Categories

Versions

You are viewing the RapidMiner Server documentation for version 9.4 - Check here for latest version

Enable SAML authentication

Identity Provider Settings

The Identity Provider (IdP) must be set up to provide the property Redirect URIs on successful logins to https://host:port/saml/SSO

The IdP can provide a logout URL redirection to https://host:port/saml/SLO

See SAML authentication - Set up IdP for use with RapidMiner for more details.

Changing SAML settings

By default, SAML authentication for RapidMiner Server is disabled. If you want to enable it, you need to modify the property file local-security.properties, located in the in the /configuration subfolder of your RapidMiner Server home directory, and restart RapidMiner Server.

System environment variables can be referenced by using the ${env} notation in the value field (i.e. saml.metadata.idp.filePath=file:/${SAML_DIR}/idp.xml ). See standalone.conf file for complete list of environment variables created at startup, useful environment variables to utilize here could be ${rmserver.home.dir}, ${rapidminer.user-home}, and ${jboss.server.config.dir}.

System environment variables can replace properties simply by defining them with the same name on the system and removing (or commenting out) the property from the file.

#
# Properties for using SAML authentication with RapidMiner Server
#
# Quick SAML abbreviations:
# - IdP - Identity Provider. It is a 3rd party application responsible for the authentication
# - SP - Service Provider. Any application which uses the IdP to authenticate a user which tries to
#                          access a resource protected by this service. 
#              In this context RapidMiner Server is an SP
#

#
# Authentication source defines fundamental behaviour of RapidMiner Server
# It decides authentication experience and the identity source 
# (primary source of checking the user credentials and organisational group membership information)
#
# DB          - Unauthenticated user will be displayed a form based login and DB or direct LDAP connection
#               will act as an the identity store
# SAML        - Unauthenticated user will be immediately displayed an login screen of an IdP
#               (to which RapidMiner server is registered to) and
#               solely the IdP is responsible to act as an the identity store
# DB_AND_SAML - Mixed mode. Unauthenticated user will be displayed a form based login where he 
#       has the option to choose between DB/LDAP or SAML experience. This mode is for experimenting 
#       with SAML configuration and helping the transition from DB/LDAP to SAML mode. 
#       It is not recommended to use this mode in production
#
# Default value is 'DB' to preserve backward compatibility with versions prior to 9.3.0
#
rmserver.authentication.source=SAML

#
# Authentication strategy used to fetch the information details of a logged in user
# useLocalProfile - Existing user accounts are going to be mapped by user email addresses so need to 
#           have a user established RapidMiner Server first (with the correct the email address) 
#           to allow access.  The user account on RapidMiner server needs to also have correct 
#           permission/group established. This is a 'read only' setup thus new users will not be 
#           created in RapidMiner Server upon login but rather access will be denied. 
#           (Default setting)
#
# syncOnLogon     - Mirror user locally by syncing there personal details (user unique id, displayable user
#           name, email address and organisational group membership) from IdP after successful login.
#                   Details of the user is fetched solely from the SAML response message and only during login.
#                   New users are created upon first successful login. With their privileges either mirrored 
#           based on predefined organisational group <-> privileges mappings or static privileges 
#           setup 
#           (for RapidMiner Server groups which have enabled the setting of all new user membership)
#
saml.userDetails.implementation=syncOnLogon

#   
# SamlUser mappers
# nameIdMapper - figures out username from userNameAttribute and replaces illegal 
# characters with 'saml.userDetails.mapping.legalReplacement' value
# emailAttributeMapper - figures out username userNameAttribute assumes format of <username>@<domain>
# userNameAttributeMapper -figures out username from userNameAttribute 
#
saml.userDetails.mapping.implementation=emailAttributeMapper

#
# if saml.userDetails.mapping.implementation=emailAttributeMapper then 
# username is taken from the userNameAttribute assumes form <username>@<domain>
# true - drops the '@<domain>' for user name usage
# false - keeps the full string without removing
#
saml.userDetails.mapping.trimEmailDomain=true

#
# Attribute to use to find userName in the SAML message
#
saml.userDetails.mapping.userNameAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

