Configure external authentication - Data360_Analyze - Latest

Data360 Analyze Server Help

Product type: Software
Portfolio: Verify
Product family: Data360
Product: Data360 Analyze
Version: Latest
Language: English
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2024
First publish date: 2016
Last updated: 2024-11-28
Published on: 2024-11-28T15:26:57.181000
Table 1. Changes in this topic
Change type: Updated in version 3.16.0
Description: User group synchronization via SAML SSO.
Note: You must be an Administrator to have access to configure SSO and LDAP/AD settings.
  1. From the Directory, select Settings.
  2. Select Authentication.
  3. From the Details panel, select an Authentication Type. Choose from:

Local Only

Local Only is the default authentication type where users are created locally in Data360 Analyze.

You can select this option at any time to disable external authentication.

See Managing users and groups.

LDAP

Enter the authentication details for your LDAP server, as per the following examples:

Property Description
Server URL

Specify the name of the server which hosts your LDAP source system, including the port number and root DN, in the following format:

<protocol>://<server>:<port number>/<rootDN>

ldap://server.example.com:389/ou=someOrgUnit,dc=example,dc=com

The root Distinguished Name (root DN) defines the entry point in the LDAP structure from which an authentication search will take place.

Tip: We recommend that you set the root DN to the lowest possible point in the LDAP structure.

Using a secure connection to import LDAP/AD users and groups

If you want to enable LDAP/AD over SSL/TLS, use the "ldaps" protocol in your URL and ensure that the port number corresponds to the LDAPS port number on the LDAP/AD server (636 by default; 389 is the plain LDAP port and will not accept a TLS handshake):

ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com

You must then install security certificates on both your source LDAP/AD server and the Data360 Analyze server: the LDAP/AD server must present a server certificate, and that certificate (or the CA certificate that issued it) must be installed in the trust store on the Data360 Analyze server, otherwise the TLS handshake fails and no user can sign in. See Adding SSL certificates > Installing the certificate for more details.

Authenticate using application-level user

When a user logs in to Data360 Analyze, the authentication sequence between Data360 Analyze and the LDAP system is as follows:
  • Firstly, the LDAP system is searched to find the user and retrieve the user DN.
  • Then, the system tries to authenticate the user by binding with the user DN and the entered password.

If your source LDAP system requires it, select Authenticate using application-level user for increased security. When this option is selected, Data360 Analyze first binds to the LDAP system with the application user's credentials, and the initial user search is performed within that authenticated session.

If you do not select Authenticate using application-level user, the initial user search is performed anonymously. This only works if the directory permits anonymous searches over the user subtree and exposes the attributes needed to resolve the user DN; many directories disable anonymous search, in which case every sign-in fails at the search step.

Note: If you select Authenticate using application-level user, you must enter the Application User DN and the corresponding Application User Password.
Application User DN

The Application User DN is the DN of the LDAP binding user that will be used to connect to the source system during authentication. This account only needs permission to search the user subtree; do not use an administrative directory account for it.

CN=User,DC=example,DC=com

Application User Password

Enter the password that corresponds to the binding user DN.
Pool Connection

If you selected Authenticate using application-level user, you will also have the option to select Pool Connection.

Select Pool Connection to reduce the overhead of application-level user binding. When Pool Connection is selected, the application-level user binding will be made once and re-used for subsequent user searches. This means that a new connection does not need to be established every time a user signs in. When Pool Connection is not selected, a new application-level user binding will be made for every user authentication.

Username Attribute

Specify the attribute whose value users enter as their username at sign in. The first step of authentication searches for the entry whose value for this attribute equals the entered username, for example:

uid

User Search Base

Optionally, specify a User Search Base to further drill into specific organization units (OU) within the source directory from the specified rootDN, to limit the number of users who are allowed to sign in.

OU=users

In this example, all users are stored in a "users" OU directly below the rootDN.

If the users are spread across multiple OUs below the rootDN, then the User Search Base property can be left blank. If no value is set, the user search base will be the rootDN.

User Search Filter

Optionally, specify a User Search Filter to limit the number of users who are allowed to sign in to Data360 Analyze. You can apply a filter by using standard LDAP query syntax to identify specific users in the source system, in the following format:

objectClass=<something>

See Applying a filter.

Advanced settings

If your source system is LDAP, you also have the option to configure the following advanced settings:

Property Description
Referral

Select an option to configure the LDAP URL referral.

Choose from:

  • ignore - prevents any referrals from being followed.
  • follow - enables referrals to be automatically followed. Following a referral repeats the search against whichever server the referral names, using the same bind credentials, so only enable this for directories you control.
  • throw - causes the authentication to fail when a referral is given.
Deref Link

Select Deref Link to enable link dereferencing during the search.

Search Sub-Tree

Select Search Sub-Tree to search for users in the entire sub-tree relative to the user search base.

Search Time Limit

Specify the time to wait in milliseconds before the search fails. A value of zero means that there is no limit.

You can use the Key/Value table to specify settings specific to your LDAP server.

When you have finished entering your authentication settings, click Apply Changes and Deploy Authentication Configuration.
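The following is an added example, not Data360 Analyze's own code, showing how the LDAP settings above (Server URL, User Search Base, Username Attribute, User Search Filter, Application User DN) combine into the search that locates the user DN before the password bind. It also shows the check any search-then-bind implementation must make: the login name the user typed is placed inside an LDAP filter, so it must be escaped (RFC 4515) or a name such as `*)(uid=*` turns the lookup into a wildcard search. The `review_settings` warnings are this example's own pre-deployment checks; the example does not connect to a directory.

```python
"""Added example (illustrative, not Data360 Analyze's own code): how the Server
URL, User Search Base, Username Attribute and User Search Filter settings combine
into the search that locates the user DN before the bind, and why the typed login
name must be escaped before it goes into the filter."""
from urllib.parse import urlsplit, unquote

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 127:                       # non-ASCII: escape each UTF-8 byte
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def parse_server_url(url):
    """Split <protocol>://<server>:<port>/<rootDN> into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("Server URL must be ldap://host:port/rootDN or ldaps://host:port/rootDN")
    root_dn = unquote(parts.path.lstrip("/"))
    if not root_dn:
        raise ValueError("Server URL has no root DN")
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389), "root_dn": root_dn}

def search_base(cfg, user_search_base=""):
    """User Search Base is relative to the root DN; blank means the root DN itself."""
    return "%s,%s" % (user_search_base, cfg["root_dn"]) if user_search_base else cfg["root_dn"]

def user_search_filter(username_attribute, login_name, extra_filter=""):
    """Filter for the first sign-in step: find the entry whose username attribute matches."""
    core = "(%s=%s)" % (username_attribute, escape_filter_value(login_name))
    if not extra_filter:
        return core
    extra = extra_filter if extra_filter.startswith("(") else "(%s)" % extra_filter
    return "(&%s%s)" % (extra, core)

def review_settings(cfg, application_user_dn=None):
    """Warnings a practitioner would want before deploying the configuration (this example's own checks)."""
    warnings = []
    if cfg["scheme"] == "ldap":
        warnings.append("ldap:// sends bind passwords in clear text; use ldaps://")
    if cfg["scheme"] == "ldaps" and cfg["port"] == 389:
        warnings.append("ldaps:// on port 389: 389 is the plain LDAP port, LDAPS is normally 636")
    if not application_user_dn:
        warnings.append("no Application User DN: the initial search runs anonymously and the directory must allow it")
    return warnings

if __name__ == "__main__":
    cfg = parse_server_url("ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com")
    print(search_base(cfg, "OU=users"))
    # An unescaped login such as *)(uid=* would turn (uid=...) into a wildcard search;
    # escaping keeps it a literal value.
    print(user_search_filter("uid", "*)(uid=*", "objectClass=person"))
    for w in review_settings(cfg, None):
        print("WARNING:", w)
```

Run it with the Server URL from this page's examples and the filter produced for a hostile login name stays literal; swap the URL for the `ldaps://...:389/...` form and `review_settings` flags the port mismatch.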

Active Directory

Enter the authentication details for your Active Directory system, as per the following examples:

Property Description
Server URL

Specify the name of the server which hosts your Active Directory source system, including the port number and root DN, in the following format:

<protocol>://<server>:<port number>/<rootDN>

ldap://server.example.com:389/ou=someOrgUnit,dc=example,dc=com

The root Distinguished Name (root DN) defines the entry point in the Active Directory structure from which an authentication search will take place.

Tip: We recommend that you set the root DN to the lowest possible point in the Active Directory structure.

Using a secure connection to import LDAP/AD users and groups

If you want to enable LDAP/AD over SSL/TLS, use the "ldaps" protocol in your URL and ensure that the port number corresponds to the LDAPS port number on the LDAP/AD server (636 by default; 389 is the plain LDAP port and will not accept a TLS handshake):

ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com

You must then install security certificates on both your source LDAP/AD server and the Data360 Analyze server: the domain controller must present a server certificate, and the Data360 Analyze server must trust that certificate or the CA that issued it. Please refer to your vendor's documentation for how to install security certificates.

Username Attribute

Select the attribute against which users will be authenticated during sign in.

Note: The option that you select here should match the value that you enter in the Username Attribute property when configuring an AD user import.

Choose from:

  • distinguishedName - Users will need to enter a DN to sign in, for example, CN=User,DC=example,DC=com
  • userPrincipalName - Users can sign in with their username.
  • sAMAccountName - Users will need to sign in with their fully qualified netBiosDomain\sAMAccountName, in the following format:

    <NetBios Domain>\<sAMAccountName>

  • Other
Default NetBios Domain

If you selected sAMAccountName, you have the option to specify a single Default NetBios Domain so that users only need to enter their sAMAccountName when signing in. If the user does not specify a NetBios domain at sign in, the Default NetBios Domain is used in conjunction with the sAMAccountName entered by the user to authenticate the login request.

Domain

Optionally, specify the domain of your AD source system.

example.com

This domain is used when authenticating against the User Principal Name and to authenticate users who have been imported with their sAMAccountName as their username. In this case, the <sAMAccountName>@<domain>, e.g. user@example.com must match the User Principal Name within the Active Directory system.

User Search Filter

Optionally, specify a User Search Filter to limit the number of users who are allowed to log in to Data360 Analyze. You can apply a filter by using standard LDAP query syntax to identify specific users in the source system, in the following format:

objectClass=<something>

See Applying a filter.

Advanced settings

If your source system is AD, you also have the option to configure the following advanced setting:

Property Description
Referral

Select an option to configure the LDAP URL referral.

Choose from:

  • ignore - prevents any referrals from being followed.
  • follow - enables referrals to be automatically followed.
  • throw - causes the authentication to fail when a referral is given.

When you have finished entering your authentication settings, click Apply Changes and Deploy Authentication Configuration.
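The following is an added example, not Data360 Analyze's own code, showing how the Username Attribute, Default NetBios Domain and Domain settings above turn what the user typed into the identity the directory is asked to authenticate, and which inputs should be rejected before any bind is attempted. The DN check is a deliberately simple pattern match (it does not handle escaped commas in DNs), and upper-casing the NetBIOS domain is this example's own normalisation choice.

```python
"""Added example (illustrative, not Data360 Analyze's own code): how the AD
Username Attribute, Default NetBios Domain and Domain settings turn what the
user typed into the identity the directory is asked to authenticate."""
import re

# Simple DN shape check: RDN=value pairs separated by commas (no escaped-comma support).
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")

def resolve_ad_login(attribute, login, default_netbios=None, domain=None):
    """Return (attribute, value) to authenticate against, or raise ValueError."""
    login = login.strip()
    if not login:
        raise ValueError("empty sign-in name")
    if attribute == "distinguishedName":
        if not DN_RE.match(login):
            raise ValueError("expected a DN such as CN=User,DC=example,DC=com")
        return "distinguishedName", login
    if attribute == "userPrincipalName":
        # A bare account name is qualified with the Domain setting: <name>@<domain>.
        if "@" in login:
            return "userPrincipalName", login
        if not domain:
            raise ValueError("bare username needs the Domain setting to form a UPN")
        return "userPrincipalName", "%s@%s" % (login, domain)
    if attribute == "sAMAccountName":
        if "\\" in login:
            netbios, account = login.split("\\", 1)
        elif default_netbios:
            netbios, account = default_netbios, login
        else:
            raise ValueError("enter <NetBios Domain>\\<sAMAccountName> or set Default NetBios Domain")
        if not netbios or not account or "\\" in account:
            raise ValueError("malformed <NetBios Domain>\\<sAMAccountName>")
        # NetBIOS names are case-insensitive; upper-case for a stable lookup/audit key.
        return "sAMAccountName", "%s\\%s" % (netbios.upper(), account)
    raise ValueError("unsupported Username Attribute: %s" % attribute)

def login_error(attribute, login, **settings):
    """Return the rejection reason for a sign-in name, or None if it is acceptable."""
    try:
        resolve_ad_login(attribute, login, **settings)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print(resolve_ad_login("sAMAccountName", "jdoe", default_netbios="EXAMPLE"))
    print(resolve_ad_login("userPrincipalName", "jdoe", domain="example.com"))
    print(login_error("sAMAccountName", "jdoe"))   # no domain anywhere: rejected
```

The point of `login_error` is that a mis-typed or domain-less name is rejected locally with a clear reason instead of producing a failed bind against the domain controller.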

SAML2 SSO

If enabled, Single Sign-On (SSO) is the primary method of user authentication. In this case, authentication occurs externally via the SAML2 Single Sign-On web agent.

The following steps describe how to establish a connection between Data360 Analyze and your external SAML system:

  1. Generate the SP Metadata as follows:
    1. Configure the Browser Accessible Webapp Context URL property:
      Property Description

      Browser Accessible Webapp Context URL

      Enter a valid URL. This is the URL from which users will access the web application via a web browser. This should account for any proxying or gateways. For example, the web application may be hosted at the URL http://d3sa.internal.example.com:8081 but only accessible to end users via http://d3sa.gateway.example.com:1234. In this case, http://d3sa.gateway.example.com:1234 should be specified. The value is used when generating the SP metadata, so if it is wrong the IDP will return SAML responses to an address that users' browsers cannot reach; in production it should be the HTTPS URL users actually use.

      By default, this property is automatically completed based on the location in the web browser.

    2. If this is the only property that you want to configure before generating the SP Metadata, click the Apply and Generate button to generate the SPMetadata. The SP Metadata property contains the SAML SP metadata for the Data360 Analyze instance.

      Alternatively, there are a number of optional properties that you can also modify before clicking Apply and Generate. If you do not configure these additional properties (described in the following table), the default values will be used:

      Property Description

      SP Entity Id

      Optionally, enter a valid Entity ID URI following the SAML 2.0 specification. This is the Entity ID of the Service Provider (SP) which is used by SAML to identify the SP when participating in authentication with the Identity Provider (IDP).

      There is no default. If this property is not set, an ID will be generated when the SP metadata is generated.

      SP Supported Response Bindings

      Enter the set of SAML response bindings to support. You can enter one or more of the following values in a comma-separated list:

      HTTP_POST, HTTP_REDIRECT and HTTP_SIMPLE_SIGN_POST

      The first in the list will be indicated as the default in the metadata. Responses will be validated against this list, and will be rejected if not in the list.

      The default value is HTTP_POST.

      Signed Assertions Required

      Indicates whether or not cryptographically signed assertions are required in the authentication responses from the IDP. This requirement will be indicated in the generated SP metadata, and enforced when receiving responses.

      The default value is true (selected).

      SP Sign Requests

      Indicates whether or not to cryptographically sign requests sent to the IDP.

      The default value is true (selected).

      SP Signing Credential Reference

      Optionally, specify the name of the public/private key credential to use for cryptographically signing SAML requests.

      Note that the certificate for the public/private key pair generated by the Apply and Generate button will be a self-signed certificate. This is normally sufficient for SAML because trust is established by the manual process of uploading the SP metadata to the IDP. However, if a CA signed certificate is required, then the credential can be generated externally and then installed manually into the Data360 Analyze security store using the java keytool command line utility. In this case, in this property specify the name of the alias used when installing the credential into the key store.

      If this property is not set, a default credential will be generated during installation using the defaults of the other Signing Credential properties.

      SP Encryption Credential Reference

      Optionally, specify the name of the public/private key credential to use for encrypting SAML assertions.

      Note that the certificate for the public/private key pair generated by the Apply and Generate button will be a self-signed certificate. This is normally sufficient for SAML because trust is established by the manual process of uploading the SP metadata to the IDP. However, if a CA signed certificate is required, then the credential can be generated externally and then installed manually into the Data360 Analyze security store using the java keytool command line utility. In this case, in this property specify the name of the alias used when installing the credential into the key store.

      If this property is not set, a default credential will be generated during installation using the defaults of the other Encryption Credential properties.

      Signing Credential Algorithm

      Enter a valid KeyFactory Algorithm as described at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyFactory

      This is the algorithm to use when generating signing key credentials.

      The default value is RSA.

      Signing Credential Key Strength

      Enter an integer to represent the number of bits in the generated cryptographic key.

      The default value is 2048.

      Signing Credential Certificate Validity

      Specify the validity period for the generated self-signed certificate from the time of generation in milliseconds.

      The default value is 86400000000 ms (1000 days).

      Signing Credential Certificate Principal

      Specify the principal name to use when self-signing the certificate in the X.500 Principal format.

      The default value is cn=Analyze, ou=Data360, o=Precisely, c=US.

      Signing Credential Certificate Signing Algorithm

      Enter a valid Signature algorithm name as described at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Signature

      This is the algorithm to use when signing the self-signed certificate. The generated key will be used to sign its own certificate, so the algorithm selected must be compatible with the type of key generated.

      The default value is SHA256WithRSA.

      Encryption Credential Algorithm

      Enter a valid KeyFactory Algorithm as described at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyFactory

      This is the algorithm to use when generating encryption key credentials.

      The default value is RSA.

      Encryption Credential Key Strength

      Enter an integer to represent the number of bits in the generated cryptographic key.

      The default value is 2048.

      Encryption Credential Certificate Validity

      Specify the validity period for the generated self-signed certificate from the time of generation in milliseconds.

      The default value is 86400000000 ms (1000 days).

      Encryption Credential Certificate Principal

      Specify the principal name to use when self-signing the encryption certificate, in the X.500 Principal format.

      The default value is cn=Analyze, ou=Data360, o=Precisely, c=US.

      Encryption Credential Certificate Signing Algorithm

      Enter a valid Signature algorithm name as described at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Signature

      This is the algorithm used to self-sign the certificate for the encryption key pair. The generated key will be used to sign its own certificate, so the algorithm selected must be compatible with the type of key generated.

      The default value is SHA256WithRSA.

    3. After configuring all required properties, click Apply and Generate to generate the SPMetadata. The SP Metadata property contains the SAML SP metadata for the Data360 Analyze instance.
  2. Copy the generated SP Metadata and provide your IDP administrator with this information.
  3. Request the IDP metadata for the IDP from your administrator, and copy this information into the IDP Metadata property.

    The IDP Metadata property should contain the IDP metadata for the IDP to use in authentication.

    Note: The IDP metadata may be cryptographically signed, so care should be taken when copying and pasting to avoid reformatting, as this may cause the signature to become invalid.
  4. Optionally, enter a valid SAML IDP Entity URI in the IDP Entity Id property. This is only required if the provided IDP metadata is a consolidation of multiple entities with an <EntitiesDescriptor> root element. In this case, the entity ID should be the ID of the IDP entity to use from the document.
  5. Configure the User Lookup Query, Group Lookup Query and Attribute Mapping properties:
    Property Description
    Attribute Mapping

    Using JSON, specify how to map from the name ID, attributes, or general XML elements of the authentication response to local Data360 Analyze attributes that can be referenced in the User Lookup Query.

    The following example shows how to format the JSON:

    
    {
      "mappings" : [
        {
          "name" : "mappedAttributeIdentifier",
          "referenceType" : "NAME_ID" | "ATTRIBUTE_VALUE" | "XPATH",
          "reference" : "attributeValueName",
          "index" : <Integer>,
          "required" : true | false
        },
        ....
      ]
    }
    • name - Identifies the attribute when substituting its value into the User Lookup Query, see User Lookup Query (below).
    • referenceType - Can be one of the following:
      • NAME_ID - Specifies that the value is taken from the NameID of the subject.
      • ATTRIBUTE_VALUE - Specifies that the value is taken from the assertion attribute named in "reference".
      • XPATH - Specifies that the value is taken from some part of the Response XML object using the XPath expression in "reference".
    • reference:
      • Is not required when referenceType is NAME_ID.
      • Specifies the assertion attribute when referenceType is ATTRIBUTE_VALUE.
      • Specifies the XPath Expression when referenceType is XPATH.
    • index - Specifies which value to use if an attribute has an array of values, where 0 is the first value. Leave it null to take all values, as the default group mapping does.
    • required - Whether the mapping must be satisfied by the authentication response. The default mapping sets it to true for "username" and false for "groupname".

    Multiple attribute mapping definitions can be specified if required.

    Note: The attribute name "username" is special in that without further specification in the User Lookup Query property, it will be used as the user ID.
    Note: The attribute name "groupname" is special in that without further specification in the Group Lookup Query it will be used as the group name.
    The default value is:
    {"mappings":[ 
       { 
          "referenceType":"NAME_ID","index":null,"reference":null,"required":true,"name":"username"
       }, 
       { 
           "referenceType":"ATTRIBUTE_VALUE","index":null,"reference":"groups","required":false,"name":"groupname" 
       } 
    ]}  

    This tells the application to use the value of NAME_ID from the SAML Authentication Response as the username in Data360 Analyze and to use Attribute Values with the name "groups" to assign the user's groups in Data360 Analyze. Change "groups" to correspond to the name of the SAML SSO Attribute Value that specifies the groups.

    User Lookup Query

    Optionally, specify a FIQL query to be executed to provide an alternate lookup mechanism for users, for example if you want to use another form of ID to lookup a user.

    By default, the lookup will use the mapped username attribute to search for users with the associated name. If provided, the name of the user that is the result of this query will be used as the authenticated principal.

    The following fields in the Analyze user profile can be used in the query:

    Email Address - specified as 'emailAddress' in the query. For example, emailAddress==${username} matches the mapped username (by default the SAML NameID) against the Analyze user profile Email Address.

    Attributes - specified as 'attributes' in the query. Attributes mapped from the Attribute Mapping property can be substituted into the query using the ${attributeName} syntax.

    Group Lookup Query

    Optionally, specify a FIQL query to be executed to provide an alternate lookup mechanism for groups.
    Example - User Lookup Query

    In this example, the IDP has the following custom attribute for a user which is used to match the IDP user profile to a user profile in Data360 Analyze:

    idp_attribute_name with a value of idp_attribute_value

    1. Configure the Attribute Mapping property as follows:
      {"mappings" : [{
      		"name" : "mapped_attribute_id",
      		"index" : 0,
      		"reference" : "idp_attribute_name",
      		"referenceType" : "ATTRIBUTE_VALUE"}
      ]}

      This tells Data360 Analyze to assign the value of the idp_attribute_name attribute received from the IDP in the authentication response to a variable called mapped_attribute_id

    2. Configure the User Lookup Query property as follows:

      attributes=="custom_user_profile_attribute=${mapped_attribute_id}"

      This tells Data360 Analyze to identify the user profile by searching the Attributes field in the user profile for the value in mapped_attribute_id

      The ${ } notation in the query tells Data360 Analyze to substitute the value identified by mapped_attribute_id in the mapping into the query.

    3. In the Directory, select Users and select the user that you want to match to the IDPuser profile.
    4. Click Edit to open the Edit User dialog.
    5. In the Attributes field, enter custom_user_profile_attribute=idp_attribute_value

      This corresponds to the information entered in the User Lookup Query property.

      Tip: It is possible to enter multiple values in the Attributes property, in a comma-separated list. For example:

      custom_user_profile_attribute_1=idp_attribute_value_1, custom_user_profile_attribute_2=idp_attribute_value_2

      These can be matched by a User Lookup Query that substitutes the corresponding mapping names (here assumed to be mapped_attribute_id_1 and mapped_attribute_id_2), for example:

      attributes=="custom_user_profile_attribute_1=${mapped_attribute_id_1}",attributes=="custom_user_profile_attribute_2=${mapped_attribute_id_2}"

      In FIQL a comma between conditions means OR and a semicolon means AND, so use ";" in place of "," if both attributes must be present on the profile.

    After configuring the above settings, when the user signs in, their Data360 Analyze user profile will be matched to their IDPuser profile.

    Example - Group Lookup Query

    In this example, the IDP has the following custom attribute for groups which is used to match the IDP group profile to a group profile in Data360 Analyze:

    idp_attribute_group_name with possible values of idp_attribute_group1_value, idp_attribute_group2_value

    1. Configure the Attribute Mapping property as follows:
      {"mappings" : [{
      		"name" : "mapped_attribute_group_id",
      		"index" : null,
      		"reference" : "idp_attribute_group_name",
      		"referenceType" : "ATTRIBUTE_VALUE"}
      ]}

      This tells Data360 Analyze to assign the value of the idp_attribute_group_name attribute received from the IDP in the authentication response to a variable called mapped_attribute_group_id

    2. Configure the Group Lookup Query property as follows:

      attributes=in=${mapped_attribute_group_id}

      This tells Data360 Analyze to identify the group profiles by searching the Attributes field in the group profile for the value in mapped_attribute_group_id

      The ${ } notation in the query tells Data360 Analyze to substitute the value identified by mapped_attribute_group_id in the mapping into the query. This will be a list of groups.

    3. In the Directory, create the groups that you want to match to the IDP group profile.
    4. Create the first group, name it "Analyze Group 1". In the Attributes field, enter idp_attribute_group1_value. Select SSO Managed.
    5. Create the second group, name it "Analyze Group 2". In the Attributes field, enter idp_attribute_group2_value. Select SSO Managed.
    After configuring the above settings, when the user signs in, they are added to the groups that are mapped from those in their authentication response; the groups you marked SSO Managed are the ones kept in step with the response. For example, if the authentication response contains idp_attribute_group_name=idp_attribute_group1_value, the user is added to "Analyze Group 1", because that is the group whose Attributes field holds idp_attribute_group1_value.
  6. Configure the remaining properties, if required:
    Property Description

    SP Request Bindings

    Specify the bindings to use in order of preference when making a SAML authentication request. This will be reconciled against the list of available bindings provided by the IDP metadata by selecting the first binding method in this list which is supported by the IDP. If no binding in this list is in the supported set of bindings from the IDP, then an error will occur. You can enter one or more of: HTTP_POST, HTTP_REDIRECT and HTTP_SIMPLE_SIGN_POST.

    The default value is HTTP_REDIRECT, HTTP_POST.

    Request Assertion Consumer Service Mode

    Enter how to specify the assertion consumer service to use for the exchange in the request. Enter one of the following:

    • URL - A URL to the endpoint.
    • INDEX - An index referencing the Assertion Consumer Service in the SP Metadata.
    • NONE - The IDP will be free to choose which Assertion Consumer Service to use.

    The default value is INDEX.

    SP Request Name Id Policy Allow Create

    Indicates whether or not the SAML request tells the IDP that it may create a new identifier for the user if one does not already exist. Sets the AllowCreate attribute of the <NameIDPolicy> element in the <AuthnRequest>.

    The default value is false (not selected).

    Request Name Id Policy Format

    Optionally specify a value to use for the Format attribute of <NameIDPolicy> in the <AuthnRequest>.

    You can specify one of the following values, or you can leave this property blank:

    EMAIL, ENCRYPTED, ENTITY, KERBEROS, PERSISTENT, TRANSIENT, UNSPECIFIED, WIN_DOMAIN_QUALIFIED or X509_SUBJECT

    Request Name Id Policy SPName Qualifier

    Optionally, enter a string to specify the value to use for the SPNameQualifier attribute of <NameIDPolicy> in the <AuthnRequest>.

    SP Response Validation Clock Skew

    Optionally, enter a value in milliseconds. If a value is specified, when performing response validation, a clock skew of up to the specified amount is assumed. Keep this small (a few minutes at most): a large skew extends the window in which an expired or replayed assertion is still accepted, so correct clock drift between the SP and the IDP with NTP rather than widening this value.

    SP Disabled Response Validations

    Optionally enter a value to disable the specified validations on the authentication responses. You can enter one or more of the following:

    ASSERTION_SIGNATURE, AUDIENCE_RESTRICTION, RESPONSE_SIGNATURE and SUBJECT_CONFIRMATION.

    Note: Disabling any of the validations can compromise the security of the system: with RESPONSE_SIGNATURE and ASSERTION_SIGNATURE both disabled, anyone who can reach the assertion consumer endpoint can submit a forged response for any username. This setting is intended only for initial configuration and for identifying problems by disabling certain types of validation; re-enable all validations before the system is exposed to users.
    Log Level

    Optionally set the Log Level property to set the threshold for logging information to help with troubleshooting. Enter one of the following values:

    • ERROR
    • WARN
    • INFO
    • DEBUG
    • TRACE

    The default value is INFO and should be used in production to avoid generating very large log files.

    DEBUG provides more information. TRACE provides a very large amount of information and can include the content of the SAML messages being exchanged, so treat TRACE logs as sensitive and revert to INFO once troubleshooting is complete.

  7. When you have finished entering your authentication settings, click Apply Changes and Deploy Authentication Configuration.
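The following is an added example, not Data360 Analyze's own code, that works through step 5 end to end: it applies an Attribute Mapping in the page's JSON form (one entry for each of NAME_ID, ATTRIBUTE_VALUE with an index, ATTRIBUTE_VALUE without one, and XPATH) to a constructed SAML response, then runs the User Lookup Query and Group Lookup Query from the two worked examples above against constructed user and group profiles. The FIQL evaluator is a minimal subset written for this example (operators `==` and `=in=`, `,` as OR, `;` as AND), not the product's query engine. Two choices are this example's own rather than documented product behaviour: a mapped value containing FIQL metacharacters is refused before substitution, because a NameID such as `x,emailAddress==admin@example.com` would otherwise add an OR clause to the lookup, and a lookup that matches anything other than exactly one profile is treated as a failure. The code assumes the response has already passed the signature, audience and subject-confirmation validations described above; mapping and lookup must never run on an unvalidated response.

```python
"""Added example (illustrative, not Data360 Analyze's code): apply the Attribute Mapping,
then the User Lookup Query and Group Lookup Query, to a SAML response that has ALREADY
passed signature, audience and subject-confirmation validation. XPATH references use
ElementTree's XPath subset; the FIQL evaluator supports == and =in= with ',' (OR) and ';' (AND)."""
import json, re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed, unsigned sample response: illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="idp_attribute_name"><saml:AttributeValue>idp_attribute_value</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="idp_attribute_group_name"><saml:AttributeValue>idp_attribute_group1_value</saml:AttributeValue>
    <saml:AttributeValue>idp_attribute_group2_value</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
# Attribute Mapping in the page's JSON form, one entry per referenceType.
MAPPING = json.loads("""{"mappings": [
 {"name": "username", "referenceType": "NAME_ID", "reference": null, "index": null, "required": true},
 {"name": "mapped_attribute_id", "referenceType": "ATTRIBUTE_VALUE", "reference": "idp_attribute_name", "index": 0, "required": true},
 {"name": "mapped_attribute_group_id", "referenceType": "ATTRIBUTE_VALUE", "reference": "idp_attribute_group_name", "index": null, "required": false},
 {"name": "issuer", "referenceType": "XPATH", "reference": ".//saml:Issuer", "index": 0, "required": false}]}""")
# Constructed Data360 user and group profiles; "attributes" holds the Attributes field entries.
USERS = [{"name": "jane.doe", "emailAddress": "jdoe@example.com", "attributes": ["custom_user_profile_attribute=idp_attribute_value"]},
         {"name": "admin", "emailAddress": "admin@example.com", "attributes": []}]
GROUPS = [{"name": "Analyze Group 1", "attributes": ["idp_attribute_group1_value"], "ssoManaged": True},
          {"name": "Analyze Group 2", "attributes": ["idp_attribute_group2_value"], "ssoManaged": True},
          {"name": "Local Admins", "attributes": ["idp_attribute_group2_value"], "ssoManaged": False}]
USER_QUERY = 'attributes=="custom_user_profile_attribute=${mapped_attribute_id}"'
GROUP_QUERY = "attributes=in=${mapped_attribute_group_id}"
FIQL_META = set(',;()"')
TERM = re.compile(r"^\s*(\w+)(==|=in=)(.+?)\s*$")

def resolve_mappings(response_xml, mapping):
    """Return {name: value or list of values}; raise if a required mapping is absent."""
    root, out = ET.fromstring(response_xml), {}
    for m in mapping["mappings"]:
        kind, ref, idx = m["referenceType"], m.get("reference"), m.get("index")
        if kind == "NAME_ID":
            nodes = root.findall(".//saml:Subject/saml:NameID", NS)
        elif kind == "ATTRIBUTE_VALUE":  # compare Name in Python; never splice ref into an XPath string
            nodes = [v for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == ref
                     for v in a.findall("saml:AttributeValue", NS)]
        elif kind == "XPATH":
            nodes = root.findall(ref, NS)
        else:
            raise ValueError("unknown referenceType: %s" % kind)
        values = [(n.text or "").strip() for n in nodes]
        if idx is not None:  # select one value of a multi-valued attribute
            values = values[idx:idx + 1]
        if not values and m.get("required"):
            raise ValueError("required mapping %r absent from response" % m["name"])
        if values:
            out[m["name"]] = values[0] if len(values) == 1 else values
    return out

def safe_value(value):
    """Reject values that could rewrite the query once substituted (FIQL injection)."""
    items = value if isinstance(value, list) else [value]
    return all(isinstance(v, str) and v and not (set(v) & FIQL_META) for v in items)

def substitute(query, mapped):
    """Replace ${name} placeholders; a list value becomes a FIQL (a,b) list."""
    def repl(match):
        value = mapped.get(match.group(1))
        if value is None or not safe_value(value):
            raise ValueError("unusable value for ${%s}" % match.group(1))
        return "(%s)" % ",".join(value) if isinstance(value, list) else value
    return re.sub(r"\$\{(\w+)\}", repl, query)

def _split_top(text, sep):
    """Split on sep outside double quotes and parentheses."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in text:
        quoted ^= ch == '"'
        depth += 0 if quoted else (ch == "(") - (ch == ")")
        if ch == sep and depth == 0 and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return parts + [cur]

def _term_matches(term, record):
    m = TERM.match(term)
    if not m:
        raise ValueError("unsupported FIQL term: %s" % term)
    field, op, raw = m.groups()
    actual = record.get(field)
    actual = actual if isinstance(actual, list) else [actual]
    wanted = [raw.strip('"')] if op == "==" else [w.strip().strip('"') for w in raw.strip("()").split(",")]
    return any(a in wanted for a in actual)

def evaluate(query, records):
    """FIQL subset: ',' is OR, ';' is AND, operators == and =in=."""
    return [r for r in records
            if any(all(_term_matches(t, r) for t in _split_top(alt, ";"))
                   for alt in _split_top(query, ","))]

def authenticate(response_xml=SAMPLE_RESPONSE):
    """Map the validated response to exactly one user and its SSO Managed groups."""
    mapped = resolve_mappings(response_xml, MAPPING)
    users = evaluate(substitute(USER_QUERY, mapped), USERS)
    if len(users) != 1:  # an ambiguous or empty lookup must not sign anyone in
        raise ValueError("user lookup matched %d profiles, expected 1" % len(users))
    groups = evaluate(substitute(GROUP_QUERY, mapped), GROUPS)
    return users[0]["name"], [g["name"] for g in groups if g["ssoManaged"]]

if __name__ == "__main__":
    print(authenticate())   # ('jane.doe', ['Analyze Group 1', 'Analyze Group 2'])
```

`authenticate()` returns the Data360 user matched through `custom_user_profile_attribute` and the two SSO Managed groups; "Local Admins" carries the same attribute value but is not SSO Managed, so the response cannot grant it. Changing the sample NameID to `x,emailAddress==admin@example.com` makes `substitute` raise instead of silently widening the lookup.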

Renew the Signing and Encryption Credential certificates

When configuring SAML2 SSO in Data360 Analyze, the default settings generate two self-signed certificates for the Signing Credential and Encryption Credential. These certificates are stored in the <siteDir>/keystores/securityStore.jks keystore and expire after 1000 days. To renew these certificates, follow the steps outlined below:
  1. Log in to the Directory as an administrator and select Settings > Authentication.
  2. Select SAML2 SSO as the Authentication Type.
  3. In the SAML2 SSO section, expand Advanced Settings and locate Apply and Generate button for the Signing Credential and Encryption Credential certificates.
  4. Click each button once to generate two new certificates.
  5. Scroll to the top and click Apply and Generate button to generate the SPMetadata. This will create new SP Metadata using the newly generated certificates.
  6. Copy the new SP Metadata and provide it to your Identity Provider (IDP) administrator for updating on their side.
  7. Your IDP administrator may then share a new IDP Metadata blob which should be entered into the IDP Metadata configuration box.
  8. Click the Deploy Authentication Configuration button at the top of the settings panel to implement all the new settings.

Default user credentials

Note: After installation, you are assigned the following default user credentials:

Username - admin
Password - welcome

Change this password immediately after installation; the default is published here and will be the first thing tried against an exposed instance. If a user logs in as 'admin' via SSO, then this user will become the default 'admin' user in Data360 Analyze.

To complete your LDAP/AD integration, you also need to import LDAP/AD users and groups, see:

Configuring user creation