Comment: Updated with 9.7 authentication improvements

...

Prepare for SAML implementation


Before setting up SAML within Yellowfin, make sure you have a good understanding of the fields you’ll be required to address. The tables below provide further details for each of the fields.

...

Each parameter is listed with its description, whether it is required, and its default value.

Service Provider SSO URL
  Description: The Single Sign On (SSO) endpoint URL that your IdP will use to reach the Yellowfin login page. This is typically your external base URL followed by /SAMLLogin.i4
  Required?: Required
  Default: ext_base_url/SAMLLogin.i4

Audience Restriction
  Description: This is sometimes referred to as the ‘Service Provider Entity Id’ or ‘Issuer Id’. It's the identifier of the Yellowfin SAML service. This is typically your external base URL followed by /SAMLMetadata.i4
  Required?: Required
  Default: ext_base_url/SAMLMetadata.i4

Encryption Certificate
  Description: This certificate is used by the IdP to encrypt traffic going to Yellowfin. As mentioned earlier on this page, you must generate your own SSL key pair and provide the encryption certificate here.
  Required?: Required if the toggle for Incoming Requests Encrypted is enabled
  Default: None

...

Identity Provider EntityId
  Description: Sometimes referred to as the ‘audience URI’ or ‘audience restriction’, this identifies the entity of the service provider. This is typically in the format of <your_idp_domain>/<sp_id>, for example www.okta.com/ekti172b2ac0843Xf
  Required?: Required
  Default: None

Identity Provider SSO URL
  Description: The Single Sign On (SSO) endpoint URL of the SAML identity provider, which your IdP should display clearly within their own configuration page. This is in the format of <your_sso_domain>/<path_to_idp_sso_login>, for example login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/sso
  Required?: Required
  Default: None

Identity Provider Certificate
  Description: This certificate decrypts requests from the identity provider. Your identity provider should make this certificate obvious in their configuration.
  Required?: Required
  Default: None

Incoming Certificate Verification Algorithm
  Description: This algorithm verifies the incoming identity provider certificate. Choose from three different hash lengths to match whatever your incoming certificate uses:
    • SHA256
    • SHA384
    • SHA512
  Required?: Required
  Default: SHA256

Incoming Requests Encrypted
  Description: This toggle dictates whether incoming SAML requests will be encrypted by the identity provider. Switch on for higher security.
  Required?: Toggle
  Default: Off

Identity Provider SLO URL
  Description: The Single Logout (SLO) endpoint URL of the SAML identity provider, which your IdP should display clearly within their own configuration page. This option tells Yellowfin where to point SLO responses. This is in the format of <your_slo_domain>/<path_to_idp_slo_logout>, for example login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/slo
  Required?: Required
  Default: None

Identity Provider SLO URL Response
  Description: This is an optional parameter which is only required if your IdP's endpoint for SLO responses is not the same as the one it uses for SLO requests. If nothing is entered, Yellowfin will use the URL entered in the Identity Provider SLO URL field. This is in the format of <your_slo_domain>/<path_to_idp_slo_logout_response>, for example login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/sloresponse
  Required?: Optional
  Default: None

Service Provider Private Key
  Description: This private key decrypts incoming encrypted SAML requests from the identity provider. As mentioned earlier on this page, you must generate your own SSL key pair and provide the private key here.
  Required?: Required
  Default: None

Service Provider Certificate
  Description: This certificate verifies incoming encrypted SAML requests from the identity provider. As mentioned earlier on this page, you must generate your own SSL key pair and provide the encryption certificate here.
  Required?: Required
  Default: None

Signature Algorithm
  Description: This algorithm verifies the incoming identity provider certificate. Choose from three different hash lengths to match whatever your incoming certificate uses:
    • RSA-SHA256
    • RSA-SHA384
    • RSA-SHA512
  If you're not sure, use the default.
  Required?: Required
  Default: RSA-SHA256

Digest Algorithm
  Description: This algorithm verifies the incoming identity provider certificate. Choose from three different hash lengths to match whatever your incoming certificate uses:
    • SHA256
    • SHA384
    • SHA512
  If you're not sure, use the default.
  Required?: Required
  Default: SHA256


UserId Attribute
  Description: This field holds the Yellowfin user ID (typically a username or an email field, depending on your system configuration).
  Required?: Required
  Default: None

Client Reference Id Attribute
  Description: This parameter provides the location of the Client Reference Id of the client org that the user belongs to. Normally, this is either left blank or set to ‘1’ for Yellowfin instances that have no related client orgs.
  Required?: Not required
  Default: None

SSO Entry Options Attribute
  Description: This parameter takes the SAML attribute that holds a comma-separated list of web service session parameter values to be passed to the session created by the SAML SSO process, for example to automatically direct the user to a particular page. Leave blank to direct the user to their default entry page. See the Customize data with CustomParameters and Parameters section for more details and an example.
  Required?: Not required
  Default: None

Custom Session Parameter Attribute
  Description: This parameter allows options that can be passed via the Parameters option on an SSO web service call to be passed to the session created by the SAML SSO process. This is attribute-based and can apply to individual users. Leave blank if there is no custom data to pass.
  Required?: Not required
  Default: None

Onboard New Users
  Description: Enabling this toggle will allow SAML to provision new users automatically. If you don’t wish to provision new users, do not enable the toggle.
  Required?: Not required
  Default: Off

...

This page does not cover how to set up an identity provider, as there are many providers, each with different configuration processes. The page covers the basics that you will need to implement SAML for your Yellowfin users.

Setup SAML


To configure a SAML provider, follow the steps below.

  1. From the Yellowfin burger bun menu in the top left corner, click on Administration, then Configuration
  2. Click on the Authentication tool (the lock), then on Authentication Method
  3. Click on the toggle for SAML Single Sign On to enable it
    A new section called SAML Configuration will appear. This is where everything related to SAML SSO is configured; click on SAML Configuration to expand the section
  4. Refer to the preceding table to enter values for the required fields: Identity Provider EntityId, Identity Provider SSO URL, Identity Provider SLO URL, Identity Provider Certificate, Signature Algorithm, Digest Algorithm, and User Id Attribute
  5. Refer to the preceding table and the following content to enter any other values for the other, non-mandatory fields described (see the image below for an example)

Enable SAML onboarding



Yellowfin can be configured to create new user accounts for any user who does not already exist in the system. This feature is called “onboarding”, and requires some additional configuration to provide Yellowfin with the information required to create new users from a SAML request. All of the following parameters must be set up and configured in the identity provider and Yellowfin to match the other attribute mapping parameters above. 

...

  1. Ensure you’re in the same configuration screen described in the preceding steps
  2. Click on the Onboard New Users toggle to enable it
  3. Refer to the preceding table to enter values for the required fields: First Name Attribute, Last Name Attribute and Email Attribute
  4. Refer to the preceding table to enter any other values for the other, non-mandatory fields described (see the image below for an example)

Customize data with CustomParameters and Parameters




If you already take advantage of the CustomParameters and Parameters options on an SSO web services call, these can also be added to SAML by using the fields SSO Entry Options and SSO Custom Session Variable Attribute. 

SSO Entry Options

The SSO Entry Options Attribute field allows configuration of the available features in the resulting Yellowfin session after users log in via SAML. The attribute can contain the same web service SSO Session Options that can be set on a web service SSO login, and they will be applied to the session created by the SAML SSO process. This is attribute-based, so it can be applied to individual users.

The SSO Custom Session Variable Attribute field allows custom data per user that can be passed via the CustomParameters option on an SSO web service call to be passed to a session created by the SAML SSO process. This is also attribute-based, so it can be applied to individual users.

For example, if you want a user to see their favourite reports, dashboards, stories and so on when they log in, you could create a SAML attribute called SsoOptions with the TIMELINE and DISABLEHEADER parameters (or any others listed on the Defining Login Session Options wiki page). We’ll use these for our example below.

  1. In the SAML Configuration area of Yellowfin, locate the SSO Entry Options Attribute field
  2. Type the name of your SAML attribute (SsoOptions in our example)
    The attribute’s value holds any parameters, separated by commas, that you wish to use
    In our example, we’ve used ENTRY=TIMELINE,DISABLEHEADER=TRUE
  3. Click on the Save button to save your changes

You can test that your changes worked by logging in using your SAML token and checking that the login options you’ve specified are displayed.
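The same check can be made before the first real login by looking at the SAML Response the identity provider produces and comparing it with what was typed into the configuration screen. The following is an added example and is not Yellowfin's own code: it covers both the parameter table earlier on this page (Destination against the Service Provider SSO URL, Issuer against the Identity Provider EntityId, Audience against the Audience Restriction, the XML-DSig SignatureMethod and DigestMethod against the Signature Algorithm and Digest Algorithm choices, and whether the assertion is encrypted as the Incoming Requests Encrypted toggle expects) and the SSO Entry Options steps above (reading the attribute named in UserId Attribute and splitting the SsoOptions value into session options). The config dictionary keys, the external base URL https://bi.example.com and the sample response with placeholder signature values are constructed for this example; the algorithm URIs are the standard XML-DSig ones.

```python
# Added example, not Yellowfin's own code: checks a SAML Response against the values entered in
# the SAML Configuration screen and pulls out the attributes the screen maps. Config keys,
# ext_base_url and the sample response are constructed; element names follow SAML 2.0 / XML-DSig.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# XML-DSig algorithm URIs for the choices offered in the configuration screen.
SIGNATURE_ALG_URI = {"RSA-SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                     "RSA-SHA384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                     "RSA-SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
DIGEST_ALG_URI = {"SHA256": "http://www.w3.org/2001/04/xmlenc#sha256",
                  "SHA384": "http://www.w3.org/2001/04/xmldsig-more#sha384",
                  "SHA512": "http://www.w3.org/2001/04/xmlenc#sha512"}


def service_provider_defaults(ext_base_url):
    """Derive the two Service Provider values whose defaults the table gives."""
    base = ext_base_url.rstrip("/")
    return {"sp_sso_url": base + "/SAMLLogin.i4",
            "audience_restriction": base + "/SAMLMetadata.i4"}


def check_response(xml_text, config):
    """List mismatches between a Response and the configured values (empty means consistent).
    Setup check only: Yellowfin verifies the signature with the Identity Provider Certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != config["sp_sso_url"]:
        problems.append("Destination does not match Service Provider SSO URL")
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        problems.append("Issuer does not match Identity Provider EntityId")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["audience_restriction"]:
        problems.append("Audience does not match Audience Restriction")
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != SIGNATURE_ALG_URI[config["signature_algorithm"]]:
        problems.append("SignatureMethod does not match Signature Algorithm")
    dig = root.find(".//ds:DigestMethod", NS)
    if dig is None or dig.get("Algorithm") != DIGEST_ALG_URI[config["digest_algorithm"]]:
        problems.append("DigestMethod does not match Digest Algorithm")
    # An EncryptedAssertion needs the Service Provider Private Key to open; a plain assertion
    # arriving while the toggle is on means the IdP is not encrypting as configured.
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if encrypted != config["incoming_requests_encrypted"]:
        problems.append("assertion encryption does not match Incoming Requests Encrypted")
    return problems


def extract_attributes(xml_text):
    """Map each AttributeStatement attribute name to its list of values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}


def parse_sso_options(value):
    """Split 'ENTRY=TIMELINE,DISABLEHEADER=TRUE' into {'ENTRY': 'TIMELINE', ...}."""
    options = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            key, sep, val = token.partition("=")
            options[key.strip().upper()] = val.strip() if sep else None
    return options


def session_inputs(xml_text, config):
    """The user id and session options taken from the mapped attributes."""
    attrs = extract_attributes(xml_text)
    users = attrs.get(config["userid_attribute"], [])
    if len(users) != 1:
        raise ValueError("expected exactly one value for the UserId Attribute")
    option_attr = config.get("sso_entry_options_attribute")
    options = parse_sso_options(attrs[option_attr][0]) if attrs.get(option_attr) else {}
    return {"user_id": users[0], "session_options": options}


# Constructed sample: the IdP entity id from this page's example, a made-up ext_base_url and
# placeholder signature/digest values (this is not a real signature).
CONFIG = dict(service_provider_defaults("https://bi.example.com"),
              idp_entity_id="www.okta.com/ekti172b2ac0843Xf", signature_algorithm="RSA-SHA256",
              digest_algorithm="SHA256", incoming_requests_encrypted=False,
              userid_attribute="UserId", sso_entry_options_attribute="SsoOptions")
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://bi.example.com/SAMLLogin.i4">
 <saml:Issuer>www.okta.com/ekti172b2ac0843Xf</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://bi.example.com/SAMLMetadata.i4</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="UserId"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="SsoOptions"><saml:AttributeValue>ENTRY=TIMELINE,DISABLEHEADER=TRUE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Run check_response(SAMPLE_RESPONSE, CONFIG) on a response captured from your own IdP (the browser's SAML tracer or the IdP's test tool will give you one); an empty list means the Destination, Issuer, Audience, algorithms and encryption setting all line up with the screen. A mismatch on the algorithm lines is the usual cause of a signature failure after changing the Signature Algorithm or Digest Algorithm defaults, and session_inputs shows exactly which user id and entry options Yellowfin would read from the mapped attributes.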

...

In Yellowfin, the only requirement is to add those details to the Custom Session Parameter Attribute field. 
