases)
OPENID_USERNAME_CLAIM=emails
OPENID_CLAIMS=emails,sub,oid,given_name,family_name
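The following is an added example, not DataTile's own code, covering both the OAuth 2.0 and the OIDC sections above: it shows what a relying party does with the issuer URI, client identifier, username claim and claim list once they are configured. The discovery document is checked against the configured `.well-known` URL, the ID token's claims are checked against issuer, client id and expiry (the signature check against `jwks_uri` is assumed to have passed already and is not shown), and the profile is reduced to the claims listed in `OPENID_CLAIMS` with the username taken from `OPENID_USERNAME_CLAIM`. Every URL, identifier and claim value below is a constructed placeholder.

```python
# Added example, not DataTile's own code: apply OAuth 2.0 / OIDC settings of
# the shape shown above (issuer, client id, username claim, claim list) to a
# discovery document and to a verified ID token's claims. All values are
# constructed placeholders.
import time
from urllib.parse import urlparse

SETTINGS = {
    "OPENID_ISSUER_URI": "https://idp.example.com/.well-known/openid-configuration",
    "OPENID_CLIENT_ID": "datatile-client-id",
    "OPENID_USERNAME_CLAIM": "emails",
    "OPENID_CLAIMS": "emails,sub,oid,given_name,family_name",
}

# What the .well-known URL above would return (constructed).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/discovery/keys",
}

# Claims of an ID token whose signature has already been verified against
# jwks_uri (constructed; signature handling is outside this example).
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": "datatile-client-id",
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "sub": "user-sub-0001",
    "oid": "object-id-0001",
    "emails": ["jane.doe@example.com"],
    "given_name": "Jane",
    "family_name": "Doe",
    "nonce": "n-0S6_WzA2Mj",
}


def check_discovery(settings: dict, discovery: dict) -> list:
    """OIDC Discovery sanity checks; returns a list of problems (empty = ok).

    The configured discovery URL must be https and must equal
    <issuer>/.well-known/openid-configuration for the issuer the document
    claims; otherwise tokens would be validated against the wrong issuer.
    """
    problems = []
    configured = settings["OPENID_ISSUER_URI"]
    if urlparse(configured).scheme != "https":
        problems.append("discovery URL must use https")
    expected = discovery["issuer"].rstrip("/") + "/.well-known/openid-configuration"
    if configured != expected:
        problems.append(f"issuer {discovery['issuer']!r} does not match {configured!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            problems.append(f"discovery document lacks {key}")
    return problems


def check_id_token_claims(claims: dict, settings: dict, issuer: str, now=None) -> list:
    """Post-signature claim checks (OIDC Core 3.1.3.7): iss, aud, azp, exp."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if settings["OPENID_CLIENT_ID"] not in aud:
        problems.append("aud does not contain our client id")
    if "azp" in claims and claims["azp"] != settings["OPENID_CLIENT_ID"]:
        problems.append("azp is not our client id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    return problems


def map_oidc_user(claims: dict, settings: dict) -> dict:
    """Keep only the claims listed in OPENID_CLAIMS and pick the username from
    OPENID_USERNAME_CLAIM (a claim may carry a single value or a list)."""
    allowed = [c.strip() for c in settings["OPENID_CLAIMS"].split(",") if c.strip()]
    profile = {k: claims[k] for k in allowed if k in claims}
    username = profile.get(settings["OPENID_USERNAME_CLAIM"])
    if isinstance(username, list):
        username = username[0] if username else None
    if not username:
        raise ValueError(f"username claim {settings['OPENID_USERNAME_CLAIM']!r} missing")
    return {"username": username, "profile": profile}


if __name__ == "__main__":
    assert not check_discovery(SETTINGS, DISCOVERY)
    assert not check_id_token_claims(ID_TOKEN_CLAIMS, SETTINGS, DISCOVERY["issuer"],
                                     now=1_700_000_100)
    print(map_oidc_user(ID_TOKEN_CLAIMS, SETTINGS))
```

The two check functions return lists of problems rather than raising so that a login failure can be logged with every reason at once; in production the `now` argument is left at its default and the claims come from a library that has already verified the token signature.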