SAML (Security Assertion Markup Language) is an open standard that allows you to use centralized user management to authenticate your users across multiple web applications - this is known as single sign-on (SSO).
Centralized user management is typically handled via an identity provider (IdP), and each application that you authenticate with is known as a service provider (SP).
Aperture Data Studio can act as one of those service providers, using SAML 2.0.
The steps below will allow you to configure Aperture Data Studio with SAML SSO.
To enable SAML for SSO in Data Studio, go to Settings > Security and under SAML properties check Enabled.
You will then need to configure the following mandatory settings:
Identity provider endpoint URL: The URL at which to authenticate the user.
Certificate fingerprint: The fingerprint of the IdP signing certificate, which Data Studio uses to check that responses were signed by your IdP and not by some other certificate. It can be entered either formatted (hex pairs separated by colons) or unformatted (a bare hex string).
Additionally, the following optional settings can be configured:
Identity provider logout URL: If your IdP supports single logout (SLO), this URL is where the IdP will expect to receive logout requests and responses.
Sign authentication requests: If you would like to sign your authentication requests, you can enable this switch and configure a valid certificate and key file in Data Studio.
Advanced settings:
Name identifier format: The format Data Studio requests for the user identifier (NameID) that the IdP returns. Data Studio maps the authenticated user to a Data Studio account by matching that identifier against the account's username. For example, if Data Studio users have their email address as their username, set the name identifier format to E-mail so that the IdP returns the email address as the identifier and the user is mapped to the correct account.
Communication binding: The communication binding is the communication method between Data Studio and the IdP when making an authentication request. This can be set to either HTTP Redirect (default) or HTTP POST.
You can also customize the login button label and login message which are displayed on the login screen.
To configure the IdP, you must provide the following values found in the SAML properties in Data Studio:
Service provider entity ID: An identifier representing this instance of Data Studio as the SP within the IdP. By default, this is set to https://datastudio.experianaperture.io and does not need to be changed unless you have multiple instances of Data Studio that are all configured for SSO using the same IdP, in which case each instance needs its own entity ID.
Assertion consumer service (ACS) URL: The endpoint to which the IdP sends its authentication response (via the user's browser). This should be set to <base Data Studio URL>/saml/auth.
The IdP will then also require the following configuration steps:
If you set up Data Studio to sign your authentication requests, you will also need to provide the IdP with that same certificate (the public certificate only, never the private key).
If a sign-on URL is required by the IdP then this should be set to the base address of your Data Studio server.
If your IdP supports single logout (SLO), you should specify the single logout endpoint URL of Data Studio so that the logout request is correctly received. This will be <base Data Studio URL>/saml/logout.
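What the settings above turn into on the wire, as an added example (not Data Studio's own code): an SP-initiated AuthnRequest carrying the SP entity ID as Issuer, the ACS URL, and an E-mail NameID policy, encoded for both the HTTP Redirect and HTTP POST communication bindings, with the decoding the IdP performs on receipt. Assumed values are the Data Studio base URL https://datastudio.example.com, the IdP endpoint https://idp.example.com/sso, and the request ID and timestamp; request signing is not shown.

```python
"""SP-initiated SAML 2.0 AuthnRequest for the HTTP-Redirect and HTTP-POST
bindings.

Added example, not Data Studio's own code. Assumed: the base URL
https://datastudio.example.com, the IdP endpoint https://idp.example.com/sso,
and the request ID / IssueInstant. The entity ID, ACS path and NameID format
follow the configuration described on the page.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "https://datastudio.experianaperture.io"  # Data Studio default
BASE_URL = "https://datastudio.example.com"              # assumed
ACS_URL = BASE_URL + "/saml/auth"
IDP_SSO_URL = "https://idp.example.com/sso"              # assumed IdP endpoint URL

ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(request_id=None, issue_instant=None):
    """Serialize an AuthnRequest that asks the IdP for an e-mail NameID and
    directs the response to the ACS URL over HTTP-POST."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % NS_SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": BINDING_POST,
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(req, "{%s}Issuer" % NS_SAML).text = SP_ENTITY_ID
    ET.SubElement(req, "{%s}NameIDPolicy" % NS_SAMLP,
                  {"Format": NAMEID_EMAIL, "AllowCreate": "false"})
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, carried as the
    SAMLRequest query parameter on the IdP endpoint URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def post_binding_field(xml):
    """HTTP-POST binding: plain base64 of the XML submitted in a form field
    named SAMLRequest; there is no DEFLATE step."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_redirect_binding(url):
    """Reverse the redirect encoding, as the IdP does on receipt."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_post_binding(field):
    return base64.b64decode(field).decode("utf-8")


def summarize(xml):
    """Extract the values the IdP's SP configuration must agree with."""
    root = ET.fromstring(xml)
    return {
        "issuer": root.findtext("{%s}Issuer" % NS_SAML),
        "acs": root.get("AssertionConsumerServiceURL"),
        "nameid_format": root.find("{%s}NameIDPolicy" % NS_SAMLP).get("Format"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    request_xml = build_authn_request()
    print(request_xml)
    print(redirect_binding_url(request_xml, relay_state="/"))
```

If "Sign authentication requests" is enabled, the two bindings sign differently: with HTTP Redirect the signature travels in separate SigAlg and Signature query parameters computed over the encoded query string, while with HTTP POST an XML signature is embedded in the request itself. An IdP that rejects the request with an issuer or ACS mismatch is comparing the Issuer and AssertionConsumerServiceURL values shown by `summarize` against what was registered for the SP.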
See the troubleshooting section for help with configuration errors.
Before signing in to Data Studio via the IdP, users must have an account in Data Studio whose username matches the name identifier returned by the IdP.
To create a new SSO user, use Data Studio's super admin account, which continues to use internal authentication once SAML is enabled. To sign in to this account, navigate to <base Data Studio URL>/samladmin. From there, use the default super admin password (or your own custom password if it has already been changed) and create new users in the standard way. Because this account bypasses the IdP entirely, make sure its default password has been changed.
Should SAML SSO ever be disabled, all users created while it was enabled can still use internal Data Studio authentication. However, an administrator must first set a default password for them, which they can then change after logging in.
Once SAML SSO has been enabled, the following settings will no longer apply to or be seen by any user apart from the super admin. This is because these settings and policies are now controlled by the IdP.
Users will also no longer have the option to change their password or have their account locked/unlocked, as this will also be controlled within the IdP.
The settings below will still apply to all users:
Once SAML has been enabled for SSO and users matching those in the IdP have been created, they can access Data Studio using the base address as well as any specific URL, e.g.
In addition to the login session timeout determined by the password policy, if there's a session lifetime specified by the IdP, that will be respected.
A warning prompt will be shown when the session is about to expire, suggesting that the user re-authenticates.
To log out of Data Studio, you have two options:
Manual - go to the top menu, click on the user icon and select Switch user. This will terminate the active Data Studio session and redirect you to the IdP. The options you will see will depend on your IdP configuration (e.g. an option to sign in as a different user or sign out of the session entirely).
Automated - Single Logout (SLO) allows you to initiate the logout process simultaneously for all applications where the user has logged in via SSO. If your IdP supports SLO and you initiate logout, all your active Data Studio sessions will be terminated.