Secure Login Access

Important

If you are performing an Incorta version upgrade, please refer to the corresponding upgrade guide. Instructions for SSO upgrade configurations can vary based on your current Incorta version and the target upgrade version.

You can secure login access by configuring:

  • SSO (details on this page).
  • Auth0 (Incorta provides support for Auth0 SDKs).
  • Incorta self-sync.

SSO enables users to log in to different applications with a single username and password through the organization's SSO portal. The Incorta Direct Data Platform supports SAML2-based logins for SSO, including the providers covered on this page (ADFS, IBM CIS, OneLogin, and Okta).

Configure SSO for Incorta

All SSO configurations, regardless of the provider you use, follow the same basic steps:

  1. Configure the SSO Provider.
  2. Enable SSO for a tenant, see Enable SSO for a Tenant.
  3. Create a Configuration file, see Create a Configuration file.
  4. Modify the server.xml file. See Modify server.xml.
  5. Restart Incorta by running the commands ./stop.sh and ./start.sh.

Configure SSO using CMC

Incorta enables you to configure your SSO provider using the CMC. Apply the following steps to configure the SSO:

  1. Open the CMC and log in.
  2. Select Clusters > cluster-name > Tenants > tenant-name.
  3. Select Configure.
  4. In the left pane, select Security.
  5. Configure the following properties to start using your SSO:
  • Authentication Type: Select the authentication type that you will use for the chosen tenant. In this case, it is SSO.
  • Provider Type: Select the SSO provider you are going to use. Current available values:
  ●  SAML2
  ●  Okta
  ●  Auth0
  ●  Custom
  • Provider name: This property is only available when you choose Custom as the provider type. Enter the name of the SSO provider that you are using.
  • Provider configurations: Enter the properties or XML configurations for the SSO provider you have selected. You can take these from the configuration file for each SSO provider (see Create a Configuration file).
Note

You must apply the following steps whether you are configuring SSO for the first time or upgrading your Incorta cluster.

  1. From the Clusters tab, select cluster-name > Cluster Configurations > Default Tenant Configurations.
  2. From the left pane, select Email.
  3. Configure the Server URL Protocol, Server Name, and Server Port.

If you are configuring the SSO for the first time, you must restart Incorta services.

Note

If you are just updating the settings for the SSO you are already using, you do not need to restart Incorta services.

Enable SSO for a Tenant

From the Tenant Management Tool (TMT), enter the following command: ./tmt.sh -clnm <CLUSTER_NAME> --update-property <tenantname> sso-login-enable true

Create a Configuration file

Create a configuration file named ssoDemoConf.properties in the following directory: /home/incorta/IncortaAnalytics/sso/. A sample configuration file appears under Configuration file below. Because this file holds the SP private key (onelogin.saml2.sp.privatekey) once request signing is enabled, make it readable only by the account that runs Incorta.

For ADFS, IBM CIS, and OneLogin, change the properties listed below. For Directory Services, see Directory Services; for Okta, see Okta; for LDAP, see LDAP; and for mobile SSO, see Mobile SSO.

ADFS

  • onelogin.saml2.sp.entityid: The value of Identity (Entity ID) you configured in ADFS.
  • onelogin.saml2.sp.assertion_consumer_service.url: The value of Reply URL in ADFS. Use this format: https://<incorta-server>/incorta/!<tenant-name>/.
  • onelogin.saml2.sp.single_logout_service.url: Your Incorta URL plus a logout redirect, for example https://<incorta-server>/incorta/logout.jsp?rediredtUrl=
  • onelogin.saml2.idp.entityid: The value of the entityID attribute in your ADFS metadata .xml file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the Location attribute in the SingleSignOnService tag in the ADFS metadata .xml file.
  • onelogin.saml2.idp.single_logout_service.url: The value of the Location attribute in the SingleLogoutService tag in the ADFS metadata .xml file. The sample file below was generated against Azure AD rather than on-premises ADFS, which is why it uses https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 here and an sts.windows.net issuer as the IdP entity ID.
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate element in the ADFS metadata .xml file.

IBM CIS

  • onelogin.saml2.sp.entityid: The value of Provider ID you configured in IBM CIS.
  • onelogin.saml2.sp.assertion_consumer_service.url: The value of Assertion Consumer Service URL (ACS) in CIS. Use this format: https://<incorta-server>/incorta/!<tenant-name>/.
  • onelogin.saml2.sp.single_logout_service.url: Your Incorta URL plus a logout redirect, for example https://<incorta-server>/incorta/logout.jsp?rediredtUrl=
  • onelogin.saml2.idp.entityid: The value of the entityID attribute in your IBM CIS metadata .xml file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the Location attribute in the SingleSignOnService tag in your IBM CIS metadata .xml file.
  • onelogin.saml2.idp.single_logout_service.url: The value of the Location attribute in the SingleLogoutService tag in your IBM CIS metadata .xml file.
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate element in your IBM CIS metadata .xml file.

OneLogin

Make the following changes in the onelogin-conf-sample.properties file and rename it to ssoDemoConf.properties:

  • onelogin.saml2.idp.entityid: The value of the entityID attribute of the EntityDescriptor tag in the SAML metadata file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the Location attribute in the SingleSignOnService tag in the SAML metadata file.
  • onelogin.saml2.idp.single_logout_service.url: The value of the Location attribute in the SingleLogoutService tag in the SAML metadata file. A OneLogin SLO URL has the form https://<subdomain>.onelogin.com/trust/saml2/http-redirect/slo/<app-id>.
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate element in the SAML metadata file.
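
The three provider lists above all take the idp.* values from the IdP's metadata file by hand, which is where copy-and-paste mistakes creep in. The following script is an added example, not Incorta code: it reads an IdP metadata file, emits the onelogin.saml2.idp.* properties, refuses plain-http endpoints, and computes the certificate fingerprint for the optional certfingerprint setting. The idp.example.com metadata embedded in it is constructed, and its certificate is base64 of the string abc rather than a real X.509 certificate.

```python
"""Derive the onelogin.saml2.idp.* properties from an IdP's SAML metadata.

Added example for this page, not Incorta code. The sample metadata below is
constructed: idp.example.com is hypothetical and its certificate is
base64("abc"), not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://idp.example.com/saml/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/saml/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.com/saml/sso/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/saml/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _endpoint(idp, tag, binding):
    """Location of the <tag> endpoint that advertises the wanted binding, or None."""
    for svc in idp.findall("md:" + tag, NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def cert_fingerprint(cert_b64, algorithm="sha256"):
    """Hex digest of the DER certificate: what openssl x509 -fingerprint
    prints, lower-cased and without colons, as java-saml compares it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.new(algorithm, der).hexdigest()


def idp_properties(metadata_xml, sso_binding=HTTP_REDIRECT):
    """onelogin.saml2.idp.* values for one EntityDescriptor; raises ValueError
    when a required value is missing or an endpoint is not https."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{" + NS["md"] + "}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("metadata lacks an entityID or an IDPSSODescriptor")

    sso = _endpoint(idp, "SingleSignOnService", sso_binding)
    if sso is None:
        raise ValueError("no SingleSignOnService with binding " + sso_binding)
    slo = _endpoint(idp, "SingleLogoutService", HTTP_REDIRECT) or ""
    for url in (sso, slo):
        if url and not url.startswith("https://"):
            raise ValueError("IdP endpoint is not https: " + url)

    # Prefer a certificate marked use="signing"; an unmarked one counts as signing.
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.setdefault(kd.get("use", "signing"), "".join(node.text.split()))
    cert = certs.get("signing")
    if not cert:
        raise ValueError("no signing certificate in metadata")

    return {
        "onelogin.saml2.idp.entityid": entity_id,
        "onelogin.saml2.idp.single_sign_on_service.url": sso,
        "onelogin.saml2.idp.single_sign_on_service.binding": sso_binding,
        "onelogin.saml2.idp.single_logout_service.url": slo,
        "onelogin.saml2.idp.x509cert": cert,
        # Alternative to x509cert; keep only one of the two in the final file.
        "onelogin.saml2.idp.certfingerprint": cert_fingerprint(cert),
        "onelogin.saml2.idp.certfingerprint_algorithm": "sha256",
    }


def render(props):
    """Properties-file lines ready to paste into ssoDemoConf.properties."""
    return "\n".join(f"{k} = {v}" for k, v in props.items())


if __name__ == "__main__":
    print(render(idp_properties(SAMPLE_METADATA)))
```

Run it against a real metadata file with `idp_properties(open("idp-metadata.xml").read())`; pass HTTP_POST as the second argument when the IdP only publishes a POST endpoint (the sample file's commented-out alternative binding). The https check is deliberate: a metadata file that advertises an http endpoint should fail here rather than in production.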

Configuration file

------ Beginning of the File --------
# If 'strict' is true, the Java Toolkit rejects unsigned or unencrypted
# messages that it expects to be signed or encrypted, and rejects messages
# that do not strictly follow the SAML standard. Strict mode is also what
# enables the audience, destination and timestamp checks on the IdP response,
# so keep false only while debugging and set it to true in production.
onelogin.saml2.strict = false
# Enable debug mode (to print errors)
onelogin.saml2.debug = true
# Service Provider Data that we are deploying
#
# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://localhost:8443/incorta
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
#onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-tookit-jspsample/acs.jsp
onelogin.saml2.sp.assertion_consumer_service.url = https://localhost:8443/incorta/!demo/
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = https://localhost:8443/incorta/logout.jsp?rediredtUrl=
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# See the Constants class of the toolkit for the supported NameIdFormat values
#onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert =
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey =
# Identity Provider Data that we want connect with our SP
#
# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid =https://sts.windows.net/e1641373-1717-4ca1-aac0-c1fafd043b16/
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/e1641373-1717-4ca1-aac0-c1fafd043b16/saml2
# Indicates a requirement for the NameID element on the SAMLResponse received by this SP to be present
onelogin.saml2.security.want_nameid = false
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
#if the above did not work try the below
#onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
#onelogin.saml2.idp.single_logout_service.url = https://incorta-dev.onelogin.com/trust/saml2/http-redirect/slo/610260
onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Public x509 certificate of the IdP
# (paste the value of the X509Certificate element from the IdP metadata, on a single line)
onelogin.saml2.idp.x509cert =
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha1
# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = false
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = false
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false
# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_messages_signed = false
# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = false
# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata = false
# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false
# Authentication context.
# Set empty and no AuthnContext will be sent in the AuthnRequest.
# Set comma separated values, for example urn:oasis:names:tc:SAML:2.0:ac:classes:Password
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified,urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
#onelogin.saml2.security.requested_authncontextcomparison = exact
onelogin.saml2.security.requested_authncontextcomparison = exact
# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true
# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
# rsa-sha1 is kept here for compatibility with older IdPs; prefer rsa-sha256 in production
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
# Organization
onelogin.saml2.organization.name = SP Java
onelogin.saml2.organization.displayname = SP Java Example
onelogin.saml2.organization.url = http://sp.example.com
# Contacts
onelogin.saml2.contacts.technical.given_name = Technical Guy
onelogin.saml2.contacts.technical.email_address = technical@example.com
onelogin.saml2.contacts.support.given_name = Support Guy
onelogin.saml2.contacts.support.email_address = support@example.com
--------- End of File ------------
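
The sample above is a development configuration: strict is off, debug is on, the signing algorithm is rsa-sha1 and no IdP certificate has been pasted in yet. The following checker is an added example, not Incorta or java-saml code: it parses a properties file of this shape, lists the settings that weaken SAML validation, and shows a constructed weak file beside a hardened one. The incorta.example.com and idp.example.com hosts in it are placeholders, the certificate value is a placeholder string, and the findings describe how the OneLogin java-saml toolkit used by the page's valve treats each setting.

```python
"""Flag settings in an Incorta SSO properties file that weaken SAML validation.

Added example for this page, not Incorta or java-saml code. Both property
sets below are constructed, with example.com hosts and a placeholder
certificate value.
"""

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# A development configuration of the kind shown on this page.
WEAK = """
onelogin.saml2.strict = false
onelogin.saml2.debug = true
onelogin.saml2.sp.entityid = https://localhost:8443/incorta
onelogin.saml2.sp.assertion_consumer_service.url = https://localhost:8443/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.sp.single_logout_service.url = http://localhost:8443/incorta/logout.jsp?rediredtUrl=
onelogin.saml2.idp.entityid = https://idp.example.com/saml/metadata
onelogin.saml2.idp.single_sign_on_service.url = https://idp.example.com/saml/sso
onelogin.saml2.idp.x509cert =
onelogin.saml2.security.want_assertions_signed = false
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
"""

# The same file with each weak setting corrected.
HARDENED = """
onelogin.saml2.strict = true
onelogin.saml2.debug = false
onelogin.saml2.sp.entityid = https://incorta.example.com/incorta
onelogin.saml2.sp.assertion_consumer_service.url = https://incorta.example.com/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
onelogin.saml2.sp.single_logout_service.url = https://incorta.example.com/incorta/logout.jsp?rediredtUrl=
onelogin.saml2.idp.entityid = https://idp.example.com/saml/metadata
onelogin.saml2.idp.single_sign_on_service.url = https://idp.example.com/saml/sso
onelogin.saml2.idp.x509cert = PLACEHOLDER-NOT-A-REAL-CERTIFICATE
onelogin.saml2.security.want_assertions_signed = true
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint(text):
    """Return (property, problem) pairs for every weak setting found."""
    p = parse_properties(text)

    def setting(name):
        return p.get("onelogin.saml2." + name, "")

    findings = []
    if setting("strict").lower() != "true":
        findings.append(("onelogin.saml2.strict",
                         "not true: audience, destination and timestamp checks on the IdP response are skipped"))
    if setting("debug").lower() == "true":
        findings.append(("onelogin.saml2.debug", "debug output enabled; disable in production"))
    if setting("sp.assertion_consumer_service.binding") != HTTP_POST:
        findings.append(("onelogin.saml2.sp.assertion_consumer_service.binding",
                         "must be HTTP-POST, the only binding the toolkit accepts on the ACS"))
    if not setting("idp.x509cert") and not setting("idp.certfingerprint"):
        findings.append(("onelogin.saml2.idp.x509cert",
                         "no IdP certificate or fingerprint, so the IdP signature cannot be verified"))
    if setting("security.want_assertions_signed").lower() != "true":
        findings.append(("onelogin.saml2.security.want_assertions_signed",
                         "not true: the assertion carrying the user's identity need not be signed itself"))
    if setting("security.signature_algorithm").endswith("sha1"):
        findings.append(("onelogin.saml2.security.signature_algorithm",
                         "SHA-1 signatures are deprecated; use rsa-sha256"))
    for key, value in p.items():
        if key.endswith(".url") and value.lower().startswith("http://"):
            findings.append((key, "plain http endpoint; SAML messages must travel over https"))
    return findings


def weak_keys(text):
    """Just the property names that lint() complains about."""
    return {key for key, _ in lint(text)}


if __name__ == "__main__":
    for key, problem in lint(WEAK):
        print(f"{key}: {problem}")
    print("hardened file findings:", lint(HARDENED))
```

Run `lint(open("/home/incorta/IncortaAnalytics/sso/ssoDemoConf.properties").read())` before restarting Incorta; an empty list is the goal for a production tenant, and the strict finding is the one to clear first, since the other validation settings only take effect once strict mode is on.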

Modify server.xml for ADFS, IBM CIS, Okta, OneLogin, and LDAP

Note

This task applies to ADFS, IBM CIS, Okta, OneLogin, and LDAP. For information on how to modify the server.xml file for Directory Services, see Modify server.xml for DS.

Modify the server.xml file located at <incorta home>/server/Conf/server.xml.

Add the following tag right before the <Host> tag:

<Valve className="com.incorta.sso.valves.OneLoginValve"
       confFilesMap="Tenant_Name=Absolute_Path,Tenant_Name2=Absolute_Path2"
       LoggingEnabled="true"
/>
  • Tenant_Name: The name of the Incorta tenant.
  • Absolute_Path: The absolute path of that tenant's SSO configuration file.
  • LoggingEnabled: Turns on the valve's log messages. The default is false, which means logging is off; turn it on only while troubleshooting.

Modify server.xml for Directory Services

Note

This task applies to Directory Services. For information on how to modify the server.xml file for ADFS, IBM CIS, Okta, OneLogin, and LDAP, see Modify server.xml.

Modify the server.xml file located at <incorta home>/server/Conf/server.xml.

Add the following tag right before the <Host> tag:

<Valve
className="com.incorta.sso.valves.DSAuth"
appAdminPassword="xxxappAdminPassword"
appId="xxxId"
appIdKey="xxxKey"
logoutURL="http://ds.incorta.com:8888/dsauth/logout.jsp"
myacinfo="myacinfo"
redirectUrl="http://ds.incorta.com:8888/dsauth/service/signin"
userLoginKey="userName"
validateUrl="http://ds.incorta.com:8888/dsauth/service/validate"
rv="Tenant1=20,tenant2=30"
/>

For a single tenant, rv takes one value, for example rv="30".

Set the values of the keys as follows:

  • appId: Used with the "validate" function.
  • appIdKey: Used with the "login" function.
  • appAdminPassword: The password used when creating the application at DS authentication. It is stored in clear text in server.xml, so restrict read access to that file.
  • redirectUrl: The absolute SSO URL to which the user is sent for the login scenario. It must not end in /.
  • validateUrl: The URL of the DS Authentication Web "validate" function, which validates the cookie.
  • userLoginKey: The user parameter that is used as the loginName in Incorta.
  • myacinfo: The cookie key into which DS Auth injects the user credentials after the user signs in.
  • logoutURL: The absolute URL of the logout page.
  • rv: For a single tenant, one value, for example rv="50". For multiple tenants, the rv value for each tenant, for example rv="tenant1=40,tenant2=50".

To use the same server.xml in development and production environments, omit the rv parameter; Incorta then sends the value of baseURL instead.