Setting up Single Sign-on (SSO) (SAML 2, OAuth 2.0, OIDC) on your DataTile server
Updated over 7 months ago

Supported Authentication Mechanisms

DataTile offers the following authentication methods.

  1. Built-in authentication using the local user repository.

  2. INCUBATING DataTile Global User Identity service.

  3. SAML 2.0 (Security Assertion Markup Language 2.0) is a widely used protocol for identity federation and single sign-on (SSO).

  4. OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts.

  5. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.

The DataTile Administration interface does not provide self-configuration of authentication mechanisms. To make changes, please contact your DataTile account manager and be prepared to provide our engineers with the details listed in this article.

SAML 2.0

IdP (Identity provider) Configuration

Configure your Identity Provider (IdP) with the following DataTile-specific endpoints:

Single Sign On URL / Login URL

${DT_HOST}/api/saml2/login/datatile

Recipient URL

${DT_HOST}/api/saml2/login/datatile

Destination URL

${DT_HOST}/api/saml2/login/datatile

Audience Restriction / Audience URL

${DT_HOST}/api/saml2/datatile

SP (Service provider) Configuration on the DataTile side

These details are needed to configure authentication on the DataTile side.

Metadata URL

The URL for your SAML metadata from the IdP.

Admin Email (optional)

Administrator contact for SAML-related queries.

NOTE! This account, if provided, will be granted full administrative privileges on the DataTile server.

User Attribute Mapping

Define the SAML attribute names that carry the user's first name, last name, groups, and roles.

Example of the DataTile configuration

  • SAML_METADATA_LOCATION: your.host/metadata.xml

  • SAML_ADMINEMAIL: [email protected]

  • SAML_FIRSTNAMEFIELD: Given name

  • SAML_LASTNAMEFIELD: Surname

Defining User Roles and Groups on the IdP Side

You can convey user roles and groups through attributes in the SAML assertion. An assertion is a package of information that supplies one or more statements made by a SAML authority. Attributes can be used to include specific details about the user, such as their roles and group memberships.

Use the "groups" and "roles" attributes in SAML assertions to convey corresponding details.

<saml2:AttributeStatement>
  <saml2:Attribute Name="givenname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="surname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">NAME_OF_THE_GROUP_IN_DATATILE_1</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">NAME_OF_THE_GROUP_IN_DATATILE_2</saml2:AttributeValue>
  </saml2:Attribute>
  <!-- A "roles" attribute has the same shape: one AttributeValue per role name -->
</saml2:AttributeStatement>

It is important to ensure that the roles and groups in the assertion match those in DataTile, as unmatched groups and roles will be ignored by the DataTile server.
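As an added illustration (not DataTile's own code), the Python below reads an AttributeStatement shaped like the one above, applies the SAML_FIRSTNAMEFIELD / SAML_LASTNAMEFIELD mapping from the configuration section, and keeps only the groups and roles that exist on the server, reporting the rest as ignored so a mismatch can be spotted in logs. The attribute names, group and role names, and the CONFIG / KNOWN_* values are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement with the same shape as the article's sample.
SAMPLE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="givenname"><saml2:AttributeValue>John</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="surname"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>Analysts</saml2:AttributeValue>
    <saml2:AttributeValue>Finance</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles"><saml2:AttributeValue>viewer</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

# Hypothetical mirror of the server-side settings shown above, plus the groups and
# roles that exist on the DataTile server (constructed values).
CONFIG = {"SAML_FIRSTNAMEFIELD": "givenname", "SAML_LASTNAMEFIELD": "surname"}
KNOWN_GROUPS = {"Analysts", "Marketing"}
KNOWN_ROLES = {"viewer", "editor"}


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement.

    Call this only on an assertion whose XML signature has already been verified;
    attribute values from an unverified assertion must not drive authorization."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user(attrs, config, known_groups, known_roles):
    """Apply the field mapping and drop groups/roles the server does not know."""
    first = (attrs.get(config["SAML_FIRSTNAMEFIELD"]) or [""])[0]
    last = (attrs.get(config["SAML_LASTNAMEFIELD"]) or [""])[0]
    asserted_groups = attrs.get("groups", [])
    asserted_roles = attrs.get("roles", [])
    ignored = [g for g in asserted_groups if g not in known_groups]
    ignored += [r for r in asserted_roles if r not in known_roles]
    return {
        "first_name": first,
        "last_name": last,
        "groups": [g for g in asserted_groups if g in known_groups],
        "roles": [r for r in asserted_roles if r in known_roles],
        "ignored": ignored,  # log these: a name mismatch here is why a user lacks access
    }
```

The "ignored" list is the first thing to check when a user signs in successfully but lands without the expected group or role.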

OAuth 2.0

IdP (Identity provider) Configuration

Set up your OAuth 2.0 Provider with these redirect URIs:

Authorization Endpoint / Login URI

${DT_HOST}

Redirection URI / Callback URL

${DT_HOST}/api/v2.1/user/login

Token Endpoint / Logout URL

${DT_HOST}

Origin URI

${DT_HOST}

SP (Service provider) Configuration on the DataTile side

Issuer URI

The URL of your OAuth 2.0 Provider.

Token Endpoint

URL to request access tokens.

Client Identifier (Client ID)

A public identifier for apps.

Client Secret

A secret known only to the application and the IdP service.

Example of the DataTile configuration

AUTH0_ISSUER_URI: https://<auth0-tenant-url>/
# OAUTH_ISSUER_URI:
# KEYCLOAK_ISSUER_URI:
OAUTH_ACCESS_TOKEN_URI: https://<auth0-tenant-url>/oauth/token
OAUTH_CLIENT_ID: <ID>
OAUTH_CLIENT_SECRET: <SECRET>
OAUTH_USER_INFO_USERNAME_FIELD: email

OpenID Connect (OIDC)

IdP (Identity provider) Configuration

Set up your OIDC Provider with these redirect URIs:

Authorization Endpoint / Login URI

${DT_HOST}

Redirection URI / Callback URL

${DT_HOST}/api/v2.1/user/login

Token Endpoint / Logout URL

${DT_HOST}

Origin URI

${DT_HOST}

SP (Service provider) Configuration on the DataTile side

OpenID configuration URI

The URL of your provider's OpenID configuration (discovery) document, normally ending in /.well-known/openid-configuration.

Client Identifier (Client ID)

A public identifier for apps.

Client Secret

A secret known only to the application and the IdP service.

Example of the DataTile configuration

SSO_ENABLED=true
OPENID_ENABLED=true

OPENID_ISSUER_URI=<idp-url.com/.well-known/openid-configuration>
OPENID_CLIENT_ID=<ID>
OPENID_CLIENT_SECRET=<SECRET>

# Additional configuration (not required in most cases)
OPENID_USERNAME_CLAIM=emails
OPENID_CLAIMS=emails,sub,oid,given_name,family_name
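As an added pre-deployment check (not DataTile's code, and not a description of how the server validates these settings), the Python below takes settings in the form shown above together with the provider's discovery document and flags the mistakes that most often break an OIDC rollout: a non-HTTPS or mis-suffixed issuer URI, a discovery document whose issuer does not match it, placeholders left in the client credentials, and a username claim the IdP does not advertise. The hostnames, client ID and discovery document are constructed for the example.

```python
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed settings in the form shown above; the secret placeholder is left in on purpose.
ENV = {
    "SSO_ENABLED": "true",
    "OPENID_ENABLED": "true",
    "OPENID_ISSUER_URI": "https://login.example.com/.well-known/openid-configuration",
    "OPENID_CLIENT_ID": "datatile-client",
    "OPENID_CLIENT_SECRET": "<SECRET>",
    "OPENID_USERNAME_CLAIM": "emails",
    "OPENID_CLAIMS": "emails,sub,oid,given_name,family_name",
}

# Constructed discovery document, as the IdP would serve it at OPENID_ISSUER_URI.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/authorize",
    "token_endpoint": "https://login.example.com/oauth/token",
    "claims_supported": ["sub", "email", "given_name", "family_name"],
})


def check_openid_config(env, discovery_json):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    uri = env.get("OPENID_ISSUER_URI", "")
    if urlparse(uri).scheme != "https":
        problems.append("OPENID_ISSUER_URI must use https")
    if not uri.endswith(DISCOVERY_SUFFIX):
        problems.append("OPENID_ISSUER_URI should end with " + DISCOVERY_SUFFIX)
    doc = json.loads(discovery_json)
    # OIDC Discovery requires the document's issuer to equal the URL it was fetched
    # from minus the suffix; a mismatch means ID tokens get checked against the wrong issuer.
    expected_issuer = uri[:-len(DISCOVERY_SUFFIX)] if uri.endswith(DISCOVERY_SUFFIX) else uri
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append("issuer in discovery document does not match OPENID_ISSUER_URI")
    for key in ("OPENID_CLIENT_ID", "OPENID_CLIENT_SECRET"):
        value = env.get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            problems.append(key + " still holds a placeholder")
    username = env.get("OPENID_USERNAME_CLAIM", "")
    claims = env["OPENID_CLAIMS"].split(",") if env.get("OPENID_CLAIMS") else []
    if username and claims and username not in claims:
        problems.append("OPENID_USERNAME_CLAIM is not listed in OPENID_CLAIMS")
    if username and username not in doc.get("claims_supported", [username]):
        problems.append("IdP does not advertise claim " + username)
    return problems
```

claims_supported is advisory in OIDC Discovery, so the last check is skipped when the document omits it; everything else is a hard error.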
