SAML Authentication in Jedox

As of version 2018.4, Jedox offers native support for SAML 2.0. SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). SAML simplifies the login process by enabling users to access many services with a single sign-on, which is accomplished through SAML messages exchanged between the service provider (the Jedox software) and the identity provider (an external party), configured on the basis of the SP and IdP metadata.

In Jedox, SAML is mainly used for third-party authentication, for example for Cloud connections. Authentication can be server-side (In-Memory DB, Jedox Web) or client-side (Excel Add-in).

Activating SAML in Jedox

1) Define CFG_AUTH_SSO as ‘saml’ in <Install_path>\Jedox Suite\httpd\app\etc\config.php (Windows) or <Install_path>/htdocs/app/etc/config.php (Linux).

define('CFG_AUTH_SSO','saml');

2) Add the following lines to <Install_path>\olap\data\palo.ini (Windows) or <Install_path>/Data/palo.ini (Linux):

saml-idp-metadata (path to metadata XML for identity provider in url form, i.e., web link or file path)
saml-authorization or saml-authentication (to enable SVS processing of SAML logins in the desired way)
worker "<install_path>\svs\SupervisionServer.exe"
workerlogin information

An example that designates the identity provider as Azure: saml-idp-metadata "https://login.microsoftonline.com/1506ab1d-5566-43z5-b5b567f22e31f41/federationmetadata/2018-12/federationmetadata.xml"
An example that designates the identity provider as Salesforce: saml-idp-metadata "https://patwilly-dev-ed.my.salesforce.com/.well-known/samlidp.xml"

3) Define the functions OnSAMLUserAuthenticate or OnSAMLUserAuthorize in a supervision script.

For example, the following script places every user who passes the SAML authorization event into the admin group:

public function OnSAMLUserAuthorize(&$username, array $attributes, array &$groups) { // bool
    // $username and $attributes come from the SAML assertion the web tier has already verified
    sep_log("<< User SAML authorize, username $username >>");
    // every user reaching this event is assigned to the admin group
    $groups = array("admin");
    return true;
}

4) Restart the Jedox Services.

5) Retrieve the metadata XML (which formally describes your Jedox environment as a service provider) from <your_web_instance>/be/saml.php (e.g. http://localhost/be/saml.php).

6) Add Jedox as a service provider in your identity provider, either with the metadata XML (URL or file) retrieved in the previous step or by manually entering the information from that file.

The steps above outline basic SAML configuration. Other configuration options are possible; see the table below for more palo.ini keys.

SAML configuration options

Key name | Argument | Description | Default value
saml-authentication | | Enables SAML authentication mode. |
saml-authorization | | Enables SAML authorization mode. |
saml-certificate | <path to certificate> | The certificate is published in the metadata so the identity provider can verify the signature or use it to encrypt its responses. |
saml-digest-algorithm | | Hashing algorithm for signing. | http://www.w3.org/2001/04/xmlenc#sha256
saml-embed-signature | | Embeds the SAML request signature inside the XML message instead of passing it as a GET parameter as defined by the SAML Redirect binding. |
saml-encrypt-login | | Enables encryption of SAML login requests. |
saml-encrypt-logout | | Enables encryption of SAML logout requests. |
saml-idp-metadata | <url> | Metadata XML for the identity provider. Use URL form, such as https://metadata.example.com. If the metadata is distributed as a file or the server has internet restrictions, use a file path, such as file://home/example/file.xml. | empty string
saml-nameidpolicy | <NameID policy> | SAML NameID policy. | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml-privatekey | <path to private key> | The private key is used to sign requests (if enabled by saml-sign-login) and to decrypt responses from the identity provider. |
saml-sign-login | | Enables signing of SAML login requests. |
saml-sign-logout | | Enables signing of SAML logout requests. |
saml-signature-algorithm | <algorithm type> | Algorithm used for SAML signatures. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
saml-use-logout | | Enables SAML identity provider logout. Note: to enable single logout, you must also define CFG_AUTH_SLO as true in config.php. See the section on logout handling below. |

For more information on palo.ini options, see Configuring palo.ini for the In-Memory Database Server.
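The following palo.ini fragment is an added example, not Jedox's shipped palo.ini: it combines the keys from the table above into an authorization-mode configuration in which Jedox signs its login and logout requests with its own key pair, so the identity provider can reject requests that did not originate from this service provider. The metadata URL and the file paths in angle brackets are placeholders and must be replaced with your own values.

```ini
# Added example, not Jedox's own palo.ini. Placeholders in angle brackets must be replaced.

# Identity provider metadata (URL form; use a file:// path if the server cannot reach the IdP).
saml-idp-metadata "https://idp.example.com/federationmetadata.xml"

# Authorization mode: the SVS script decides access and fills the user's Jedox groups.
saml-authorization

# Service-provider key pair: the certificate is published in the SP metadata, the private key
# signs outgoing requests and decrypts encrypted IdP responses. Keep the key file readable
# only by the account that runs the In-Memory DB service.
saml-certificate "<Install_path>\olap\data\saml-sp.crt"
saml-privatekey "<Install_path>\olap\data\saml-sp.key"

# Sign login and logout requests so the IdP can verify they come from this service provider.
saml-sign-login
saml-sign-logout

# Optional: also end the IdP session on logout (requires CFG_AUTH_SLO set to true in config.php).
saml-use-logout

# Supervision server that runs the OnSAMLUserAuthorize handler.
worker "<Install_path>\svs\SupervisionServer.exe"
workerlogin information
```

After changing palo.ini, restart the Jedox services and fetch the service-provider metadata from /be/saml.php again, because the published certificate is part of that metadata and the identity provider needs the updated copy to verify the signed requests.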

Authentication mode

In authentication mode, users, user groups, and group-role mappings have to be defined on the Jedox In-Memory DB server. Neither group assignment nor the creation of users is done automatically. During a user's Jedox login, SVS receives the username and the SAML attributes of this already-verified SAML user and, based on those, decides whether the user may access the In-Memory DB server, returning true or false. If true (the standard behavior), the user element must already exist in the In-Memory DB server's system database with the proper group assignment. If false, the user is rejected by the In-Memory DB server.

To activate, add saml-authentication to the palo.ini.

Authorization mode

This option removes the need to define users and their group assignments on the In-Memory DB server, leaving that task to the SVS script; only the group-role mappings must still be defined directly on the Jedox In-Memory DB server. Users are created automatically and do not need to be created manually in Jedox. The SVS script receives the username and the SAML attributes of the already-verified SAML user and, based on those, decides whether the user may access the In-Memory DB server (returning true or false) and which Jedox groups this user belongs to (the script must fill the $groups variable).

To activate, add saml-authorization to the palo.ini.
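The handler below is an added example, not Jedox's own code and not the one-line script shown in the activation steps. It implements authorization mode with an explicit allowlist: a user is admitted only when the identity provider's group attribute maps to a known Jedox group, and a user with no mapped group is rejected instead of being let in with a default group. It assumes (this is not stated on the page) that $attributes is an associative array keyed by SAML attribute name whose values are either a string or a list of strings; the attribute name 'groups' and the group names in the map are invented for illustration. In authentication mode the same attribute check can be applied from OnSAMLUserAuthenticate without filling $groups, since there the group assignment already lives in the In-Memory DB.

```php
// Added example for a Jedox supervision script; not Jedox's own code.
// Assumed attribute shape: $attributes['groups'] is a string or a list of strings
// as delivered by the identity provider. The attribute and group names are invented.
public function OnSAMLUserAuthorize(&$username, array $attributes, array &$groups) { // bool
    // Hypothetical mapping from IdP group value to Jedox group. Only values listed here
    // can ever yield a Jedox group, so an unexpected attribute value never names a group.
    $map = array(
        'jedox-admins'  => 'admin',
        'jedox-finance' => 'finance',
        'jedox-viewers' => 'viewer',
    );

    // Normalise the IdP's group attribute to a list of strings, whether it arrived
    // as a single value or as a multi-valued attribute.
    $raw = isset($attributes['groups']) ? $attributes['groups'] : array();
    $idpGroups = is_array($raw) ? $raw : array($raw);

    $groups = array();
    foreach ($idpGroups as $g) {
        $g = trim((string)$g);
        if (isset($map[$g]) && !in_array($map[$g], $groups, true)) {
            $groups[] = $map[$g];
        }
    }

    if (count($groups) === 0) {
        // No mapped group: deny access rather than admit the user with no or a default group.
        sep_log("<< User SAML authorize denied, username $username: no mapped group >>");
        return false;
    }

    sep_log("<< User SAML authorize, username $username, groups " . implode(',', $groups) . " >>");
    return true;
}
```

Keeping the mapping in the script means an attacker who can influence an attribute value at the identity provider still cannot name an arbitrary Jedox group, and the denial log line gives the audit trail needed to spot users whose IdP group assignment is missing or has been tampered with.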

Logout handling

Enabling SAML Logout means that during logout, you will be logged out of both Jedox and the identity provider. The next time you login to Jedox, you will have to authenticate in the identity provider again. Note: SAML logout may not be supported by the identity provider.

To enable single logout, set CFG_AUTH_SLO in config.php to true. Note: you must also define saml-use-logout in palo.ini.