Configuring Zoomdata to Support SAML
This topic describes the steps to configure SAML settings in Zoomdata:
- Obtain the XML metadata file from your organization's SAML Identity Provider (IDP).
- Create a Key File using the Key Tool Generator program.
- Log into Zoomdata as the Supervisor and configure the SAML settings in the Security tab.
- Configure the service provider details in your IDP account that you want accessible by Zoomdata.
- Upload Identity Provider Metadata and add key files to Zoomdata.
- Configure the SAML mappings in Zoomdata.
In addition, there are optional configurations you can set up:
- Customizing the Zoomdata Entity ID
- Configuring the Auto-Redirect to the IDP
- Using the Network Time Protocol to Synchronize Time (avoids potential failure by the identity provider to authenticate SAML users)
- "Using the Network Time Protocol to Synchronize Time" in the online Zoomdata documentation (avoids potential failure by the identity provider to authenticate SAML users)
Obtain Identity Provider Metadata File
To enable Zoomdata to support your organization's identity provider, first obtain the metadata content from your IDP and upload into Zoomdata. Your Security Administrator responsible for managing IDPs can provide this file. Save this metadata file to your local hard drive for uploading into Zoomdata. Refer to the configuration instructions provided below.
The Key File helps you manage a keystore of cryptographic keys and trusted certificates. Generate the Key File using the keytool program available from Oracle. After generating a key file, you are able to import your SSL certificate into the keystore.
After installing the keytool program, take the following steps:
- Run the following command to generate your key:
- Replace localhost with a unique alias (or name) for your Key. This name is used (in the 'Key' field) when you set up SAML in Zoomdata.
- Replace mykeystore with a unique name for your Key Store file. This is the file that is uploaded into Zoomdata.
- The validity flag sets the expiration for the certificate for this key. This value can be changed accordingly based on how long your key is valid before expiring.
- At the prompt, create the keystore password (yourKeyStorePassword) and press Enter.
- For the next prompt, create a key password (yourKeyPassword) and press Enter.
- Enter the following command to import your SSL certificate (valid x.509) into the keystore:
- Replace yourAliasName with a unique name for your certificate.
- Replace yourcertr.cer with the name of your SSL certificate.
- Replace mykeystore with the Key Store filename that you created in Step 1 above.
The Key File is saved to your local hard drive. You will be uploading this Key File into Zoomdata in the configuration instructions provided below.
Step-By-Step Configuration Instructions
Access Zoomdata and take the following steps to configure SAML Settings:
Log in as Supervisor.
Click Supervisor and then select Security. Under Security Services tab, make sure that the SAML SSO service is running. Otherwise, enable it, save your changes, and restart Zoomdata for the changes to take effect.
For more information, see Managing Security Services.
Navigate to the SAML Settings tab.
In the General Settings section enable SAML:
ClickUpload Identity Provider Metadata to upload the IDP's metadata file into Zoomdata.
Specify the base URL to your Zoomdata Server that users will be logging into via SSO. It must be in the following format:
<scheme:>//<server>:<port>/zoomdataIf the base URL is changed after saving these SAML settings, update this field then reboot Zoomdata before downloading the metadata file.
Click Add Key File to upload the Key File (that you generated from the Keytool program).
Enter the following information related to the 'Key' fields:
- Key (alias): the unique alias you created for the Key (for example, we used
- Key Pass (word): your
- Key Store Pass (word): your
- Key (alias): the unique alias you created for the Key (for example, we used
ACTION: Return to your IDP account and configure the service provider information to allow Zoomdata access to the desired attributes (these fields are explained in the next section below):
Required Attribute in Zoomdata: Username
- Active account
- Full Name
Once you have configured the SAML attributes in your IDP account, you can update the SAML mappings:
From the Default Account list select the default account for the new users to be added to if no account mapping attribute is specified.
In the Account Mapping field, specify the SAML attribute which contains the comma separated list of Zoomdata accounts associated with the user to be imported into Zoomdata.
In the Active Account Mapping field, specify the SAML attribute which contains the name of the default Zoomdata account for the user.
