SAML Service Provider Configuration
The Yellowfin SAML Bridge uses the OneLogin Java API to interface with SAML Identity Providers (IDP). The configuration for the SAML SP is done within the WEB-INF/classes/onelogin.saml.properties file.
The following properties need to be set to configure the Service Provider (the Yellowfin SAML Bridge). Inline comments in the properties file give more information about each option.
Consider this scenario: you access Yellowfin via http://yellowfin:8080, the SAML Bridge is installed in the yellowfin/appserver/webapps/samlbridge folder, and your AD FS host is named adfs.local.
Property | Description |
---|---|
onelogin.saml2.sp.entityid | The entityId of the SAML Bridge SP. This is also the metadata URL for the SAML Bridge, of the form <scheme>://<host>:<port>/<context>/metadata.jsp; metadata.jsp is located under the samlbridge folder. It can be used to register the SAML Bridge SP in AD FS. For instance: http://yellowfin:8080/samlbridge/metadata.jsp. Note: ensure that this URL is accessible from AD FS. |
onelogin.saml2.sp.assertion_consumer_service.url | The URL that handles a successful authentication. Yellowfin handles it via samlbridge/acs.jsp. For instance: http://yellowfin:8080/samlbridge/acs.jsp. Note: the SP entityId must be registered with AD FS to allow users access to this service. See the Registering Yellowfin SAML Bridge Identity Provider in AD FS chapter of this guide for how to register it. |
onelogin.saml2.sp.single_logout_service.url | The URL that handles a logoff. The samlbridge/sls.jsp file handles this. For instance: http://yellowfin:8080/samlbridge/sls.jsp |
onelogin.saml2.sp.x509cert | The text representation of a security certificate. A self-signed certificate can be generated with: The text representation of the sp.crt file produced by that command is required for this option. |
onelogin.saml2.sp.privatekey | The text representation of the certificate's private key, i.e. the text representation of the sp.pem file created by the self-signed certificate process above. |
onelogin.saml2.sp.nameidformat | Required by OneLogin SAML; it should correspond to the AD FS Name ID format. It can be one of: NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'; NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'; NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'; NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'; NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'; NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'; NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'; NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'; NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted' |
Note: Any changes made to the onelogin.saml.properties file will require the Yellowfin SAML Bridge to be restarted for new settings to take effect.
SAML Identity Provider (IDP) Configuration
The Yellowfin SAML Bridge uses the OneLogin Java API to interface with SAML Identity Providers (IDP). The configuration for the SAML IDP is also done within the WEB-INF/classes/onelogin.saml.properties file.
Each SAML Identity Provider requires different options to be filled out in the properties file. The options AD FS requires are listed below.
Property | Description |
---|---|
onelogin.saml2.idp.entityid | https://adfs.local/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=Yellowfin Note: you can find more details in the SSO service (IdpInitiatedSignOnPage) chapter of this guide. |
onelogin.saml2.idp.single_sign_on_service.url | https://adfs.local/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=Yellowfin Note: this value is filled in here, but it may not be required. |
onelogin.saml2.idp.single_logout_service.url | https://adfs.local/adfs/ls?wa=wsignout1.0 |
onelogin.saml2.idp.x509cert | This is required to sign SAML requests before sending them to AD FS. You can find more details in the AD FS Public Key chapter of this guide. Note: there may be issues with key size; see the Troubleshooting – Illegal Key Size chapter. |
Note: Any changes made to the onelogin.saml.properties file will require the Yellowfin SAML Bridge to be restarted for new settings to take effect.
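Because a wrong or incomplete onelogin.saml.properties file only shows up as a failed login after the bridge is restarted, it helps to check the SP and IdP properties from both tables above before restarting. The following checker is an added example, not part of the Yellowfin SAML Bridge or the OneLogin Java API; it assumes the file uses standard java.util.Properties syntax and embeds a constructed sample that mirrors the yellowfin:8080 / adfs.local scenario, with placeholder strings in place of real certificate and key material. It verifies that every property from the two tables is present, that the three SP URLs are absolute, end in metadata.jsp / acs.jsp / sls.jsp and share one scheme, host and context, that sp.nameidformat is one of the listed URNs, and that the certificate properties hold base64 text rather than, say, a file path. It also warns when the SP URLs use plain http, as the example values in this guide do, since that is fine for a lab but not for a production exchange of SAML assertions.

```python
import re
from urllib.parse import urlparse

# Expected endpoint file for each SP URL property, as given in the SP table.
SP_ENDPOINTS = {
    "onelogin.saml2.sp.entityid": "/metadata.jsp",
    "onelogin.saml2.sp.assertion_consumer_service.url": "/acs.jsp",
    "onelogin.saml2.sp.single_logout_service.url": "/sls.jsp",
}
CERT_KEYS = ("onelogin.saml2.sp.x509cert", "onelogin.saml2.sp.privatekey",
             "onelogin.saml2.idp.x509cert")
SP_KEYS = tuple(SP_ENDPOINTS) + CERT_KEYS[:2] + ("onelogin.saml2.sp.nameidformat",)
IDP_KEYS = ("onelogin.saml2.idp.entityid",
            "onelogin.saml2.idp.single_sign_on_service.url",
            "onelogin.saml2.idp.single_logout_service.url",
            "onelogin.saml2.idp.x509cert")
# Name ID format URNs accepted for sp.nameidformat, as listed in the SP table.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample file (not a real deployment); certificate values are placeholders.
SAMPLE = """\
# SP (Yellowfin SAML Bridge) section
onelogin.saml2.sp.entityid = http://yellowfin:8080/samlbridge/metadata.jsp
onelogin.saml2.sp.assertion_consumer_service.url = http://yellowfin:8080/samlbridge/acs.jsp
onelogin.saml2.sp.single_logout_service.url = http://yellowfin:8080/samlbridge/sls.jsp
onelogin.saml2.sp.x509cert = MIIBplaceholderNOTaREALcert0123456789+/AB==
onelogin.saml2.sp.privatekey = MIIEplaceholderNOTaREALkey0123456789+/AB==
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# IdP (AD FS) section; the SSO URL uses a properties line continuation
onelogin.saml2.idp.entityid = https://adfs.local/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=Yellowfin
onelogin.saml2.idp.single_sign_on_service.url = \\
    https://adfs.local/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=Yellowfin
onelogin.saml2.idp.single_logout_service.url = https://adfs.local/adfs/ls?wa=wsignout1.0
onelogin.saml2.idp.x509cert = MIIDplaceholderNOTaREALadfsCert0123456789+/AB==
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation (leading whitespace of the next line dropped)."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical += line[:-1]          # continuation: keep collecting
            continue
        logical += line
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def pem_body(value):
    """Drop PEM armor lines and whitespace, leaving only the base64 text."""
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END)[^-]*-----", "", value))


def check_properties(text):
    """Return a list of (severity, key, message); severity is 'error' or 'warn'."""
    props, findings = parse_properties(text), []
    for key in SP_KEYS + IDP_KEYS:
        if not props.get(key):
            findings.append(("error", key, "missing or empty"))
    contexts = set()
    for key, endpoint in SP_ENDPOINTS.items():
        url = props.get(key)
        if not url:
            continue
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not u.netloc:
            findings.append(("error", key, "not an absolute http(s) URL"))
            continue
        if not u.path.endswith(endpoint):
            findings.append(("error", key, "expected a URL ending in " + endpoint))
        if u.scheme == "http":
            findings.append(("warn", key, "plain http: SAML messages cross the network unencrypted"))
        contexts.add((u.scheme, u.netloc, u.path.rsplit("/", 1)[0]))
    if len(contexts) > 1:
        findings.append(("warn", "onelogin.saml2.sp.*", "SP URLs differ in scheme/host/context"))
    fmt = props.get("onelogin.saml2.sp.nameidformat")
    if fmt and fmt not in NAMEID_FORMATS:
        findings.append(("error", "onelogin.saml2.sp.nameidformat", "unknown format " + repr(fmt)))
    for key in CERT_KEYS:
        value = props.get(key)
        if value and not B64_RE.match(pem_body(value)):
            findings.append(("error", key, "not base64 text (paste the PEM body, not a path)"))
    for key in IDP_KEYS[1:3]:
        url = props.get(key)
        if url and urlparse(url).scheme != "https":
            findings.append(("warn", key, "AD FS endpoint is not https"))
    return findings


if __name__ == "__main__":
    for severity, key, message in check_properties(SAMPLE):
        print(severity.upper(), key, message)
```

Run as-is it reports only the three plain-http warnings for the sample; point `check_properties` at the contents of your own WEB-INF/classes/onelogin.saml.properties to check a real file. The line-continuation and separator handling follows the java.util.Properties rules so that a value wrapped over several lines is compared as the bridge will read it.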