...
Yellowfin can manage signed requests from the identity provider to increase security. This feature is turned on by default, but requires some configuration. You must provide the signing certificate of the identity provider as well as the signing algorithm so that Yellowfin can decrypt the incoming signed requests. The identity provider should make these values obvious in their configuration.
...
Encrypted Requests
Yellowfin can also be configured to manage encrypted requests from the identity provider to further increase security. This can be toggled independently from the signed requests settings. You must generate an SSL key pair to give to Yellowfin (see onelogin.saml2.sp.x509cert and onelogin.saml2.sp.privatekey in the table on this wiki page). This is not provided by the system. Once you have those, you must provide the private key and the certificate to Yellowfin in their respective configuration fields, as well as configure this setting in your identity provider and set up the SSL encryption certificate in their configuration.
...
Your IdP will require the following fields.
Parameter | Description | Required? | Default |
---|---|---|---|
Service Provider SSO URL | The Single Sign On endpoint URL that your IdP will use to reach the Yellowfin login page. This is typically your external base URL followed by /SAMLLogin.i4 | Required | ext_base_url/SAMLLogin.i4 |
Audience Restriction | This is sometimes referred to as the ‘Service Provider Entity Id’ or ‘Issuer Id’. It's the identifier of the Yellowfin SAML service. This is typically your external base URL followed by | Required | ext_base_url/SAMLMetadata.i4 |
Encryption Certificate | This certificate is used by the IdP to encrypt traffic going to Yellowfin. As mentioned earlier on this page, you must generate your own SSL key pair and provide the encryption certificate here. | Required if the toggle for Incoming Requests Encrypted is enabled | None |
Yellowfin requires the following fields.
Parameter | Description | Required? | Default |
---|---|---|---|
Identity Provider EntityId | Sometimes referred to as the ‘audience URI’ or ‘audience restriction’, this identifies the entity of the service provider. This is typically in the format of <your_idp_domain>/<sp_id> For example, www.okta.com/ekti172b2ac0843Xf | Required | None |
Identity Provider SSO URL | The Single Sign On endpoint URL of the SAML identity provider, which your IdP should display clearly within their own configuration page. This is in the format of: <your_sso_domain>/<path_to_idp_sso_login> For example, login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/sso | Required | None |
Identity Provider SLO URL | The Single Logout endpoint URL of the SAML identity provider, which your IdP should display clearly within their own configuration page. This option tells Yellowfin where to point SLO responses. This is in the format of: <your_slo_domain>/<path_to_idp_slo_logout> For example, login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/slo | Required | None |
Identity Provider SLO URL Response | This is an optional parameter which is only required if your IdP's endpoint for SLO responses is not the same as the one it uses for SLO requests. If nothing is entered, Yellowfin will use the URL entered in the Identity Provider SLO URL field. This is in the format of: <your_slo_domain>/<path_to_idp_slo_logout_response> For example, login.mybusiness.com/app/yellowfin1/ekti172b2ac0843Xf/sloreponse | Optional | None |
Identity Provider Certificate | This certificate decrypts requests from the identity provider. Your identity provider should make this certificate obvious in their configuration. | Required | None |
Service Provider Private Key | This private key decrypts incoming encrypted SAML requests from the identity provider. As mentioned earlier on this page, you must generate your own SSL key pair and provide the private key here. | Required | None |
Service Provider Certificate | This certificate verifies incoming encrypted SAML requests from the identity provider. As mentioned earlier on this page, you must generate your own SSL key pair and provide the encryption certificate here. Although optional, it is recommended that you provide this private key for Yellowfin to sign requests. | Optional | None |
Signature Algorithm | This algorithm verifies the incoming identity provider certificate. Choose from three different hash lengths to match whatever your incoming certificate uses. If you're not sure, use the default. | Required | RSA-SHA256 |
Digest Algorithm | This algorithm verifies the incoming identity provider certificate. Choose from three different hash lengths to match whatever your incoming certificate uses. If you're not sure, use the default. | Required | SHA256 |
Incoming Requests Encrypted | This toggle dictates whether incoming SAML requests will be encrypted by the identity provider. Switch on for higher security. | Toggle | Off |
UserId Attribute | This field holds the Yellowfin user ID (typically a username or an email field, depending on your system configuration). | Required | None |
Client Reference Id Attribute | This parameter provides the location of the Client Reference Id of the client org that the user belongs to. Normally, this is either left blank or set to ‘1’ for Yellowfin instances that have no related client orgs. | Not required | None |
SSO Entry Options Attribute | This parameter takes the SAML attribute that holds comma-separated web service session parameter values to be passed to the session created by the SAML SSO process. Leave blank to direct the user to their default entry page. See the Customize Data with CustomParameters and Parameters section for more details and an example. | Not required | None |
Custom Session Parameter Attribute | This parameter allows options that can be passed via the Parameters option on an SSO web service call to be passed to the session created by the SAML SSO process. This is attribute-based and can apply to individual users. | Not required | None |
Onboard New Users | Enabling this toggle will allow SAML to provision new users automatically. If you don’t wish to provision new users, do not enable the toggle. | Not required | Off |
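As an added illustration (not Yellowfin's own code), the following Python sketch shows what the settings in the table above do once an assertion has already been signature-verified and, if the toggle is on, decrypted: the Issuer is checked against the Identity Provider EntityId, the Audience against ext_base_url/SAMLMetadata.i4, and the UserId, Client Reference Id and SSO Entry Options attributes are mapped into session fields. The attribute names, URLs and option values are constructed examples, not values from any real IdP.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Yellowfin-side settings from the table above; all values are constructed examples.
CONFIG = {
    "ext_base_url": "https://bi.example.com",           # external base URL
    "idp_entity_id": "www.okta.com/ekti172b2ac0843Xf",  # Identity Provider EntityId
    "userid_attribute": "email",                        # UserId Attribute
    "client_ref_attribute": "clientRef",                # Client Reference Id Attribute
    "entry_options_attribute": "entryOptions",          # SSO Entry Options Attribute
}

# Constructed sample assertion; attribute names and option values are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c1" Version="2.0">
  <saml:Issuer>www.okta.com/ekti172b2ac0843Xf</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://bi.example.com/SAMLMetadata.i4</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="clientRef"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="entryOptions"><saml:AttributeValue>ENTRY=DASHBOARD,DISABLEHEADER=TRUE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_assertion(xml_text, config=CONFIG):
    """Check Issuer and Audience against the configured values, then map attributes to session fields.
    Assumes the assertion was already signature-verified (and decrypted if encryption is enabled)."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != config["idp_entity_id"]:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    # Audience Restriction must name this service provider: ext_base_url/SAMLMetadata.i4
    expected = config["ext_base_url"].rstrip("/") + "/SAMLMetadata.i4"
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if expected not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected}")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    user_id = attrs.get(config["userid_attribute"], [""])[0].strip()
    if not user_id:
        raise ValueError("UserId Attribute missing from assertion")
    client_ref = attrs.get(config["client_ref_attribute"], [""])[0].strip() or None
    raw_opts = attrs.get(config["entry_options_attribute"], [""])[0]
    # Comma-separated NAME=VALUE pairs become session parameters; blank means the default entry page.
    options = dict(p.split("=", 1) for p in raw_opts.split(",") if "=" in p)
    return {"user_id": user_id, "client_ref": client_ref, "entry_options": options}
```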
This page does not cover how to set up an identity provider, as there are many providers, each with different configuration processes. The page covers the basics that you will need to implement SAML for your Yellowfin users.
...