#
# Attribute to use to find the user email in the SAML message
#
saml.userDetails.mapping.emailAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

#
# Attribute to use to find the user display name in the SAML message
#
saml.userDetails.mapping.displayNameAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

#
# Attribute to use to find the users assigned groups in the SAML message
#
saml.userDetails.mapping.groupsAttribute=http://schemas.xmlsoap.org/claims/Group

#
# Replace black listed characters in username, when this is set to true
#   Blacklisted charactors are '/\:<>*?"|'
#
saml.userDetails.mapping.replaceBlacklistCharsInUserName=true

#
# Replacement character to use when saml.userDetails.mapping.replaceBlacklistCharsInUserName is true
#
saml.userDetails.mapping.legalReplacement=!


#
# Uniform Resource Name of the Service Provider to identify requester of the authentication to the IdP
#
# Microsoft Azure Active Directory - Value can be taken from 
#  the App registration 'Application (client) ID' field just
#  need to append 'spn:' to the string
# Can also pulli an identifierUris in the form of 'api://<Application (client) ID>'
# or
# urn:<entity id>
#
saml.metadata.sp.entityId=

#   
# the servers base URL exposed to the user
#
saml.metadata.sp.entityBaseURL=http(s)://host:port

#
# When true generated metadata will be signed using key specified in 'jksKeyManager'
# default value is false
#
saml.metadata.sp.signMetadata=false

#
# Unique identifier of the service provider
# normally starts with 'urn:'
#
saml.metadata.idp.entityId=

#
# full filePath in URL form (i.e 'file:/') of the IdP information
#
saml.metadata.idp.filePath=file:///C:/configuration/idp.xml

#
# Enable functionality for storing public certificates of the IdP and 
# private key of the Service Provider (SP)
# Available options:
# nullKeyManager - an empty functionality for non SAML enabled RapidMiner Server 
#          deployments (this is the default)
# jksKeyManager  - Java Key Store (JKS) based implementation. Choose this if SAML is required
#
saml.keyManager.implementation=jksKeyManager

#
# The following properties are defining the access to the security information required by JKS KeyManager 
# when saml.keyManager.implementation is set to 'jksKeyManager', else values are ignored.
# keys are prefixed with 'saml.jksKeyManager.*'
#
# keyStore.filePath - Location of the keyStore expected to be a .jks file accessible 
#              for the RapidMiner Server
# keyStore.password - Password to use to access the JKS key store with
# key.sp.alias - A simple string alias which refers to the private key of the SP within the JKS file
# key.sp.password - Password to use to access the private key with (within the JKS key store)
#
saml.jksKeyManager.keyStore.filePath=file:///C:/configuration/jksfile.jks
saml.jksKeyManager.keyStore.password=JKS_PASS
saml.jksKeyManager.key.sp.alias=alias
saml.jksKeyManager.key.sp.password=ALIAS_PASS

#
# Should the logout request/response be signed
# The Certificate Authority (CA) and signing keys need to be in the
# JKS via the saml.jksKeyManager properties
#
saml.metadata.idp.requireLogoutRequestSigned=false
saml.metadata.idp.requireLogoutResponseSigned=false

#
# Maximum time between users authentication and processing of the response message
# default value is 7200 seconds
#
saml.profiles.maxAuthenticationAge=7200

#
# Maximum time between assertion creation and current time when the assertion is usable
# default value is 3000 seconds
#
saml.profiles.maxAssertionTime=3000

#
# Maximum time from response creation when the message is deemed valid.
# in place to handle potional clock skew between client and server
# default value is 60 seconds
#
saml.profiles.responseSkew=60

#
# Determines if all SAML messages should be logged 
# by the 'org.springframework.security.saml.log.SAMLDefaultLogger'
# default value is true
#
saml.audit.logMessages=true

#
# Determines if only error messages should be logged 
# by the 'org.springframework.security.saml.log.SAMLDefaultLogger'
#   this has no affect if saml.audit.logMessages is true
# default value is true
#
saml.audit.logErrors=true

The content of the property file depends on your environment. In the following we list two example configurations for different authentication providers.

