Secure Login Access
If you are performing an Incorta version upgrade, please refer to the corresponding upgrade guide. Instructions for SSO upgrade configurations can vary based on your current Incorta version and the target upgrade version.
You can secure login access by configuring:
- SSO (details on this page).
- Auth0 (Incorta provides support for Auth0 SDKs).
- Incorta self-sync.
SSO enables users to log in to different applications with only one username and one password through the organization's SSO portal. The Incorta Direct Data Platform supports SAML2-based logins for SSO, including:
- OneLogin
- Directory Services
- Microsoft Active Directory (ADFS)
- IBM CIS
- Okta
- Mobile SSO
- Others (ask your customer success manager)
Configure SSO for Incorta
You can configure SSO for Incorta. All SSO configurations (regardless of which you use) follow the same basic steps:
- Configure the SSO Provider.
- Enable SSO for a tenant, see Enable SSO for a Tenant.
- Create a Configuration file, see Create a Configuration file.
- Modify the
server.xml
file. See Modifyserver.xml
. - Restart Incorta by running the commands
./stop.sh
and./start.sh
.
Configure SSO using CMC
Incorta enables you to configure your SSO provider using the CMC. Apply the following steps to configure the SSO:
- Open the CMC and login.
- Select Clusters > cluster-name > Tenants > tenant-name.
- Select Configure.
- Select panel, choose Security.
- Configure the following properties to start using your SSO:
Property | Description |
---|---|
Authentication Type | Select the authentication type that you will use for the chosen tenant. In this case, it will be SSO. |
Provider Type | Select the SSO provider you are going to use. Current available values: ● SAML2 ● Okta ● Auth0 ● Custom |
Provider name | This property is only available when you choose Custom as a provider type. Enter the SSO provider name that you are using. |
Provider configurations | Enter the properties or XML configurations for the SSO provider you have selected. You can get these configurations from the configurations file for each SSO. |
You must apply the upcoming steps whether you are configuring your SSO for the first time or upgrading your Incorta cluster.
- From the Clusters tab, select cluster-name > Cluster Configurations > Default Tenant Configurations.
- From the left pane, select Email.
- Configure the Server URL Protocol, Server Name, and Server Port.
If you are configuring the SSO for the first time, you must restart Incorta services.
If you are just updating the settings for the SSO you are already using, you do not need to restart Incorta services.
Enable SSO for a Tenant
From the Tenant Management Tool (TMT), enter the following command: ./tmt.sh -clnm <CLUSTER_NAME> --update-property <tenantname> sso-login-enable true
Create a Configuration file
Create a configuration file named ssoDemoConf.properties
in the following directory: /home/incorta/IncortaAnalytics/sso/
. A sample configuration file is pasted later under Configuration File.
Change the following properties for ADFS, IBM CIS, and OneLogin. For Directory Services, see Directory Services, for Okta, see Okta, for LDAP, see LDAP and mobile SSO, see Mobile SSO:
ADFS
onelogin.saml2.sp.entityid
: The value of Identity (Entity ID) you configured in ADFS.onelogin.saml2.sp.assertion_consumer_service.url
: The value of Reply URL in ADFS. Use this format:https://<incorta-server>/incorta/!<tenant-name>/
.onelogin.saml2.sp.single_logout_service.url
: Your Incorta URL plus a logout redirect, For example,http:///<incortaHostName>/incorta/logout.jsp?rediredtUrl=.
onelogin.saml2.idp.entityid
: The value of theentityID
attribute in your ADFS metadata .xml file.onelogin.saml2.idp.single_sign_on_service.url
: The value of theLocation
attribute in theSingleSignOnService
tag in ADFS metadata .xml file.onelogin.saml2.idp.single_logout_service.url
:https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509cert
: The value of theX509Certificate
in ADFS metadata .xml file.
IBM CIS
onelogin.saml2.sp.entityid
: The value of Provider ID you configured in IBM CIS.onelogin.saml2.sp.assertion_consumer_service.url
: the value of Assertion Consumer Service URL (ACS) in CIS. Use this format:https://<incorta-server>/incorta/!<tenant-name>/
.onelogin.saml2.sp.single_logout_service.url
: Your Incorta URL plus a logout redirect, For example,http:///<incortaHostName>/incorta/logout.jsp?rediredtUrl=.
onelogin.saml2.idp.entityid
: The value of theentityID
attribute in your IBM CIS metadata .xml file.onelogin.saml2.idp.single_sign_on_service.url
: The value of theentityID
attribute in your IBM CIS metadata .xml file.onelogin.saml2.idp.single_logout_service.url
:https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509cert
: The value of theX509Certificate
in IBM CIS metadata .xml file.
OneLogin
Make the following changes in the onelogin-conf-samele.properties
file and rename it to ssoDemoConf.properties
:
onelogin.saml2.idp.entityid
: The value of theentityID
in theEntityDescriptor
tag in the SAML metadata file.onelogin.saml2.idp.single_sign_on_service.url
: The value of theLocation
attribute in theSingleSignOnService
tag in the SAML metadata file.onelogin.saml2.idp.single_logout_service.url
:https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509cert
: The value of theX509Certificate
in the SAML metadata file.
