SAML Authentication in Jedox


Jedox offers native support for SAML 2.0. SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP), such as Okta, and a service provider (SP). SAML simplifies the login process by giving users single sign-on across many services. This is accomplished through SAML messages exchanged between the service provider (the Jedox software) and the identity provider (an external entity or party), configured on the basis of the SP and IdP metadata.

In Jedox, SAML is mainly used for third-party authentication, as in cloud connections. Authentication may be server-side (In-Memory DB, Jedox Web) or client-side (Excel Add-in).

Important: as of Jedox 2019.2, the entityID consists of the web address + /be/saml.php, e.g. https://localhost/be/saml.php. For existing implementations with older forms of the entityID, metadata may have to be re-uploaded on the IdP side. Excel clients also cannot connect to older SAML configurations that have an entityId other than

Activating SAML in Jedox

1) Define CFG_AUTH_SSO as ‘saml’ in <Install_path>\Jedox Suite\httpd\app\etc\config.php (Windows) or <Install_path>/htdocs/app/etc/config.php (Linux).


2) Add the following lines to <Install_path>\olap\data\palo.ini (Windows) or <Install_path>/Data/palo.ini (Linux):

saml-idp-metadata (path to metadata XML for identity provider in url form, i.e., web link or file path)
saml-authorization or saml-authentication (to enable SVS processing of SAML logins in the desired way)
worker "<install_path>\svs\SupervisionServer.exe"
workerlogin information

An example that designates the identity provider as Azure: saml-idp-metadata ""
An example that designates the identity provider as Salesforce: saml-idp-metadata ""

3) Define the functions OnSAMLUserAuthenticate or OnSAMLUserAuthorize in a supervision script.

For example, the following script assigns the logged-in user to the Admin group through the SAML authorization event:

public function OnSAMLUserAuthorize(&$username, array $attributes, array& $groups) { // bool
    sep_log("<< User SAML authorize, username $username >>");
    // Every user reaching this hook carries a SAML assertion that Jedox has already verified;
    // this minimal script grants all of them the admin group.
    $groups = array("admin");
    return true;
}

4) Restart the Jedox Services.

5) Retrieve the metadata XML (which formally describes your Jedox environment as a service provider) from <your_web_instance>/be/saml.php (e.g. http://localhost/be/saml.php).

6) Add Jedox as a service provider in your corresponding identity provider with the metadata XML (url or file) received in the previous step, or by manually using information from that file.

The steps above outline basic SAML configuration. Other configuration options are possible; see the table below for more palo.ini keys.

SAML configuration options

Key name | Argument | Description | Default value
saml-authentication | | Enables SAML authentication mode. |
saml-authorization | | Enables SAML authorization mode. |
saml-certificate | <path to certificate> | Certificate published in the SP metadata so the identity provider can verify the signature on requests or use it to encrypt its responses. |
saml-digest-algorithm | | Hashing algorithm for signing. |
saml-embed-signature | | Embeds the SAML request signature inside the XML message instead of passing it as a GET parameter as defined by the SAML Redirect binding. |
saml-encrypt-login | | Enables encryption of SAML login requests. |
saml-encrypt-logout | | Enables encryption of SAML logout requests. |
saml-idp-metadata | <url> | Metadata XML for the identity provider. Use URL form (a web link). If the metadata is distributed as a file or the server has internet restrictions, use a file path, such as file://home/example/file.xml | empty string
saml-nameidpolicy | <NameID policy> | SAML NameID policy | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml-privatekey | <path to private key> | Private key used to sign requests (if enabled by saml-sign-login) and to decrypt responses from the identity provider. |
saml-sign-login | | Enables signing of SAML login requests. |
saml-sign-logout | | Enables signing of SAML logout requests. |
saml-signature-algorithm | <algorithm type> | Algorithm used for SAML signatures. |
saml-use-logout | | Enables SAML identity provider logout. Note: to enable single logout, you must also define CFG_AUTH_SLO as true in config.php. See the section on logout handling below. |


For more information on palo.ini options, see Configuring palo.ini for the In-Memory Database Server.
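The keys from the table combined into one palo.ini fragment, as an added example that is not from the original page or from Jedox. It enables authorization mode, signs login and logout requests with the SP private key, publishes the matching certificate in the SP metadata so the IdP can verify those signatures and encrypt its responses, and turns on identity-provider logout (CFG_AUTH_SLO in config.php must be set to true alongside it, as the note above says). The metadata URL, the certificate and key paths, and the # comment syntax are assumptions made for this example.

```ini
# Added example palo.ini fragment (not from the original page or from Jedox).
# Assumed for this example: the # comment syntax, the certificate/key paths and
# the IdP metadata URL (all placeholders); <install_path> is your Jedox installation.

# Authorization mode: users are created automatically, the SVS script fills the groups.
saml-authorization

# Identity provider metadata (placeholder URL; a file:// path works when the server has no internet access).
saml-idp-metadata "https://idp.example.invalid/federationmetadata.xml"

# SP key pair: the certificate is published in the SP metadata, the private key signs
# requests and decrypts responses. Keep the key file readable only by the Jedox service account.
saml-certificate "<install_path>\svs\saml\jedox-sp.crt"
saml-privatekey "<install_path>\svs\saml\jedox-sp.key"

# Sign outgoing requests and encrypt the login request.
saml-sign-login
saml-sign-logout
saml-encrypt-login

# Single logout on the IdP side (requires CFG_AUTH_SLO = true in config.php as well).
saml-use-logout

# Supervision server that runs the OnSAMLUserAuthorize script.
worker "<install_path>\svs\SupervisionServer.exe"
workerlogin information
```

After changing palo.ini, restart the Jedox Services and re-fetch the SP metadata from /be/saml.php; the published certificate and signing settings change, so the IdP side must be updated with the new metadata.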

Authentication mode

In authentication mode, users, user groups, and group-role mappings must be defined in the Jedox In-Memory DB. Neither group assignment nor the creation of users will be done automatically. During Jedox user login, SVS receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB, returning true or false. If true (standard behavior), the user must already exist in the In-Memory DB system database with proper group assignment. If false, the user will be declined by the In-Memory DB. This behavior is similar to that of SSO authentication mode.

To activate, add saml-authentication to palo.ini.

Authorization mode

This option eliminates the need to define users and groups in the In-Memory DB, instead leaving that task to the SVS script. In this mode, only group-role mappings must be defined directly in the Jedox In-Memory DB. Users are created automatically and need not be created manually in Jedox. The SVS script receives the username and SAML attributes of the already-verified SAML user, and based on those credentials decides whether the user can access the In-Memory DB (returning true or false) and which Jedox groups this user belongs to (the script must fill the $groups variable). This behavior is similar to that of SSO authorization mode.

To activate, add saml-authorization to palo.ini.
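A fuller supervision script for authorization mode, serving both step 3 of the activation procedure and the authorization mode just described, as an added example that is not from the original page or from Jedox. Instead of granting every SAML user the admin group, it maps group names released by the identity provider to Jedox groups and declines any login that maps to no group, so an unexpected or unmapped IdP group never grants access. The OnSAMLUserAuthorize declaration follows the form shown on this page; the assumed, page-undocumented parts are the layout of $attributes (attribute name => array of values), the attribute name groups, and the Jedox group names other than admin.

```php
<?php
// Added example supervision script for SAML authorization mode. It is not the script
// from the original page or from Jedox. Assumptions not documented on the page:
//  - $attributes is an associative array: SAML attribute name => array of values;
//  - group membership arrives in an attribute called "groups" (hypothetical name;
//    use whatever attribute your IdP is configured to release);
//  - Jedox groups other than "admin" are hypothetical and must exist in the
//    In-Memory DB with group-role mappings, as authorization mode requires.

public function OnSAMLUserAuthorize(&$username, array $attributes, array& $groups) { // bool
    // Name of the SAML attribute carrying group membership (hypothetical).
    $groupAttribute = "groups";

    // Mapping from IdP group names (constructed) to Jedox group names. Anything absent
    // from this map is ignored, so an unexpected IdP group never grants access.
    $groupMap = array(
        "jedox-admins"   => "admin",
        "jedox-planners" => "planner",
        "jedox-viewers"  => "viewer",
    );

    // Normalise the username so "Alice@Example.com" and "alice@example.com" become one Jedox user.
    $username = strtolower(trim($username));
    if ($username === "") {
        sep_log("<< SAML authorize declined: empty username >>");
        return false;
    }

    // Translate IdP groups to Jedox groups: case-insensitive match, duplicates dropped.
    $groups = array();
    if (isset($attributes[$groupAttribute]) && is_array($attributes[$groupAttribute])) {
        foreach ($attributes[$groupAttribute] as $idpGroup) {
            $key = strtolower(trim((string) $idpGroup));
            if (isset($groupMap[$key]) && !in_array($groupMap[$key], $groups, true)) {
                $groups[] = $groupMap[$key];
            }
        }
    }

    // Deny by default: a verified assertion alone is not enough, the user must map to a group.
    if (count($groups) === 0) {
        sep_log("<< SAML authorize declined for $username: no mapped groups >>");
        return false;
    }

    sep_log("<< SAML authorize $username -> " . implode(",", $groups) . " >>");
    return true;
}
```

Place the function in the SVS script referenced by the worker line in palo.ini and restart the Jedox Services (step 4). Because Jedox creates users automatically in this mode, the sep_log lines are the audit trail of who was admitted with which groups and who was declined; keep the map small and explicit rather than passing IdP group names through unchanged.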

Logout handling

Enabling SAML (single) logout means that during logout you are logged out of both Jedox and the identity provider. The next time you log in to Jedox, you have to authenticate with the identity provider again. Note: not every identity provider supports SAML logout.

To enable single logout, set CFG_AUTH_SLO in config.php to true. You must also define saml-use-logout in palo.ini.