rmserver.authentication.source=SAML

saml.userDetails.implementation=syncOnLogon

saml.userDetails.mapping.implementation=emailAttributeMapper
saml.userDetails.mapping.trimEmailDomain=true
saml.userDetails.mapping.userNameAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
saml.userDetails.mapping.emailAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
saml.userDetails.mapping.displayNameAttribute=http://schemas.microsoft.com/identity/claims/displayname
saml.userDetails.mapping.groupsAttribute=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

saml.metadata.sp.entityId=spn:1c2aa34e-dd56-7894-a98d-49089522a383
saml.metadata.sp.entityBaseURL=https://localhost:8443
saml.metadata.idp.entityId=https://sts.windows.net/c9ceead9-9ea8-34a3-8a54-31b4bf4c0fb2/
saml.metadata.idp.filePath=file:/rmserver/configuration/idp.xml

saml.keyManager.implementation=jksKeyManager

saml.jksKeyManager.keyStore.filePath=file:/rmserver/configuration/samlsp.jks
saml.jksKeyManager.keyStore.password=changeit
saml.jksKeyManager.key.sp.alias=samlsp
saml.jksKeyManager.key.sp.password=changeit

#
# Finetune timeouts tailored for MSAD
#
# maxAuthenticationAge tells how old a user credential exchange can be to be accepted by SP 
# from the IdP-s response
#
# Normally we do not want to limit IdP-s decision if the SAMLResponse is otherwise fresh
#
# Biggest observed authentication age was two months (probably there can be bigger ones) 
# so setting this to 1 year in seconds
#
saml.profiles.maxAuthenticationAge=31536000

#
# enable or disable LDAP authentication
#
ldap.enabled=falset.enabled=false
rmserver.authentication.source=DB_AND_SAML

saml.userDetails.implementation=syncOnLogon

saml.userDetails.mapping.implementation=emailAttributeMapper
saml.userDetails.mapping.trimEmailDomain=true
saml.userDetails.mapping.userNameAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
saml.userDetails.mapping.emailAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
saml.userDetails.mapping.displayNameAttribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
saml.userDetails.mapping.groupsAttribute=http://schemas.xmlsoap.org/claims/Group


saml.metadata.sp.entityId=urn:sp.auth0demo.com
saml.metadata.sp.entityBaseURL=https://localhost:4443
saml.metadata.idp.entityId=urn:something.auth0.com
saml.metadata.idp.filePath=file:/rapidminer-home/configuration/idp.xml

saml.keyManager.implementation=jksKeyManager

saml.jksKeyManager.keyStore.filePath=file:/rapidminer-home/configuration/samlsp.jks
saml.jksKeyManager.keyStore.password=changeit
saml.jksKeyManager.key.sp.alias=samlsp
saml.jksKeyManager.key.sp.password=changeit

ldap.enabled=true

ldap.providerUrl=ldap://localhost:9389/dc=example,dc=org

ldap.user=cn=admin,dc=example,dc=org
ldap.password=changeit

# search settings
ldap.search.base=ou=rnd_department
ldap.search.filter=(&(objectClass=inetOrgPerson)(uid={0}))

# group properties
ldap.group.roleAttribute=ou

# user properties
ldap.user.displayNameAttribute=cn
ldap.user.emailAttribute=email

ldap.cache.timeout=60

ldap.connection.timeout=10000

During the initial setup phase of SAML, it might be helpful to have a look at login messages and errors. To enable logging these to the console output of RapidMiner Server, you need to edit the standalone.xml located in the standalone/configuration folder of your RapidMiner Server installation. Find the <subsystem xmlns="urn:jboss:domain:logging:1.5"> entry and change the level of the <console-handler name="CONSOLE"> to DEBUG. Note that by default, these messages are already logged to the server.log located in the standalone/log folder of RapidMiner Server.

SAML Authentication also logs to a custom log file in log directory called authentication-audit.log.

See Authentication Audit Logging for more info..

See JBoss Best Practices/Logging for more info on log levels..

You can also encrypt the content of your local-security.properties. Look here to find out how.