
Dataphin: SAML configuration instructions

Last Updated:Jan 21, 2025

This topic provides guidance on configuring the SAML protocol.

Background information

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data across different security domains, such as between an Identity Provider (IDP) and a Service Provider (SP).

Fill in SAML configuration information on the Dataphin side

Generate configuration item dataphin.sso.saml.properties

Note: Begin by completing the SAML Configuration Information Template using the provided SAML metadata. Then, perform Base64 encoding to create the dataphin.sso.saml.properties configuration item.

SAML Configuration Information Template

# dataphin(sp) identifier ID (generated when a new application is created on the saml side)
onelogin.saml2.sp.entityid={generated when a new application is created on the saml side}
# dataphin(sp) callback URL
onelogin.saml2.sp.assertion_consumer_service.url=https://{dataphin address}/sso/saml/ssoCallback
# dataphin(sp) logout URL
onelogin.saml2.sp.single_logout_service.url=https://{dataphin address}/logout.htm
# saml(idp) configuration file URL
onelogin.saml2.idp.entityid=https://sts.windows.net/8ae0e787-99a4-40d8-aeda-bb7023b5e023/
# saml(idp) login URL
onelogin.saml2.idp.single_sign_on_service.url={fill in the Location address of the SingleSignOnService tag in the metadata}
# saml(idp) logout URL
onelogin.saml2.idp.single_logout_service.url={fill in the Location address of the SingleLogoutService tag in the metadata}
# saml(idp) certificate (download from the saml page)
onelogin.saml2.idp.x509cert={x509cert key provided by the original data}
# saml user information parsing key
onelogin.saml2.userInfoKeys={"sourceUserId":"http://schemas.microsoft.com/identity/claims/objectidentifier","displayName":"http://schemas.microsoft.com/identity/claims/displayname","email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","mobilePhone":""}

Configuration items and descriptions

onelogin.saml2.sp.entityid

This is generated upon creating a new application in the SAML system.

onelogin.saml2.sp.assertion_consumer_service.url

This is the callback URL, formatted as: https://{dataphin address}/sso/saml/ssoCallback. Replace {dataphin address} with your Dataphin's deployed address.

onelogin.saml2.sp.single_logout_service.url

This is the logout URL, formatted as: https://{dataphin address}/logout.htm. Replace {dataphin address} with your Dataphin's deployed address.

onelogin.saml2.idp.entityid

This unique identifier for the IDP is available in the downloaded IDP metadata.


onelogin.saml2.idp.single_sign_on_service.url

This URL is used for both login and logout on the IDP side; take it from the Location attribute of the SingleSignOnService tag in the IDP metadata.


onelogin.saml2.idp.single_logout_service.url

The logout URL for the IDP is obtained in the same way as onelogin.saml2.idp.single_sign_on_service.url, from the Location attribute of the SingleLogoutService tag.

onelogin.saml2.idp.x509cert

This is the IDP's certificate.


onelogin.saml2.userInfoKeys

This is the SAML user information parsing key. Extract the URI corresponding to sourceUserId (the user's unique ID), displayName, email, and mobilePhone from the auth:ClaimType tags in the customer's SAML metadata and populate the JSON (omit keys that do not exist).

{
  "sourceUserId":"http://schemas.microsoft.com/identity/claims/objectidentifier",
  "displayName":"http://schemas.microsoft.com/identity/claims/displayname",
  "email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "mobilePhone":""
}
Note: Different customers use different claim tags. Confirm which claim carries the user's unique ID before filling in sourceUserId.

Dataphin SSO related configuration items

The following fields in the Dataphin configuration file values.yaml enable SAML authentication. Provide these configuration details to the Dataphin operations team.

product:
  dataphin:
    sso:
      provider:
        # Use the SAML session and account providers (YAML indentation must use spaces, not tabs)
        session: 'com.alibaba.dataphin.sso.provider.saml.session.SamlSessionProvider'
        account: 'com.alibaba.dataphin.sso.provider.saml.account.SamlAccountProvider'
    security:
      # SAML2 protocol configuration: the Base64-encoded content of dataphin.sso.saml.properties
      saml2: {properties: 'Base64 encoded SAML properties file content=='}

Configure as per the example above to enable SAML-based account and authentication features.
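The template above, the claim extraction for onelogin.saml2.userInfoKeys, and the Base64 value for security.saml2.properties can all be produced from the IDP metadata in one step. The script below is an added example and not Dataphin's own tooling; the sample metadata, tenant ID, certificate body and the mobilePhone claim URI are constructed placeholders or assumptions, and it assumes the metadata uses the standard SAML 2.0 and WS-Fed namespaces:

```python
import base64
import json
import xml.etree.ElementTree as ET

# Namespaces in SAML 2.0 IdP metadata; the auth:ClaimType entries come from the WS-Fed extension
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
# Dataphin user-info keys with the claim URIs documented above; the mobilePhone URI is an assumption
CLAIM_URIS = {"sourceUserId": "http://schemas.microsoft.com/identity/claims/objectidentifier",
              "displayName": "http://schemas.microsoft.com/identity/claims/displayname",
              "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
              "mobilePhone": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"}
# Constructed sample IdP metadata with a placeholder tenant id and certificate (not real data)
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor><fed:ClaimTypesOffered>
    <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/objectidentifier"/>
    <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"/>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </fed:ClaimTypesOffered></RoleDescriptor>
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER
      CERT-BODY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def build_saml_properties(metadata_xml, dataphin_address, sp_entity_id):
    """Fill the dataphin.sso.saml.properties template from IdP metadata; returns (text, base64 text)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    # The certificate must be a single line in the .properties value: drop the PEM line breaks
    cert = "".join(idp.find(".//ds:X509Certificate", NS).text.split())
    offered = {c.get("Uri") for c in root.iter("{%s}ClaimType" % NS["auth"])}
    # A key whose claim the IdP does not offer keeps an empty value, as mobilePhone does in the template
    user_info = {k: (uri if uri in offered else "") for k, uri in CLAIM_URIS.items()}
    lines = [
        "onelogin.saml2.sp.entityid=" + sp_entity_id,
        "onelogin.saml2.sp.assertion_consumer_service.url=https://%s/sso/saml/ssoCallback" % dataphin_address,
        "onelogin.saml2.sp.single_logout_service.url=https://%s/logout.htm" % dataphin_address,
        "onelogin.saml2.idp.entityid=" + root.get("entityID"),
        "onelogin.saml2.idp.single_sign_on_service.url=" + idp.find("md:SingleSignOnService", NS).get("Location"),
        "onelogin.saml2.idp.single_logout_service.url=" + idp.find("md:SingleLogoutService", NS).get("Location"),
        "onelogin.saml2.idp.x509cert=" + cert,
        "onelogin.saml2.userInfoKeys=" + json.dumps(user_info, separators=(",", ":")),
    ]
    text = "\n".join(lines) + "\n"
    return text, base64.b64encode(text.encode()).decode()  # base64 form goes into values.yaml saml2.properties
```

Paste the returned base64 string as the value of security.saml2.properties; the plain text is what you would review before encoding.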

Switch authentication system for historical users

  • Dataphin's userTable maintains a mapping of source_user_id to Dataphin user_id. In Dataphin operations, user_id serves as the user's identity, while source_user_id is used for user information transformation.

  • When a user logs in through the IDP, the IDP passes the source_user_id to Dataphin; Dataphin looks it up in the userTable and converts it to the user_id, which completes the user conversion.

Hence, when updating historical users, it is crucial to adjust the source_user_id to ensure seamless integration of new system users with their corresponding Dataphin counterparts.

For instance, if a customer transitions from Alibaba Cloud's login system to Microsoft AD and the Dataphin super administrator is Xiaoming, Xiaoming's Alibaba Cloud ID must be replaced with his Microsoft AD ID.

  • The mapping table should include at least two columns: fromId and toId, where fromId is the previous IDP's ID, and toId is the new IDP's ID.

  • Unmodified users will lose access to Dataphin. If they hold specific permissions, such as approval rights, it could impact operations. Therefore, customers must thoroughly verify the correction table to prevent any oversights or errors during the update process.

    Username     fromId      toId
    Xiaoming     aliyun123   ms_ad_124
    SuperAdmin   aliyun666   ms_ad_666
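The verification the last bullet asks for can be done before the correction table is applied: find users with no row (they would lose access), rows that match nobody, and two users mapped onto one new ID. This is an added example and not part of the original topic; the userTable layout, column names and IDs are constructed for illustration and do not reflect Dataphin's real schema:

```python
import csv
import io

# Constructed sample of the userTable (user_id -> source_user_id) and a customer correction table;
# column names and ids are illustrative, not Dataphin's real schema or real accounts
USER_TABLE = [
    {"user_id": "u-1001", "username": "Xiaoming", "source_user_id": "aliyun123"},
    {"user_id": "u-1002", "username": "SuperAdmin", "source_user_id": "aliyun666"},
    {"user_id": "u-1003", "username": "Approver", "source_user_id": "aliyun777"},  # missing from the table
    {"user_id": "u-1004", "username": "Analyst", "source_user_id": "aliyun888"},   # mapped to a taken toId
]
MAPPING_CSV = """fromId,toId
aliyun123,ms_ad_124
aliyun666,ms_ad_666
aliyun888,ms_ad_666
aliyun999,ms_ad_999
"""


def load_mapping(csv_text):
    """Read the fromId/toId correction table from CSV text."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_mapping(user_table, mapping_rows):
    """Validate the correction table against the userTable before applying it; every list is empty when clean."""
    from_ids = [r["fromId"] for r in mapping_rows]
    to_ids = [r["toId"] for r in mapping_rows]
    current = {u["source_user_id"] for u in user_table}
    return {
        # users without a row keep their old IDP id and will no longer be able to log in
        "unmapped_users": [u["username"] for u in user_table if u["source_user_id"] not in from_ids],
        # rows that match nobody: a typo in fromId or an account that no longer exists
        "unknown_from_ids": sorted(set(from_ids) - current),
        # the same fromId listed twice makes the result depend on row order
        "duplicate_from_ids": sorted({f for f in from_ids if from_ids.count(f) > 1}),
        # two users mapped to one toId would collapse into a single Dataphin identity
        "duplicate_to_ids": sorted({t for t in to_ids if to_ids.count(t) > 1}),
        "empty_to_ids": [f for f, t in zip(from_ids, to_ids) if not t.strip()],
    }


def apply_mapping(user_table, mapping_rows):
    """Return a new userTable with source_user_id rewritten; user_id, the identity Dataphin uses, is untouched."""
    mapping = {r["fromId"]: r["toId"] for r in mapping_rows}
    return [dict(u, source_user_id=mapping.get(u["source_user_id"], u["source_user_id"])) for u in user_table]
```

Run check_mapping first and apply the table only once every finding list is empty.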