
Configure SAML authentication

Overview

SAML (Security Assertion Markup Language) is an open standard that allows you to use centralized user management to authenticate your users across multiple web applications - this is known as single sign-on (SSO).

Centralized user management is typically handled via an identity provider (IdP), and each application that you authenticate with is known as a service provider (SP).

Aperture Data Studio has the capability to act as one of those service providers for SAML V2.0.

Configuration

The steps below will allow you to configure Aperture Data Studio with SAML SSO.

Configuring Data Studio as the SP

To enable SAML for SSO in Data Studio, go to Settings > Security and under SAML properties check Enabled.

You will then need to configure the following mandatory settings:

  • Identity provider endpoint URL: The URL at which to authenticate the user.
  • Certificate fingerprint: The fingerprint of the IdP signing certificate. This can be either formatted or unformatted.
  • Certificate fingerprint algorithm: The algorithm that was used to generate the certificate fingerprint that is used by the IdP.
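
Added example (not part of the original page or the product's code): computing the Certificate fingerprint value from the IdP signing certificate in PEM form, and checking a configured value against it. It assumes "formatted" means colon-separated hex pairs as printed by `openssl x509 -fingerprint`; the function names and algorithm keys are hypothetical, and the sample certificate bytes are a constructed placeholder.

```python
import base64
import hashlib
import re

# Algorithm keys are assumptions for this example; pass the one that matches
# the "Certificate fingerprint algorithm" setting.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256,
              "sha384": hashlib.sha384, "sha512": hashlib.sha512}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, NOT a real certificate: a fingerprint is a hash
# of the DER bytes, so any payload exercises the same code path.
SAMPLE_DER = b"constructed placeholder for IdP signing certificate DER"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem_text, algorithm="sha256", formatted=True):
    """Hash the DER encoding; optionally format as colon-separated pairs."""
    name = algorithm.lower().replace("-", "")
    if name not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    hex_digest = ALGORITHMS[name](pem_to_der(pem_text)).hexdigest().upper()
    if not formatted:
        return hex_digest
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))

def normalize(fp):
    """Strip separators and case so formatted and unformatted forms compare equal."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", cleaned):
        raise ValueError("fingerprint is not hex")
    return cleaned

def matches(pem_text, configured_fp, algorithm="sha256"):
    """True if the configured fingerprint belongs to this certificate."""
    actual = fingerprint(pem_text, algorithm, formatted=False)
    return normalize(configured_fp) == normalize(actual)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM, "sha256"))                   # formatted
    print(fingerprint(SAMPLE_PEM, "sha256", formatted=False))  # unformatted
```

A fingerprint computed with a different algorithm than the one selected will not match, even for the correct certificate.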

Additionally, the following optional settings can be configured:

  • Identity provider logout URL: If your IdP supports single logout (SLO), this URL is where the IdP will expect to receive logout requests and responses.

  • Sign authentication requests: If you would like to sign your authentication requests, you can enable this switch and configure a valid certificate and key file in Data Studio.

  • Advanced settings:

    • Name identifier format: This specifies the format requested by Data Studio for the user identifier from the IdP. The user identifier maps the authenticated user to a user in Data Studio (using their username). For example, if users in Data Studio have their email address as their username, the name identifier format should be set to E-mail so that the IdP returns their email as their identifier and they are successfully mapped to their user in Data Studio.

    • Communication binding: The communication binding is the communication method between Data Studio and the IdP when making an authentication request. This can be set to either HTTP Redirect (default) or HTTP POST.

You can also customize the login button label and login message which are displayed on the login screen.

Configuring the Identity Provider (IdP)

To configure the IdP, you must provide the following values found in the SAML properties in Data Studio:

  • Service provider entity ID: An identifier representing this instance of Data Studio as the SP within the IdP. By default, this is set to https://datastudio.experianaperture.io and does not need to be changed unless you have multiple instances of Data Studio that are all configured for SSO using the same IdP.

  • Assertion consumer service (ACS) URL: The URL to which the IdP redirects with its authentication response. This should be set to <base Data Studio URL>/saml/auth.

The IdP will then also require the following configuration steps:

  • If you set up Data Studio to sign your authentication requests then you will also need to provide the IdP with that same certificate.

  • If a sign-on URL is required by the IdP then this should be set to the base address of your Data Studio server.

  • If your IdP supports single logout (SLO), you should specify the single logout endpoint URL of Data Studio so that the logout request is correctly received. This will be <base Data Studio URL>/saml/logout.

See the troubleshooting section for help with configuration errors.

Creating new Data Studio users

Before signing in to Data Studio via the IdP, users must have an account set up in Data Studio with a username that matches the name identifier returned by the IdP.

To create a new SSO user, you can use Data Studio's super admin account, which will continue to use internal authentication once SAML is enabled. To sign in to this account, navigate to <base Data Studio URL>/samladmin. From there, use the default super admin password (or your own custom password if it has already been changed) and create new users in the standard way.

Should SAML SSO ever be disabled, all users created while it was enabled will still be able to use internal Data Studio authentication. However, they will require a default password set up for them by an administrator that they can then change after login.

Changes to user settings

Once SAML SSO has been enabled, the following settings will no longer apply to or be seen by any user apart from the super admin. This is because these settings and policies are now controlled by the IdP.

  • Password policy
  • Maximum login attempts
  • Account lockout time period (minutes)

Users will also no longer have the option to change their password or have their account locked/unlocked, as this will also be controlled within the IdP.

The settings below will still apply to all users:

  • Login session timeout (minutes)
  • Restrict one session per user

Logging in and out of Data Studio

Logging in

Once SAML has been enabled in Data Studio for SSO, and users have been created in Data Studio that match with the users contained in the IdP, they can access Data Studio using the base address of the Data Studio server as well as any specific URL they wish to access (e.g. <base Data Studio URL>/1/3/view).

Upon doing so, the user will be redirected to the IdP to authenticate. If this is successful, they will be redirected back to Data Studio and successfully logged in.

In addition to the login session timeout, if a session lifetime is specified by the IdP then it will be respected.

When the session from the IdP is about to expire, a warning will appear in Data Studio suggesting that the user re-authenticates before the session expires to prevent any loss of work.

Logging out

To log out of Data Studio, there are two available options.

  • Select Switch user in Data Studio's main user menu. This will terminate the active Data Studio session and redirect the user to the IdP. The options at this point are IdP-dependent but may include signing in as a different user or signing out of the IdP session entirely.

  • Single Logout (SLO): SLO provides the ability to initiate the logout process simultaneously for all applications where the user has logged in via SSO, as opposed to logging out from each application individually. If your IdP supports SLO, and you initiate logout from the IdP or another SP, your currently active Data Studio session will be terminated.