Configuring single sign-on
Overview
Continuous Data and Continuous Compliance Engines above version 5.3.3 support authentication via the SAML 2.0 standard (SP initiated and IdP initiated).
This page provides instructions on how to set up Single Sign-on (SSO) on the Data Engine. Single Log-out (SLO) is not supported. This means that logging out of a Data Engine will not terminate sessions on other Data Engines, nor will it terminate the IdP session.
Identity provider configuration
The steps to configure an Identity Provider (IdP) are specific to each IdP product (e.g. Okta, OneLogin, PingFederate). The terminology may vary, but one SAML 2.0 application (or SP connection) will need to be created for each Data Engine. The engine does not expose a metadata document. The following attributes must be entered:
ACS URL (Assertion Consumer Service URL):
http(s)://<delphix-engine>/sso/response
Delphix strongly recommends that HTTPS is used instead of HTTP for all UI and API communication with the Data Engine. For HTTPS or the automatic HTTP to HTTPS redirect, use the
https://
scheme in the ACS URL, otherwise use thehttp://
scheme. Refer to the CLI Cookbook: Changing HTTP and HTTPS web connections page on how to set up HTTPS.
SAML Bindings: Data Engines support the POST and redirect bindings.
Audience Restriction (SP entity ID, Partner’s Entity ID): The audience restriction must be set to the entity id configured in the Delphix Server via the Delphix Setup (see below). The default value is
https://<Delphix Server ID>
where <Delphix Server ID> is a 36-character hexadecimal string of the form xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx. See the Determining the Delphix Server ID and Host Name for more on the Delphix Server ID.If the Data Engine does not exist or is unreachable, enter a temporary value (such as
delphix-sp-id
) to later be replaced by the actual Delphix Server ID.
Signature policy: The Data Engine does not sign authentication requests; it requires that either the responses, assertions, or both are signed.
Name ID: The SAML
NameID
attribute must be set to the email address of the user. See the User management when SSO is enabled section below for more information.
The SP initiated flow must be enabled in the IDP.
New engine configuration
Follow this procedure when installing a new Data Engine.
Connect to the Data Engine at
http://<DataEngine>/login/index.html#serverSetup
. The Delphix Setup application will launch when connecting to the server.Enter the sysadmin login credentials; this account has a default username of sysadmin and password of sysadmin.
In the Authentication step of the Delphix Setup wizard, check the use SAML/SSO box and enter the required information:
The entity id is a unique identifier of the Data Engine for SSO providers. The default value is https://<Delphix Server ID>, where <Delphix Server ID> is a 36-character hyphen-separated string in the form of 8 chars, 4 chars, 4 chars, 4 chars, and 12 chars (e.g.
00000000-0000-00aa-aa00-0000aa0000aa
). This is just an identifier; there is no resource at that URL. This value can be changed to any string, but note that some identify providers require this to have a URL format.The IdP metadata is an XML document that must be exported from the application created in the IdP (see the Identity provider configuration section above).
Optional Advanced settings include the response skew time, which is the maximum time difference allowed between a SAML response and the engine's current time, in seconds. If not set, it defaults to 120 seconds. The maximum age of IdP authentication indicates how far in the past to accept authentications to the identity provider, in seconds. If not set, it defaults to 86,400 seconds (one day).
Complete the remaining setup steps as usual.
Existing engine configuration
Follow this procedure to enable SSO on an already configured engine.
Connect to the Data Engine at
http://>>
. The Delphix Setup application will launch once connected to the server.Enter the sysadmin login credentials.
In the Authentication tile, select Modify.
In the Authentication dialog, check the use SAML/SSO box, then enter the entity id (if not using the default), IdP metadata, and the optional advanced time settings (described in the New engine configuration section).
Engine type
If this is an upgraded engine, make sure the engine type is set from the banner of the ServerSetup application dashboard.
User management when SSO is enabled
Access to the Delphix Setup application is not affected by the use of SSO, it only affects access to the Delphix Management Application and Compliance Application. When SSO is enabled, authentication to the Delphix Management Application or Compliance Application UIs are performed via SAML/SSO instead of a combination of username and password. Non-administrators can no longer change their email address.
An administrator must create a Delphix user for each user to whom access via SSO must be granted. The Delphix user can be used to assign roles and permissions. The email address of the Delphix user is used to match users authenticated via SAML/SSO and must be set to the exact value defined in the IdP. This same value is used in the NameID
attribute of the SAML response. Supported NameID
formats are as follows.
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If multiple Delphix users share an email address, all Delphix users will have access to the SAML/SSO session.
Once SSO is enabled, usernames and passwords (LDAP or locally stored) still need to be used for API access, and newly created user will have API access disabled by default.
API access
Neither the API access for use in scripts and integrations nor the Continuous Data CLI access requires SSO. Instead, username and password (optionally with LDAP integration) authentication must be used for API or CLI access. When SSO is enabled on a Data Engine, new users by default will have no API access and no password. Administrators can enable API access for any user through the User Management or Masking UIs. The user’s password or LDAP credentials are used for API authentication.
Users created before enabling SSO will maintain their API access. Users with API access but no email address are useful for scripts or integration via the API – they cannot be used to log in via the UI. When SSO is enabled, only administrators can change or set email addresses.
A user with API access may also log in via SAML into an SSO-enabled engine through the UI when they have an email set.
Troubleshooting
If authentication via SSO fails with a message stating that the issue time is either too old or in the future, the error is due to the time on the Data Engine not being in sync with the time of the Identity Provider server. If the time on the Data Engine is not correct, correct the time settings manually or configure NTP. Alternatively, update the response skew time parameter (see the Existing engine configuration section).
If authentication via SSO fails with a message stating that the authentication to the Identity Provider is too old, re-authenticate with the identity provider or adjust the maximum age parameter (see the Existing engine configuration section).