Configuring Zoomdata to Support SAML
This topic walks you through the following steps to configure SAML settings in Zoomdata:
- Obtain the XML metadata file from your organization's SAML Identity Provider (IDP).
- Create a Key File using the Key Tool Generator program.
- Log into Zoomdata as the supervisor and configure the SAML settings in the Security tab.
- Configure the service provider details in your IDP account that you want accessible by Zoomdata.
- Upload Identity Provider Metadata and add key files to Zoomdata.
- Configure the SAML mappings in Zoomdata.
In addition, there are optional configurations you can set up:
- Customizing the Zoomdata Entity ID
- Configuring the Auto-Redirect to the IDP
- Using the Network Time Protocol to Synchronize Time (avoids potential failure by the identity provider to authenticate SAML users)
- Implementing Single Sign-On (SSO) via SAML
Obtain Identity Provider Metadata File
To enable Zoomdata to support your organization's identity provider, first obtain the metadata content from your IDP and upload into Zoomdata. Your Security Administrator responsible for managing IDPs can provide this file. Save this metadata file to your local hard drive for uploading into Zoomdata. Refer to the configuration instructions provided below.
ACTION: Obtain the XML metadata file from your organization’s IDP (see Figure 1 for an example XML metadata file).
Generate a Key File and Configuring SAML with SSL
The key file helps you manage a keystore of cryptographic keys and trusted certificates. Generate the key file using the keytool program available from Oracle. After generating a key file, you are able to import your SSL certificate into the keystore. Private keys that are used to digitally sign SAML messages along with any SSL/TLS certificates need to be imported into this keystore.
After installing the keytool program, take the following steps:
Run the following command to generate your key:
keytool -genkey -alias <localhost> -keyalg RSA -keystore <mykeystore> .jks -keysize 2048 -validity 7000
<localhost>with a unique alias (or name) for your key. This name is used (in the Key box) when you set up SAML in Zoomdata.
<mykeystore>with a unique name for your keystore file. This is the file that is uploaded into Zoomdata.
- The validity flag sets the expiration for the certificate for this key. This value can be changed accordingly based on how long your key is valid before expiring.
At the prompt, create the keystore password (
<yourKeyStorePassword>) and press Enter.
For the next prompt, create a key password (
<yourKeyPassword)>) and press Enter.
Enter the following command to import your SSL certificate (valid x.509) into the keystore:
keytool -import -trustcacerts -alias <yourAliasName> -file <yourcertr.cer> -keystore <mykeystore>.jks
<yourAliasName>with a unique name for your certificate.
<yourcertr.cer>with the name of your SSL certificate.
<mykeystore>with the keystore filename that you created in Step 1 above.
The key file is saved to your local hard drive. You will upload the key file into Zoomdata in the configuration instructions provided below.
Step-By-Step Configuration Instructions
Access Zoomdata and take the following steps to configure SAML Settings:
Log in as the supervisor.
Click Supervisor and then select Security. On the Security Services tab, make sure that the SAML SSO service is running. Otherwise, enable it, save your changes, and restart Zoomdata for the changes to take effect. For more information, see Enabling or Disabling a Security Service.
Select the SAML Settings tab.
In the General Settings section enable SAML.
Click Upload Identity Provider Metadata to upload the identity provider's (IDP) metadata file into Zoomdata.
Specify the base URL to your Zoomdata Server that users will be logging into via SSO. It must be in the following format:
If the base URL is changed after saving these SAML settings, update this value and then reboot Zoomdata before downloading the metadata file.
Click Add Key File to upload the key file (that you generated from the Keytool program).
Enter the following information in the screen boxes:
- Key (alias): the unique alias you created for the Key (for example, we used
- Key Pass (word): your
- Key Store Pass (word): your
- Key (alias): the unique alias you created for the Key (for example, we used
Return to your IDP account and configure the service provider information to allow Zoomdata access to the following attributes:
Required attribute in Zoomdata: Username
Optional Attributes: Groups, Account, Active account, Email, Full Name
After you have configured the SAML attributes in your IDP account, you can update the Zoomdata SAML mappings.
In the Default Account list, select the default account to which new users should be added if no account mapping attribute is specified.
