Implement Single Sign-On (SSO) via SAML

This applies to: Visual Data Discovery

Symphony Data Discovery supports single sign-on (SSO) using the Security Assertion Markup Language (SAML), a secure, XML-based communication standard for authenticating identities between organizations. SAML eliminates the need for a user to create and maintain multiple authentication credentials (that is, passwords) for different websites. Instead, by leveraging SAML, a user authenticates once with a secure site (known as the 'Identity Provider' or 'IDP'), which then authorizes access to the different applications and services that are linked to the user’s account.

Key points for implementing SAML SSO in an organization’s operating environment:

  • Service Providers must subscribe to an IDP service (or implement one internally) and complete a setup process. Since there are many IDP options, service providers may subscribe to more than one service for the convenience of their users.
  • Users need to complete a registration process to be added to your organization’s secured directory, including selecting from the authentication methods offered by your organization.
  • New applications and programs (such as Symphony) must be integrated into your organization’s existing security protocols.
  • Each authentication approval (assertion) issued by the IDP is valid for a single use and only for a limited time.

Prepare to Integrate Symphony Data Discovery into Your SAML-Enabled Network

If your organization already has SAML SSO integrated into the operating environment, Symphony can be added to your list of secured applications and programs. Symphony supports the SAML 2.0 security protocol. Symphony provides the following security functionality using SAML: (1) user authentication, (2) group mappings, and (3) account level synchronization of users and groups in Symphony. Your organization’s Security Administrator or IT Manager responsible for network security may need to be involved if the Symphony Administrator does not have account access to your IDP.

Symphony can only support one IDP account. If your organization uses multiple IDP accounts, select one that will connect with Symphony.

Prior to setup, Symphony recommends checking that the Network Time Protocol (NTP) service is used to synchronize your network with accurate time servers. SAML assertions carry timestamps and a validity window, so clock drift between Symphony and the identity provider can cause the identity provider’s assertions to be rejected and SAML users to fail authentication; NTP helps avoid this.

For more information, see Using the Network Time Protocol.

Symphony’s SAML Settings provide mappings for the Group, Email, Account, Active account, and Full Name attributes that allow the Symphony Administrator to import these settings directly into Symphony’s Users and Groups administrative function.

Symphony also supports an SSL connection to SAML. To set up secured SAML, a keystore needs to be generated and saved in the Symphony SAML configuration page. The SSL certificate needs to be uploaded into the keystore file so that Symphony can validate the SSL connection. See Configure Symphony to Support SAML for the setup instructions.

Symphony acts as the SAML Service Provider, so the organization’s IDP account needs to be imported into Symphony. This entails importing the IDP’s metadata file when configuring SAML in Symphony. After completing all configuration steps, you need to generate Symphony’s metadata file so that it can be added to your IDP’s account. Again, if your organization has a dedicated security administrator, contact them to assist in this setup procedure.

Symphony supplies two default users you can use to log into Symphony: admin and supervisor. You must log in as the supervisor to access the SAML configuration page. See Supplied Users.

Keep in mind the following SAML requirements and behaviors in Symphony:

  • IDP account should support SAML 2.0: Your organization’s IDP needs to support SAML 2.0 in order to successfully add Symphony.
  • Default Account section: users can be auto-provisioned to a specific account.
  • Importing users and groups from the IDP into Symphony: there are two scenarios to consider for importing users and groups:
    • If the user or group profile does not already exist in Symphony, it is created the first time that the user logs into Symphony. In this case, the profile contains no access privileges, and the Symphony Administrator needs to set up these profiles.
    • If the user or group profile already exists in Symphony, the names must be an exact match in order for the IDP profile information to populate the corresponding Symphony accounts. For example, if the username “johndoe” is stored in the IDP, exactly the same username should exist in Symphony.
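As an added example (not Symphony’s own code), the rules described above written out in Python: an assertion is accepted once only and only inside its NotBefore/NotOnOrAfter window (with a small skew tolerance, which is why NTP matters), and the IDP’s attributes are mapped onto the Group, Email and Full Name fields while the NameID is kept verbatim so it can be matched exactly against the Symphony username. The attribute names and the sample assertion are constructed for this example, and the assertion’s XML signature is assumed to have been verified before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IDP attribute names (constructed for this example) -> Symphony SAML Settings fields.
ATTRIBUTE_MAP = {"email": "Email", "displayName": "Full Name", "memberOf": "Group"}

# Constructed sample assertion. A real one also carries an XML Signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>johndoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>johndoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>viewers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):
    # SAML timestamps are UTC; fractional seconds are not handled in this example.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, now, seen_ids, skew=timedelta(seconds=60)):
    """Return (accepted, profile_or_reason). Assumes the XML Signature was already verified."""
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return False, "replayed assertion ID"  # single-use rule: an ID is honoured once
    cond = root.find("saml:Conditions", NS)
    if now + skew < parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid (check NTP)"
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired (check NTP)"
    seen_ids.add(assertion_id)
    # NameID is kept exactly as issued; it must match the Symphony username character for character.
    profile = {"username": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field:
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            profile[field] = values if field == "Group" else values[0]  # a user can be in several groups
    return True, profile
```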

After you have successfully configured and enabled SAML, users and groups imported in this manner can be managed from Symphony’s Users and Groups function. For guidance on importing and setting up these accounts, see Managing User Definitions.

See Configure Symphony to Support SAML for instructions on setting up SAML in Symphony.