Single sign-on
Graphlytic supports single sign-on (SSO) with external Identity Providers (IdPs) using the SAML2 protocol.
How it works
When the SAML2 integration is enabled (configured in graphlytic.conf or through environment variables), the Login page shows an additional SSO login button (the button title is configurable).
After clicking the SSO button ("External SSO" in the example below) the user is redirected to the login page of the IdP.
After a successful login on the IdP side the user is redirected back to Graphlytic and logged in. Two scenarios are possible:
The user already exists in Graphlytic: the user is logged in and their user group membership is updated according to the group information received from the IdP and the mapping defined in the SAML2 integration configuration.
The user does not exist in Graphlytic yet: the user is created (if the licensed number of users has not been reached) and their user group membership is set according to the group information received from the IdP and the mapping defined in the SAML2 integration configuration.
Configuration
To enable the SAML2 integration, add these properties to the graphlytic.conf file:
Property | Example value | Description
--- | --- | ---
SAML2 IdP connection | |
saml2.idpid.name | External SSO | Title of the SSO button on the Login page.
saml2.idpid.certificate.signing | /usr/local/graphlytic/conf/idp-pub | Path to the IdP signing certificate. It is used to verify the signature of the SAML responses received from the IdP.
saml2.idpid.certificate.encryption | /usr/local/graphlytic/conf/enc-pub | Path to the IdP certificate used for encryption. Leave empty if encryption is not used.
saml2.idpid.entity.remote | active_directory_id | The IdP entity identifier (Entity ID).
saml2.idpid.entity.local | graphlytic_idp_id | The Entity ID under which Graphlytic identifies itself to the IdP. The same value has to be registered in the IdP configuration.
saml2.idpid.webSsoUrl | https://idp_url_for_login.com/sso | Login redirect URL of the IdP. The user is redirected to this location during the login workflow.
saml2.idpid.groupClaim | http://wso2.org/claims/role | Name of the claim (SAML attribute) in the returned XML that carries the user's IdP groups. Its values are matched against the group mapping below.
saml2.idpid.defaultGroup | Name_of_the_group | Name of a Graphlytic user group that is assigned when none of the group mappings match. If defaultGroup is not configured, or the group does not exist in Graphlytic, a user who would end up with no user groups is not created (to minimize license consumption).
Group mapping | |
saml2.idpid.groups.SomeActiveDirGroup | gl-administrators | Group mapping "SomeActiveDirGroup" >> "gl-administrators"
saml2.idpid.groups.OtherActiveDirGroup | custom-gl-group | Group mapping "OtherActiveDirGroup" >> "custom-gl-group"
Example
# SAML2 IdP connection
saml2.idpid.name=External SSO
saml2.idpid.certificate.signing=/usr/local/graphlytic/conf/idp-pub
saml2.idpid.certificate.encryption=
saml2.idpid.entity.remote=active_directory_id
saml2.idpid.entity.local=graphlytic_idp_id
saml2.idpid.webSsoUrl=https://idp_url_for_login.com/sso
saml2.idpid.groupClaim=http://wso2.org/claims/role
saml2.idpid.defaultGroup=Name_of_the_group
# Group mapping
saml2.idpid.groups.SomeActiveDirGroup=gl-administrators
saml2.idpid.groups.OtherActiveDirGroup=custom-gl-group
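The following is an added example, not Graphlytic's own code: it models the login scenarios from "How it works" and the group-mapping and defaultGroup rules from the configuration table above. It parses a graphlytic.conf fragment (a constructed copy of the example, with the defaultGroup named gl-users), extracts the group attribute from a constructed SAML assertion, and resolves the Graphlytic groups a user would receive, including the case where no mapping matches and the user is not created. Signature verification against saml2.idpid.certificate.signing and decryption are deliberately out of scope here; the assertion must be verified before any of its attribute values are trusted.

```python
"""Model of the SAML2 group-mapping rules described on the Graphlytic SSO page.

Illustrative code only (not the product's implementation). The conf fragment and
the SAML assertion below are constructed sample inputs. The code does NOT verify
the assertion signature; a real service provider must do that first.
"""
import xml.etree.ElementTree as ET

# Constructed graphlytic.conf fragment (defaultGroup "gl-users" is an assumed name).
SAMPLE_CONF = """\
# SAML2 IdP connection
saml2.idpid.name=External SSO
saml2.idpid.certificate.signing=/usr/local/graphlytic/conf/idp-pub
saml2.idpid.certificate.encryption=
saml2.idpid.entity.remote=active_directory_id
saml2.idpid.entity.local=graphlytic_idp_id
saml2.idpid.webSsoUrl=https://idp_url_for_login.com/sso
saml2.idpid.groupClaim=http://wso2.org/claims/role
saml2.idpid.defaultGroup=gl-users
# Group mapping
saml2.idpid.groups.SomeActiveDirGroup=gl-administrators
saml2.idpid.groups.OtherActiveDirGroup=custom-gl-group
"""

# Constructed SAML 2.0 assertion: one mapped group, one group with no mapping.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>active_directory_id</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>OtherActiveDirGroup</saml:AttributeValue>
      <saml:AttributeValue>UnmappedGroup</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value lines, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_mappings(props, idp="idpid"):
    """Return {IdP group name: Graphlytic group} from the saml2.<idp>.groups.* keys."""
    prefix = f"saml2.{idp}.groups."
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def check_issuer(assertion_xml, props, idp="idpid"):
    """True if the assertion Issuer equals the configured IdP Entity ID (entity.remote)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return issuer == props.get(f"saml2.{idp}.entity.remote")


def idp_groups_from_assertion(assertion_xml, claim_name):
    """Collect every AttributeValue of the Attribute whose Name equals claim_name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def resolve_user_groups(props, idp_groups, existing_groups, idp="idpid"):
    """Apply the page's rules: mapped groups win; otherwise defaultGroup if it exists
    in Graphlytic; otherwise None, meaning the user gets no groups / is not created."""
    mapping = group_mappings(props, idp)
    groups = sorted({mapping[g] for g in idp_groups if g in mapping})
    if groups:
        return groups
    default = props.get(f"saml2.{idp}.defaultGroup", "")
    if default and default in existing_groups:
        return [default]
    return None


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONF)
    assert check_issuer(ASSERTION, props), "assertion issued by an unexpected IdP"
    idp_groups = idp_groups_from_assertion(ASSERTION, props["saml2.idpid.groupClaim"])
    print("IdP groups:", idp_groups)
    print("Graphlytic groups:", resolve_user_groups(props, idp_groups, {"custom-gl-group", "gl-users"}))
```

The issuer check is a standard SAML consistency check, added here to show where entity.remote is used; it is not a substitute for signature verification. Note that any IdP group value without a mapping is silently dropped, so a user whose only IdP groups are unmapped lands in defaultGroup: keep that group minimally privileged, and never point it at gl-administrators.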