Single sign-on

Graphlytic supports Single sign-on integration with external Identity Providers using the SAML2 protocol.

How it works

When the SAML2 integration is enabled (configured in graphlytic.conf or using environment variables) the Login page includes an SSO login option (title of the button is configurable).


After clicking on the "External SSO" option the user is redirected to the login page of the IdP.

After successful login on the IdP side and redirect back to the Graphlytic application the user is logged into the application with these possible scenarios:

  1. The user already exists in Graphlytic: the user is logged into the application and the user's group memberships are updated according to the information received from the IdP and the mapping defined in the SAML2 integration configuration.

  2. The user does not yet exist in Graphlytic: the user is created (if the licensed number of users has not been reached yet) and the user's group memberships are set according to the information received from the IdP and the mapping defined in the SAML2 integration configuration.

Configuration

In order to enable the SAML2 integration, add these properties to the graphlytic.conf file:

Property | Example value | Description

SAML2 IdP connection

saml2.idpid.name | External SSO | Title of the Login page button.
saml2.idpid.certificate.signing | /usr/local/graphlytic/conf/idp-pub | Path to the IdP certificate used to verify signatures.
saml2.idpid.certificate.encryption | /usr/local/graphlytic/conf/enc-pub | Path to the IdP certificate for encryption. Can be empty for no encryption.
saml2.idpid.entity.remote | active_directory_id | The IdP entity identifier (Entity ID).
saml2.idpid.entity.local | graphlytic_idp_id | The local application (Graphlytic) ID for IdP communication. Has to be created in the IdP configuration.
saml2.idpid.webSsoUrl | https://idp_url_for_login.com/sso | Login redirect URL. The user is redirected to this location during the login workflow.
saml2.idpid.groupClaim | http://wso2.org/claims/role | The claim name in the returned XML that carries the user's group memberships.
saml2.idpid.defaultGroup | Name_of_the_group | Name of a Graphlytic user group that is used if no mapping was successful. If defaultGroup is not configured or the group does not exist in Graphlytic, such a user (who would have no user groups) is not created in Graphlytic (to minimize license consumption).

Group mapping

saml2.idpid.groups.SomeActiveDirGroup | gl-administrators | Group mapping "SomeActiveDirGroup" >> "gl-administrators"
saml2.idpid.groups.OtherActiveDirGroup | custom-gl-group | Group mapping "OtherActiveDirGroup" >> "custom-gl-group"

Example

# SAML2 IdP connection
saml2.idpid.name=External SSO
saml2.idpid.certificate.signing=c:/usr/local/graphlytic/conf/idp-pub
saml2.idpid.certificate.encryption=
saml2.idpid.entity.remote=active_directory_id
saml2.idpid.entity.local=graphlytic_idp_id
saml2.idpid.webSsoUrl=https://idp_url_for_login.com/sso
saml2.idpid.groupClaim=http://wso2.org/claims/role
saml2.idpid.defaultGroup=Name_of_the_group

# Group mapping
saml2.idpid.groups.SomeActiveDirGroup=gl-administrators
saml2.idpid.groups.OtherActiveDirGroup=custom-gl-group
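The following is an added illustration of the group mapping and defaultGroup rules described above, not Graphlytic's own code: it reads the group claim out of a constructed, unsigned SAML2 attribute statement and applies the saml2.idpid.groups.* mapping; the way the properties are parsed and the shape of the IdP's attribute statement are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML2 assertion namespace
GROUP_PREFIX = "saml2.idpid.groups."

# Constructed properties, mirroring the example above (parsing them this way is an assumption).
CONFIG = {
    "saml2.idpid.groupClaim": "http://wso2.org/claims/role",
    "saml2.idpid.defaultGroup": "Name_of_the_group",
    "saml2.idpid.groups.SomeActiveDirGroup": "gl-administrators",
    "saml2.idpid.groups.OtherActiveDirGroup": "custom-gl-group",
}
# Constructed set of user groups that exist in Graphlytic.
EXISTING_GROUPS = {"gl-administrators", "custom-gl-group", "Name_of_the_group"}

# Constructed, unsigned attribute statement as an IdP might return it. In the real
# flow the signature is verified against saml2.idpid.certificate.signing first.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>SomeActiveDirGroup</saml:AttributeValue>
      <saml:AttributeValue>Internal/everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claim_values(assertion_xml, claim):
    """Collect all values of one attribute (the group claim) from the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values

def resolve_groups(config, existing_groups, idp_groups):
    """Map IdP groups via saml2.idpid.groups.*; fall back to defaultGroup.
    Returns (groups, create_user); create_user is False when the user would have
    no group, which the page says means the account is not created."""
    mapping = {k[len(GROUP_PREFIX):]: v for k, v in config.items() if k.startswith(GROUP_PREFIX)}
    groups = sorted({mapping[g] for g in idp_groups if g in mapping})
    if not groups:
        default = config.get("saml2.idpid.defaultGroup")
        if default and default in existing_groups:
            groups = [default]
    return groups, bool(groups)
```

Unmapped IdP groups such as "Internal/everyone" are ignored; only when nothing maps does defaultGroup decide whether the user gets a group at all.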