In the Login Name Mapping field, specify the name of the attribute that contains user logins (as established in your IDP account). This field is required so that users can be imported into and given access to Zoomdata. The imported values will be used as login names for Zoomdata users.
In the Full Name Mapping field, specify the name of the SAML attribute containing users' full names.
In the Email Mapping field, specify the name of the SAML attribute containing users' emails.
In the Group Mapping field, specify the name of the SAML attribute containing the multivalue list of group names identifying user memberships.
If you want Zoomdata to automatically create groups for users if they don't exist in your environment yet, toggle on Auto Create Groups.
By default, groups created in Zoomdata via SAML does not have any permissions or access to data sources. The Zoomdata Administrator must manually assign privileges to the group. If using ADFS, make sure to add this attribute specified in the Username Mapping field as a claim rule name in ADFS. Otherwise, this attribute is not sent by the identity provider and causes the SAML login to fail. For more information, refer to Issue #4 in our commonly reported SAML issues.
The Group, Email, Account, Active Account, and Full Name Mapping fields are optional. Use these fields if you are looking to automate the setup of user and group attributes in Zoomdata. For information about the mapping options, see Overview of Implementing Single Sign-On via SAML in Zoomdata .
After you have set up all the necessary fields in the Zoomdata SAML Settings page and saved the configuration, the last step is to have Zoomdata generate the metadata file that is imported into your organization's IDP.
Download the metadata file by clicking the corresponding button. The metadata file is an XML file that you upload to your IDP. Successfully enabling SSO in Zoomdata results in a change to the login screen.
If you've already configured the SAML configuration and have made changes to the keystore, restart the Zoomdata server for these changes to take effect.
You still have the option to log into Zoomdata without using single sign-on. Selecting the Show Zoomdata Authentication option lets you log in using your Zoomdata credentials. The first time that users log into Zoomdata via SAML, Zoomdata automatically creates the user profile in the Users and Groups administrative page. In addition, if the user is a member of one or more groups, the Group(s) are also created (as long as the Group Mapping was provided during setup).
Mappings to Custom User Attributes
You can store additional attribute mappings that may be available in your IDP's SAML Assertions file (for example, Address, City, State and Zip Code). To add a custom user attribute, click the corresponding button. Specify the custom user attribute and SAML attribute into the corresponding fields.
- SAML Attribute- the name of the user attribute in the SAML provider
- Custom User Attribute - the name of the attribute Zoomdata displays
- Usage - how the name appears to the user
- Secure - if you want to encrypt specific custom attribute mappings, select this checkbox
If you want to encrypt specific custom attribute mappings, select the Secure checkbox for the required attributes pairs.
Configuring SAML Behind a Load Balancer
You need to configure the settings to work with Zoomdata using SAML if there is unencrypted communication between the proxy and back-end servers and the load balancer is configured to use SSL.
The default configuration parameters are as follows:
saml.lb.enabled=false saml.lb.scheme=https saml.lb.serverName=<www.myserver.com>
For example, for the following front-end URL
https://<myserver.com>/zoomdata, configure the settings in the
zoomdata.properties file as described below:
If your identity provider already contains a service provider using the entity ID 'zoomdata', you can create a unique entity ID for Zoomdata. Also, this is applicable if you have two or more separate Zoomdata instances and your IDP requires unique instance identifiers. To do this, you create an alias in the
Make sure that Base URL, that you specified while configuring SAML settings, is the same that was used for generating the metadata file with the corresponding entityId.
For help on accessing and editing the zoomdata.properties file, see Configuring Your Zoomdata Installation.
SAML can be configured to automatically redirect to the identity provider without prompting you with the Zoomdata login. To configure this, edit the
zoomdata.properties file and add the following parameter:
You can still log into Zoomdata using credentials by navigating your browser to
For guidance on accessing and editing the zoomdata.properties file, see Configuring Your Zoomdata Installation.
For basic SAML troubleshooting, see SAML Troubleshooting. If additional assistance is needed, reach out to our Technical Support team.