How to Configure SAML SSO Authentication for a Hosted Environment
Overview
This guide outlines configuring single sign-on (SSO) authentication using a Security Assertion Markup Language (SAML) for an installation hosted on kinops.
For assistance with configuring SAML SSO support in a customer-managed environment, see How to Configure SAML SSO Authentication for a Customer-Managed Environment.
Process
To enable SSO using SAML, create a file named "security.space-slug.properties" using the template below and update the example values to meet your organization's specifications.
The following code is only an example of the security.space-slug.properties file and must be edited for your Space. If you need assistance configuring this file, contact Kinetic Support with your SAML resource available for assistance.
## Define the SAML attributes to map to email and display name.
security.saml.attributes.email=email
#security.saml.attributes.displayName=FullName
#security.saml.mappings.userAttribute.0.regexMatch=
#security.saml.mappings.userAttribute.0.regexReplace=
#security.saml.mappings.userAttribute.1.name=Office Location
#security.saml.mappings.userAttribute.1.mapping=Office Location
#security.saml.mappings.userAttribute.1.regexMatch=
#security.saml.mappings.userAttribute.1.regexReplace=
#security.saml.mappings.userAttribute.3.name=Site Location
#security.saml.mappings.userAttribute.3.mapping=Site Location
## SAML Service Provider Configuration
## Specify the base URL for the SAML service provider. This must be formatted like this:
## http[s]://hostname[:port]/context/[spaceSlug]/app
## The context will usually be "kinetic". Note that /app does not end in a trailing slash.
## Required: This is required for SAML to effectively build the automated metadata.
## The SP metadata URL is the URL specified plus: /saml/metadata/alias/space-slug
## Example SP Metadata URL: http://localhost:8080/kinetic/acme/app/saml/metadata/alias/acme
## This URL needs to be shared with the IdP.
security.saml.sp.url=https://saml-testing.kinops.io/app
## Specify a custom entity ID for this service provider.
## Optional. The default value is generated as "com:kineticdata:core:SPACESLUG:sp"
security.saml.sp.entityid=https://saml-testing.kinops.io/
## Advanced Service Provider settings:
## Profile used for verification of SSL/TLS connections.
## Values: "pkix" or "metaiop".
## Optional. Default "pkix"
#security.saml.sp.sslsecurityprofile=pkix
## The key used to sign interactions with the SP. This key must be in the keystore and it must
## contain both the public and private key.
#security.saml.sp.signingkey=defaultkey
## The key used to encrypt interactions with the SP. This key must be in the keystore and it must
## contain both the public and private key.
#security.saml.sp.encryptionkey=defaultkey
## Specify the keys for active IDPs.
security.saml.providers=ssocircle
## Example URL-based metadata.
## NB: You must ensure that the SSL certificate or trust certificate is in the global keystore.
security.saml.idp.ssocircle.name=SSO Circle
security.saml.idp.ssocircle.type=url
security.saml.idp.ssocircle.url=https://idp.ssocircle.com/meta-idp.xml
Updated 5 months ago