Configuration file
------ Beginning of the File --------# If 'strict' is True, then the Java Toolkit will reject unsigned# or unencrypted messages if it expects them signed or encrypted# Also will reject the messages if not strictly follow the SAMLonelogin.saml2.strict = false# Enable debug mode (to print errors)onelogin.saml2.debug = true# Service Provider Data that we are deploying#v# Identifier of the SP entity (must be a URI)onelogin.saml2.sp.entityid = https://localhost:8443/incorta# Specifies info about where and how the <AuthnResponse> message MUST be# returned to the requester, in this case our SP.# URL Location where the <Response> from the IdP will be returned#onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-tookit-jspsample/acs.jsponelogin.saml2.sp.assertion_consumer_service.url = https://localhost:8443/incorta/!demo/# SAML protocol binding to be used when returning the <Response># message. Onelogin Toolkit supports for this endpoint the# HTTP-POST binding onlyonelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect# Specifies info about where and how the <Logout Response> message MUST be# returned to the requester, in this case our SP.onelogin.saml2.sp.single_logout_service.url = https://localhost:8443/incorta/logout.jsp?rediredtUrl=.# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest># message. Onelogin Toolkit supports for this endpoint the# HTTP-Redirect binding onlyonelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect# Specifies constraints on the name identifier to be used to# represent the requested subject.# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported#onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified# Usually x509cert and privateKey of the SP are provided by files placed at# the certs folder. But we can also provide them with the following parametersonelogin.saml2.sp.x509cert =# Requires Format PKCS#8 BEGIN PRIVATE KEY# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pemonelogin.saml2.sp.privatekey =# Identity Provider Data that we want connect with our SP## Identifier of the IdP entity (must be a URI)onelogin.saml2.idp.entityid =https://sts.windows.net/e1641373-1717-4ca1-aac0-c1fafd043b16/# SSO endpoint info of the IdP. (Authentication Request protocol)# URL Target of the IdP where the SP will send the Authentication Request Messageonelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/e1641373-1717-4ca1-aac0-c1fafd043b16/saml2onelogin.saml2.security.want_nameid = false# SAML protocol binding to be used when returning the <Response># message. Onelogin Toolkit supports for this endpoint the# HTTP-Redirect binding onlyonelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect#if the above did not work try the below#onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST# SLO endpoint info of the IdP.# URL Location of the IdP where the SP will send the SLO Request#onelogin.saml2.idp.single_logout_service.url = https://incorta-dev.onelogin.com/trust/saml2/http-redirect/slo/610260onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0# https://login.microsoftonline.com/e1641373-1717-4ca1-aac0-c1fafd043b16/saml2# Optional SLO Response endpoint info of the IdP.# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response urlonelogin.saml2.idp.single_logout_service.response.url =# SAML protocol binding to be used when returning the <Response># message. Onelogin Toolkit supports for this endpoint the# HTTP-Redirect binding onlyonelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect# Public x509 certificate of the IdPonelogin.saml2.idp.x509cert =MIIC8DCCAdigAwIBAgIQIA1O3lGDAIhNUwrVs/bxpDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xODA2MDgxMjE4MDRaFw0yMTA2MDgxMjE4MDRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr+KzyudnWjCkSlWcQIoGST4OVBAOQD0wHy+wI3t3Qmir7km/NyBXZFaXC9aK12XU+4Lziyjbvf+c2l+giSww+Rz7O+BJ+oopxV19n84QTCatV9gmdsDO21k6/x4Xmu/xTYD45OCRrJItQr+1zvk4F5P/0/lwbcjhhP4ylDf6gRcO9BIKrmQRgQA2hjI0b+RLgmxylMd8c9bHwknElnsgOlsVdOn1xaUd4b3tkQREVPvmLgj2/O0qBP/rOzdzo36Jo87Xx4Y3zgFWDO21ClzwXDmdd5ifVnM1aGWF7SYRYhVOZ805Ovzaia/JO8fuhF2sKruqzlQrP4PjJggP29kA9wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCRzAa/bfRRiCgQgY+Z7J7Hhj0epQallchQuZ2dAVghrCoyCceb0D/e3sBm5nXQrj817nP53iLlMQZdcM64f0mm8u9nqN5q6PR6d0RwJOSQcT+UwmtMdOrxpfuEHqnP8HfOSxXDo7/H1beVxutqbTGGzZkr+TM52uMw2WkkAMaooP9fvm+HlI4d8MylX1DMCEtv6IBOLC2HMr6+eL2nGrcwvMZUHdX0MVlDdEf3wqNoDsRkfgJu8K+L88RThXUa4sSa0pJcdIbnI4cr2AtsHSHhI/iIQHrqW/3tn1dP6IbEF29AB1WkWvlChjo0tOvKldyloXUUBNVSwxMSkAUXUw6b# Instead of use the whole x509cert you can use a fingerprint# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,# or add for example the -sha256 , -sha384 or -sha512 parameter)## If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512# 'sha1' is the default value.