Implementing Single Sign-On (SSO) via SAML
Zoomdata supports single sign-on (SSO) using the Security Assertion Markup Language (SAML), a secure, XML-based communication standard for authenticating identities between organizations. SAML eliminates the need for a user to create and maintain multiple authentication credentials (that is, passwords) for different websites. Instead, by leveraging SAML, a user authenticates one time using a secure site (known as the 'Identity Provider' or 'IDP') that then authorizes access to different applications and services that is linked to the user’s account.
Key points to implementing SAML SSO in an organization’s operating environment:
- Service Providers must subscribe to an IDP service (or implement one internally) and complete a set up process. Since there are many IDPs options, service providers may subscribe to more than one service for the convenience of their users.
- Users need to complete a registration process to be added to your organization’s secured directory including the selection of authentication methods offered by your organization.
- New applications and programs (such as Zoomdata) must be integrated into your organization’s existing security protocols.
- Authentication approval from the IDP is limited to a single use and there is a time limit for access.
Preparing to Integrate Zoomdata into Your SAML-Enabled Network
If your organization already has SAML SSO integrated into the operating environment, Zoomdata can be added to your list of secured applications and programs. Zoomdata supports the SAML 2.0 security protocol. Zoomdata provides the following security functionality using SAML: (1) user authentication, (2) group mappings, and (3) account level synchronization of users and groups in Zoomdata. Your organization’s Security Administrator or IT Manager responsible for network security may need to be involved if the Zoomdata Administrator does not have account access to your IDP.
|Zoomdata can only support one IDP account. If your organization uses multiple IDP accounts, select one that will connect with Zoomdata.|
Prior to set up, Zoomdata recommends checking to ensure that Network Time Protocol service is used to synchronize your network with accurate time servers. NTP helps to avoid potential failure by the identity provider to authenticate SAML users.
For more information, see Using the Network Time Protocol.
Zoomdata’s SAML Settings provide mappings for the Group, Email, Account, Active account, and Full Name attributes that allow the Zoomdata Administrator to import these settings directly into Zoomdata’s Users and Groups administrative function.
Zoomdata also supports an SSL connection to SAML. In order to setup using secured SAML, a keystore needs to be generated and saved in the Zoomdata SAML configuration page. The SSL Certificate needs to be uploaded into the keystore file so that Zoomdata can validate the SSL connection. See Configuring Zoomdata to Support SAML for the setup instructions.
The organization’s IDP account needs to be imported into Zoomdata as a Service Provider. This entails importing the IDP’s metadata file when configuring SAML in Zoomdata. After completing all configuration steps, you need to generate Zoomdata’s metadata file so that it can be added to your IDP’s account. Again, if your organization has a dedicated security administrator, contact them to assist in this setup procedure.
|Zoomdata supplies two default users you can use to log into Zoomdata: admin and supervisor. You must log in as the supervisor to access the SAML configuration page. See Supplied User Definitions.|
Keep in mind the following SAML requirements that Zoomdata supports:
- IDP account should support SAML 2.0: Your organization’s IDP needs to support SAML 2.0 in order to successfully add Zoomdata.
- Default Account section: users can be auto-provisioned to a specific account.
Importing users and groups from the IDP into Zoomdata: there are two scenarios to consider for importing users and groups:
- If the user or group profile does not already exist in Zoomdata, they are created the first time that a user logs into Zoomdata. In this case, the profile contains no access privileges and the Zoomdata Administrator needs to set up these profiles.
- If the user or group profile already exist in Zoomdata, the names must be an exact match in order for the IDP profile information to populate the corresponding Zoomdata accounts. For example, if the username “johndoe” is stored in the IDP, the exact same username should be in Zoomdata.
After you have successfully configured and enabled SAML, users and groups imported in this manner can be managed from Zoomdata’s Users and Groups function. For guidance to import and setup these accounts, see Managing User Definitions .
See Configuring Zoomdata to Support SAML for instructions to setup SAML in Zoomdata.