Overview: Implementing Single Sign-On via SAML in Zoomdata
Zoomdata supports single sign-on (SSO) using the Security Assertion Markup Language (SAML), a secure, XML-based standard for exchanging authentication information between organizations. SAML eliminates the need for a user to create and maintain multiple authentication credentials (that is, passwords) for different websites. Instead, by leveraging SAML, a user authenticates once at a trusted site (known as the 'Identity Provider' or 'IdP'), which then authorizes access to the different applications and services that are linked to the user's account.
Key points for implementing SAML SSO in an organization's operating environment:
- Service Providers (SPs) must subscribe to an IdP's service (or implement one internally) and complete a setup process. Since there are many IdP options, SPs may subscribe to more than one service for the convenience of their users.
- Users need to complete a registration process to be added to your organization's secured directory, including the selection of authentication methods offered by your organization.
- New applications and programs (such as Zoomdata) must be integrated into your organization's existing security protocols.
- Authentication approval from the IdP is limited to a single use and is valid only for a limited time.
Preparing to Integrate Zoomdata into Your SAML-enabled Network
If your organization already has SAML SSO integrated into the operating environment, Zoomdata can be added to your list of secured applications and programs. Zoomdata supports the SAML 2.0 security protocol. Zoomdata provides the following security functionalities using SAML: (1) user authentication, (2) group mappings, and (3) account level synchronization of users and groups in Zoomdata. Your organization’s Security Administrator or IT Manager responsible for network security may need to be involved if the Zoomdata Administrator does not have account access to your IdP.
Prior to setup, Zoomdata recommends checking that the Network Time Protocol (NTP) service is used to synchronize your network with accurate time servers. Because a SAML authentication response is valid only within a short time window, a clock that drifts between Zoomdata and the identity provider can cause otherwise valid logins to be rejected; NTP helps to avoid such authentication failures.
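The two properties above, that an IdP's approval is single-use and time-limited, are what an SP checks on every assertion it receives. The following is an added illustration, not Zoomdata's code: it validates the `Conditions` time window of a constructed sample assertion with a small clock-skew allowance and rejects an assertion ID that has already been consumed. Signature verification, which a real SP performs before anything else, is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP); the XML signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-0001" IssueInstant="2024-01-15T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>johndoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"/>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC timestamp format SAML uses for Conditions attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    """Enforces the time window and single-use rule for incoming assertions."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.skew = clock_skew     # tolerated drift between SP and IdP clocks
        self.seen_ids = set()      # assertion IDs already consumed (single use)

    def validate(self, xml_text, now):
        root = ET.fromstring(xml_text)
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return False, "replay: assertion ID already used"
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing Conditions element"
        not_before = parse_time(cond.get("NotBefore"))
        not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
        # A slow SP clock makes a fresh assertion look "not yet valid";
        # a fast one makes it look expired. NTP keeps 'now' trustworthy.
        if now + self.skew < not_before:
            return False, "assertion not yet valid (check SP clock / NTP)"
        if now - self.skew >= not_on_or_after:
            return False, "assertion expired (check SP clock / NTP)"
        self.seen_ids.add(assertion_id)
        return True, "ok"
```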
Zoomdata's SAML Settings provide mappings for the Group, Email, Account, Active account, and Full Name attributes, which allow the Zoomdata Administrator to import these values directly into Zoomdata's Users and Groups administrative function.
Zoomdata also supports SAML over an SSL connection. To set up secured SAML, a keystore needs to be generated and saved in the Zoomdata SAML configuration page. The SSL certificate needs to be uploaded into the keystore file so that Zoomdata can validate the SSL connection. See Configuring Zoomdata to Support SAML for the setup instructions.
The organization's IdP account needs to be imported into Zoomdata, which acts as the Service Provider. This entails importing the IdP's metadata file when configuring SAML in Zoomdata. After completing all configuration steps, you need to generate Zoomdata's metadata file so that it can be added to your IdP's account. Again, if your organization has a dedicated security administrator, contact them to assist with this setup procedure.
- Supervisor should only be used when making account-level changes to Zoomdata (such as configuring SAML). We recommend that an organization limit the availability of this access level to the administrator(s) responsible for managing the Zoomdata account. This account credential is provided directly to the Zoomdata account manager in your organization.
- Administrator is the default login role for accessing Zoomdata. Logging in with this credential is all that is needed to set up Users and Groups and account preferences to prepare Zoomdata for use by all levels of users in an organization.
For more information, see Roles in Zoomdata.
Keep in mind the following SAML requirements that Zoomdata supports:
- IdP account should support SAML 2.0: Your organization's IdP needs to support SAML 2.0 in order to successfully add Zoomdata.
- Default Account section: users can be auto-provisioned to a specific account.
Importing users and groups from the IdP into Zoomdata: there are two scenarios to consider:
- If the user or group profile does not already exist in Zoomdata, it is created the first time that the user logs into Zoomdata. In this case, the profile contains no access privileges, and the Zoomdata Administrator needs to set up these profiles.
- If the user or group profile already exists in Zoomdata, the names must be an exact match in order for the IdP profile information to populate the corresponding Zoomdata accounts. For example, if the username "johndoe" is stored in the IdP, the exact same username must be in Zoomdata.
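To make the attribute mappings and the exact-match rule concrete, here is an added example (not Zoomdata's implementation) that reads a constructed SAML `AttributeStatement`, maps the IdP attribute names to Zoomdata-style fields, and reports for the user and each group whether an existing profile is populated or a new, privilege-less one would be created. The IdP attribute names in `ATTRIBUTE_MAP` are assumptions; real deployments name them differently.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping of Zoomdata-style fields to the IdP's attribute names.
# These IdP-side names are assumptions and vary by deployment.
ATTRIBUTE_MAP = {
    "email": "mail",
    "full_name": "displayName",
    "groups": "memberOf",
    "active": "accountEnabled",
}

# Constructed sample AttributeStatement, not captured from a real IdP.
SAMPLE_ATTRIBUTES = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="mail"><saml:AttributeValue>johndoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="displayName"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>analysts</saml:AttributeValue>
    <saml:AttributeValue>Finance</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="accountEnabled"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def extract_attributes(xml_text, mapping=ATTRIBUTE_MAP):
    """Return {field: [values]} for every mapped attribute present in the statement."""
    root = ET.fromstring(xml_text)
    by_name = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        by_name[attr.get("Name")] = values
    return {field: by_name.get(idp_name, []) for field, idp_name in mapping.items()}


def reconcile(username, attrs, existing_users, existing_groups):
    """Decide, per imported name, whether it populates an existing profile ('update'/'link')
    or creates a new one with no privileges ('create'). Matching is exact and case-sensitive,
    so an IdP group 'Finance' does not populate an existing Zoomdata group 'finance'."""
    report = {
        "user": username,
        "user_action": "update" if username in existing_users else "create",
        "active": attrs["active"] == ["true"],
        "groups": {},
    }
    for group in attrs["groups"]:
        report["groups"][group] = "link" if group in existing_groups else "create"
    return report
```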
Once you have successfully configured and enabled SAML, users and groups imported in this manner can be managed from Zoomdata's Users and Groups function. For guidance on importing and setting up these accounts, see Users and Groups.