In the Account Mapping box, specify the SAML attribute that contains the comma separated list of Zoomdata accounts associated with the user to be imported into Zoomdata.
In the Active Account Mapping box, specify the SAML attribute that contains the name of the default Zoomdata account for the user.
In the Login Name Mapping box, specify the name of the attribute that contains user logins (as established in your IDP account). This value is required so that users can be imported into and given access to Zoomdata. The imported values will be used as login names for Zoomdata users.
In the Full Name Mapping box, specify the name of the SAML attribute containing users' full names.
In the Email Mapping box, specify the name of the SAML attribute containing users' emails.
In the Group Mapping box, specify the name of the SAML attribute containing the multivalue list of group names identifying user memberships.
If you want Zoomdata to automatically create groups for users if they don't exist in your environment yet, toggle on Auto Create Groups.
By default, groups created in Zoomdata via SAML does not have any permissions or access to data sources. The Zoomdata Administrator must manually assign privileges to the group. If using ADFS, make sure to add this attribute specified in the Username Mapping box as a claim rule name in ADFS. Otherwise, this attribute is not sent by the identity provider and causes the SAML login to fail. For more information, refer to Issue #4 in our commonly reported SAML issues.
The Group, Email, Account, Active Account, and Full Name Mapping values are optional. Use these values if you are looking to automate the setup of user and group attributes in Zoomdata. For information about the mapping options, see Implementing Single Sign-On (SSO) via SAML.
After you have set up all the necessary information on the Zoomdata SAML Settings page and saved the configuration, the last step is to have Zoomdata generate the metadata file that is imported into your organization's IDP.
Download the metadata file by clicking the corresponding button. The metadata file is an XML file that you upload to your IDP. Successfully enabling SSO in Zoomdata results in a change to the login screen.
If you've already configured the SAML configuration and have made changes to the keystore, restart the Zoomdata server for these changes to take effect.
You still have the option to log into Zoomdata without using single sign-on. Selecting the Show Zoomdata Authentication option lets you log in using your Zoomdata credentials. The first time that users log into Zoomdata via SAML, Zoomdata automatically creates the user profile in the Users and Groups administrative page. In addition, if the user is a member of one or more groups, the Group(s) are also created (as long as the Group Mapping was provided during setup).
Mapping to Custom User Attribute
You can store additional attribute mappings that may be available in your IDP's SAML Assertions file (for example, Address, City, State and Zip Code). To add a custom user attribute, click the corresponding button. Specify the custom user attribute and SAML attribute in the corresponding boxes.
- SAML Attribute- the name of the user attribute in the SAML provider
- Custom User Attribute - the name of the attribute Zoomdata displays
- Usage - how the name appears to the user
- Secure - if you want to encrypt specific custom attribute mappings, select this checkbox
If you want to encrypt specific custom attribute mappings, select the Secure checkbox for the required attributes pairs.
Configuring SAML Behind a Load Balancer
You need to configure the settings to work with Zoomdata using SAML if there is unencrypted communication between the proxy and back-end servers and the load balancer is configured to use SSL.
The default configuration parameters are as follows:
saml.lb.enabled=false saml.lb.scheme=https saml.lb.serverName=<www.myserver.com>
For example, for the following front-end URL
https://<myserver.com>/zoomdata, configure the settings in the
zoomdata.properties file as described below:
If your identity provider already contains a service provider using the entity ID 'zoomdata', you can create a unique entity ID for Zoomdata. Also, this is applicable if you have two or more separate Zoomdata instances and your IDP requires unique instance identifiers. To do this, you create an alias in the
zoomdata.properties file using:
Make sure that the base URL you specified while configuring SAML settings is the same as was used for generating the metadata file with the corresponding entityId.
For help on accessing and editing the
zoomdata.properties file, see Configuring Your Zoomdata Installation.
SAML can be configured to automatically redirect to the identity provider without prompting you with the Zoomdata login. To configure this, edit the
zoomdata.properties file and add the following parameter:
You can still log into Zoomdata using credentials by navigating your browser to
For guidance on accessing and editing the zoomdata.properties file, see Configuring Your Zoomdata Installation.
For basic SAML troubleshooting, see Basic SAML Troubleshooting. If additional assistance is needed, reach out to our Technical Support team.