SAML Authentication in Jedox

Jedox offers native support for SAML 2.0 (Security Assertion Markup Language), which is an XML-based, open standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP), such as OKTA and ADFS, and a service provider (SP). SAML simplifies the login process by enabling users to access many services with a single sign-on (SSO), which is accomplished through SAML elements packets passed between the service provider (Jedox software) and the identity provider (external entity or party), configured based on SP and IdP metadata.

Single sign-on (SSO) allows you to sign on with one set of credentials and gain access to multiple applications and services. SSO increases security and provides a better user experience by reducing the number of required accounts/passwords and providing simpler access to all the apps and services needed. With Jedox, you only need to set up the Third Party Relying Trust. Authentication can be used in Jedox Web and in clients such as the Excel Add-in.

Activating SAML in Jedox

  1. Contact your Jedox sales representative to purchase the service.

  2. Choose the implementation that suits you best: SAML-Authorization or SAML-Authentication, to enable Jedox processing of SAML logins in the desired way.

  • SAML in Authentication mode

For the authentication mode, users, user groups, and group role assignments must be defined in the Jedox In-Memory DB. Thus, both group assignment and user creation must be done manually. When a Jedox user logs in, Jedox receives the username and SAML attributes of the already verified SAML user, and uses these credentials to decide whether the user can access the In-Memory DB, returning true or false. If true (default behavior), the user must already exist in the In-Memory DB system with the correct group mapping. If false, the user will be rejected by the In-Memory DB. This behavior is similar to that of SSO authentication mode.

  • SAML in Authorization mode

This mode is better suited for an application with a larger number of users, as it eliminates the need to manually define users in the Jedox In-Memory DB, leaving this task to the Jedox system instead. In this mode, only group-role assignments need to be defined, using the default mechanism of authorizing a user login by assigning a user group. Jedox receives the username and SAML attributes of the already verified SAML user, and uses these credentials to decide whether the user can access the In-Memory DB (returning true or false), and to which Jedox groups this user belongs. This behavior is similar to that of SSO authorization mode.

  1. For the creation of the metadata XML, below are the necessary details from Jedox:

    • Identifier (Entity ID): https://<cloud-id>.cloud.jedox.com/be/saml.php
    • Reply URL (Assertion Consumer Service URL): https://<cloud-id>.cloud.jedox.com/ui/login/
    • Sign-on URL: https://<cloud-id>.cloud.jedox.com/ui/login/
    • Sign-out URL: https://<cloud-id>.cloud.jedox.com/ui/logout/

    The <cloud-id> is a placeholder for your individual Jedox instance and must be replaced accordingly.

  2. Add Jedox as a service provider in your corresponding identity provider (IdP) with the details provided in the previous step.

  1. Once the application is created, our Support engineers will need the saml-idp-metadata to complete the implementation. The saml-idp-metadata points to the XML metadata path of the identity provider in the form of a URL or file.

An example that designates the identity provider as Azure:

saml-idp-metadata "https://login.microsoftonline.com/1506ab1d-5566-43z5-b5b567f22e31f41/federationmetadata/2018-12/federationmetadata.xml"

An example that designates the identity provider as Salesforce:

saml-idp-metadata "https://user-dev-ed.my.salesforce.com/.well-known/samlidp.xml"
  1. Approximately 30 minutes of service downtime is required for the implementation.

  2. Contact Jedox Support for the implementation. Specify in your email the mode you want to implement, the XML metadata (preferably as a URL), and a timeframe for the downtime.

Manual login option: NOSSO (No Single Sign-On)

When SAML SSO is configured for a Jedox instance, users who are outside of the organization may need to manually log in, bypassing SSO. To do so, simply add the flag ?nosso to the login URL for Jedox Web, e.g. https://<serveraddress>/ui/login/?nosso, to enable username / password authentication.

The NOSSO option is enabled by default on all Jedox instances. To prevent users from bypassing SSO, contact Jedox Support to disable NOSSO. Disabling NOSSO will disable username / password authentication as well. This feature is available for Jedox Web, Jedox Mobile App, and Excel COM Add-in.

Logout handling

Enabling SAML (single) logout means that during logout, you will be logged out of both Jedox and the identity provider. The next time you login to Jedox, you will have to authenticate in the identity provider again. Note that SAML logout may not be supported by the identity provider.

To enable single logout, contact Jedox Support.

Updated December 9, 2024