RapidMiner provides a convenient Single Sign On (SSO) functionality that integrates seamlessly with any existing Identity Access Management (IAM) platform, using the de facto standard SAML 2.0.
User authentication via SAML 2.0 (Security Assertion Markup Language) provides:
- administrators with a flexible way to configure the set of users who can use RapidMiner Server and to assign the appropriate rights to them.
- users with a convenient way to authenticate themselves, by using their existing corporate Identity Provider (IdP).
When SAML is configured, RapidMiner Server redirects user authentication to an IdP, such as Auth0 or Microsoft Azure Active Directory. The passwords of SAML users are not stored in the database of RapidMiner Server. Instead, login attempts are handled by the IdP, and the IdP responds with a SAML response that carries its authentication decision.
If the login is successful, group membership on RapidMiner Server is assigned based on the configuration of mirror groups and the group memberships provided in the SAML response.
SAML authentication is disabled by default, as it requires some configuration from the administrator.
To use RapidMiner Server with SAML, the following steps are required:
- RapidMiner Server must be set up for HTTPS - see Enabling HTTPS
- The IdP must be configured to properly handle RapidMiner - see Set up IdP for use with RapidMiner below
- RapidMiner must be configured for SAML use - see Enable SAML authentication
- RapidMiner must be configured with mirror groups - see Set up mirror groups configuration
Set up IdP for use with RapidMiner
The setup of RapidMiner Server is described in Enable SAML authentication.
The IdP setup depends on the provider. Below are two common providers with some helpful configuration notes:
Auth0: see https://auth0.com/docs/protocols.saml/saml-idp-generic. Some basic settings for the Application are:
- Application Callback URL: https://SERVER_DNS:PORT/saml/SSO
- Application Type: ‘Regular Web Application’
- Token Endpoint Authentication Method: ‘Post’
- Allowed Callback URLs: https://SERVER_DNS:PORT/saml/SSO
- Allowed Logout URLs: https://SERVER_DNS:PORT/saml/SLO
Microsoft Azure Active Directory: see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Some basic settings for the Application are:
- Redirect URIs Type ‘Web’ - Redirect URI https://SERVER_DNS:PORT/saml/SSO
- Logout URL https://SERVER_DNS:PORT/saml/SLO
- Implicit grant ‘Access tokens’ and ‘ID tokens’ selected.
- In the Manifest include "groupMembershipClaims": "All", underneath the "createdDateTime" key. For more info see https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
- The group values provided to RapidMiner Server in the SAML message for the user in question are the Microsoft Azure Active Directory ObjectIds of the groups, not their display names. The admin must use these ObjectIds, not the group name strings, when mapping between a RapidMiner-defined group and an IdP-provided group. This is important to remember when setting up the mirror groups configuration.
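As an added illustration (not RapidMiner's code), the check an administrator can run against a captured assertion before configuring mirror groups: it reads the group values out of the SAML assertion, confirms they are GUID-shaped ObjectIds rather than names, shows that a mapping keyed by display name matches nothing, and verifies the assertion is addressed to the HTTPS /saml/SSO callback. The sample assertion and both mappings are constructed; the Azure AD group claim URI is an assumption to verify against your own tenant's responses.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim URI Azure AD uses for group membership (assumed; check a real response from your tenant).
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Azure AD ObjectIds are GUIDs; group display names never match this shape.
OBJECT_ID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample assertion (not a real IdP response); the signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://SERVER_DNS:PORT/saml/SSO"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mirror-group mappings: the correct one is keyed by ObjectId, the wrong one by name.
MIRROR_BY_OBJECT_ID = {"11111111-2222-3333-4444-555555555555": "analysts"}
MIRROR_BY_NAME = {"Data Scientists": "analysts"}


def extract_group_ids(assertion_xml):
    """Return the values of the groups claim, in the order the IdP sent them."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AZURE_GROUPS_CLAIM:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def looks_like_object_id(value):
    return OBJECT_ID_RE.match(value) is not None


def recipient_matches(assertion_xml, expected_sso_url):
    """True only if the assertion is addressed to the server's HTTPS /saml/SSO callback."""
    data = ET.fromstring(assertion_xml).find(".//saml:SubjectConfirmationData", NS)
    return data is not None and data.get("Recipient") == expected_sso_url


def resolve_mirror_groups(group_values, mirror_map):
    """Map IdP group values onto local groups and report values no mirror group claims."""
    matched = sorted({mirror_map[v] for v in group_values if v in mirror_map})
    unmapped = [v for v in group_values if v not in mirror_map]
    return {"matched": matched, "unmapped": unmapped}
```

Any value left in "unmapped" after the ObjectId-keyed mapping is a group the IdP grants but RapidMiner Server will ignore, which is worth reviewing before users rely on it.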
- Enable SAML authentication
- Set up mirror groups configuration to automatically manage LDAP/SAML users
- Configure username and group filters to restrict access to RapidMiner Server to only a specific set of LDAP users
- Encrypt the local-security settings
- Enabling HTTPS
- Radoop Proxy can be extended to support this authentication method - see the Radoop Proxy documentation