# onelogin.saml2.idp.certfingerprint =# onelogin.saml2.idp.certfingerprint_algorithm = sha1# Security settings## Indicates that the nameID of the <samlp:logoutRequest> sent by this SP# will be encrypted.onelogin.saml2.security.nameid_encrypted = false# Indicates whether the <samlp:AuthnRequest> messages sent by this SP# will be signed. [The Metadata of the SP will offer this info]onelogin.saml2.security.authnrequest_signed = false# Indicates whether the <samlp:logoutRequest> messages sent by this SP# will be signed.onelogin.saml2.security.logoutrequest_signed = false# Indicates whether the <samlp:logoutResponse> messages sent by this SP# will be signed.onelogin.saml2.security.logoutresponse_signed = false# Sign the Metadata# Empty means no signature, or comma separate the keyFileName and the certFileNameonelogin.saml2.security.want_messages_signed =# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and# <samlp:LogoutResponse> elements received by this SP to be signed.onelogin.saml2.security.want_assertions_signed = false# Indicates a requirement for the Metadata of this SP to be signed.# Right now supported null (in order to not sign) or true (sign using SP private key)onelogin.saml2.security.sign_metadata = false# Indicates a requirement for the Assertions received by this SP to be encryptedonelogin.saml2.security.want_assertions_encrypted = false# Indicates a requirement for the NameID received by this SP to be encryptedonelogin.saml2.security.want_nameid_encrypted = false# Authentication context.# Set Empty and no AuthContext will be sent in the AuthNRequest,# Set comma separated values urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberosonelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password# Allows the authn comparison parameter to be set, defaults to 'exact'#onelogin.saml2.security.requested_authncontextcomparison = exactonelogin.saml2.security.requested_authncontextcomparison = exact# Indicates if the SP will validate all received xmls.# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).onelogin.saml2.security.want_xml_validation = true# Algorithm that the toolkit will use on signing process. Options:# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1# Organizationonelogin.saml2.organization.name = SP Javaonelogin.saml2.organization.displayname = SP Java Exampleonelogin.saml2.organization.url = http://sp.example.com# Contactsonelogin.saml2.contacts.technical.given_name = Technical Guyonelogin.saml2.contacts.technical.email_address = technical@example.comonelogin.saml2.contacts.support.given_name = Support Guyonelogin.saml2.contacts.support.email_address = support@@example.com--------- End of File ------------
Modify server.xml for ADFS, IBM CIS, Okta, OneLogin, and LDAP
This task applies to ADFS, IBM CIS, Okta, OneLogin, and LDAP. For information on how to modify the server.xml
file for Directory Services, see Modify server.xml for DS.
Modify the server.xml
file located at <incorta home>/server/Conf/server.xml
.
Add the following tag right before the<Host>
tag:
<Valve className="com.incorta.sso.valves.OneLoginValve"confFilesMap="Tenant_Name=Absolute_Path,Tenant_Name2=Absolute_Path2"LoggingEnabled = "true"/>
Tenant_Name
: The name of Incorta Tenant.Absolute_Path
: The path of the SSO configuration file.LoggingEnabled
: This flag turns on the valve logging messages. By default it's false which means the logging is turned off.
Modify server.xml for Directory Services
This task applies to Directory Services. For information on how to modify the server.xml
file for ADFS, IBM CIS, Okta, OneLogin, and LDAP, see Modify server.xml.
Modify the server.xml
file located at <incorta home>/server/Conf/server.xml
.
Add the following tag right before the<Host>
tag:
<ValveclassName="com.incorta.sso.valves.DSAuth"appAdminPassword="xxxappAdminPassword"appId="xxxId"appIdKey="xxxKey"logoutURL="[http://ds.incorta.com:8888/dsauth/logout.jsp](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/logout.jsp&sa=D&ust=1557438364712000)"myacinfo="myacinfo"redirectUrl="[http://ds.incorta.com:8888/dsauth/service/signin](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/service/signin&sa=D&ust=1557438364712000)"userLoginKey="userName"validateUrl="[http://ds.incorta.com:8888/dsauth/service/validate](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/service/validate&sa=D&ust=1557438364713000)"rv="Tenant1=20,tenant2=30" or rv="30"
Set values for the following keys as:
appId
: Use with the “validate” function.appIdKey:
: Used with the “login” function.appAdminPassword
: The password used when creating the application at DS authentication.redirectUrl
: SSO Absolute URl at which user will go through the login scenario. This cannot end in/
.validateUrl
: The URL of validating the cookie with DS Authentication Web’s validate function.userLoginKey
: The user parameter which will be used as the loginName at Incorta.myacinfo
: The kocki key with DS Auth injects user credentials after user signs in.logoutURL
: absolute logout page URL.rv
: single tenant. For example,rv
= "50". For multiple tenants, provide therv
value for each tenant. For examplerv = "tenant1=40,tenant2=50"
.
To be compatible with development and production environments, remove the rv
parameter for server.xml
and Incorta sends the value of baseURL
.