Secure Login Access

You can secure login access by configuring:

  • SSO (details on this page).
  • Auth0 (Incorta provides support for Auth0 SDKs).
  • Incorta self-sync.

SSO enables users to log in to different applications with only one username and one password through the organization’s SSO portal. The Incorta Direct Data Platform supports SAML2-based logins for SSO, including:

Configure SSO for Incorta

You can configure SSO for Incorta. All SSO configurations (regardless of which you use) follow the same basic steps:

  1. Configure the SSO Provider.
  2. Enable SSO for a tenant, see Enable SSO for a Tenant.
  3. Create a Configuration file, see Create a Configuration file.
  4. Modify the server.xml file. See Modify server.xml.
  5. Restart Incorta by running the commands ./stop.sh and ./start.sh.

Enable SSO for a Tenant

From the Tenant Management Tool (TMT), enter the following command: ./tmt.sh --update-property <tenantname> sso-login-enable true

Create a Configuration file

Create a configuration file named ssoDemoConf.properties in the following directory: /home/incorta/IncortaAnalytics/sso/. A sample configuration file is pasted later under Configuration File.

Change the following properties for ADFS, IBM CIS, and OneLogin. For Directory Services, see Directory Services, for Okta, see Okta, for LDAP, see LDAP and mobile SSO, see Mobile SSO:

ADFS

  • onelogin.saml2.sp.entityid: The value of Identity (Entity ID) you configured in ADFS.
  • onelogin.saml2.sp.assertion_consumer_service.url: The value of Reply URL in ADFS. Use this format: https://<incorta-server>/incorta/!<tenant-name>/.
  • onelogin.saml2.sp.single_logout_service.url: Your Incorta URL plus a logout redirect, For example, http:///<incortaHostName>/incorta/logout.jsp?rediredtUrl=.
  • onelogin.saml2.idp.entityid: The value of the entityID attribute in your ADFS metadata .xml file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the Location attribute in the SingleSignOnService tag in ADFS metadata .xml file.
  • onelogin.saml2.idp.single_logout_service.url: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate in ADFS metadata .xml file.

IBM CIS

  • onelogin.saml2.sp.entityid: The value of Provider ID you configured in IBM CIS.
  • onelogin.saml2.sp.assertion_consumer_service.url: the value of Assertion Consumer Service URL (ACS) in CIS. Use this format: https://<incorta-server>/incorta/!<tenant-name>/.
  • onelogin.saml2.sp.single_logout_service.url: Your Incorta URL plus a logout redirect, For example, http:///<incortaHostName>/incorta/logout.jsp?rediredtUrl=.
  • onelogin.saml2.idp.entityid: The value of the entityID attribute in your IBM CIS metadata .xml file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the entityID attribute in your IBM CIS metadata .xml file.
  • onelogin.saml2.idp.single_logout_service.url: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate in IBM CIS metadata .xml file.

OneLogin

Make the following changes in the onelogin-conf-samele.properties file and rename it to ssoDemoConf.properties:

  • onelogin.saml2.idp.entityid: The value of the entityID in the EntityDescriptor tag in the SAML metadata file.
  • onelogin.saml2.idp.single_sign_on_service.url: The value of the Location attribute in the SingleSignOnService tag in the SAML metadata file.
  • onelogin.saml2.idp.single_logout_service.url: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  • onelogin.saml2.idp.x509cert: The value of the X509Certificate in the SAML metadata file.

Configuration file

------ Beginning of the File  --------

# If 'strict' is True, then the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted
# Also will reject the messages if not strictly follow the SAML
onelogin.saml2.strict = false

# Enable debug mode (to print errors)
onelogin.saml2.debug = true

# Service Provider Data that we are deploying
#v

# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://localhost:8443/incorta

# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
#onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-tookit-jspsample/acs.jsp
onelogin.saml2.sp.assertion_consumer_service.url = https://localhost:8443/incorta/!demo/

# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = https://localhost:8443/incorta/logout.jsp?rediredtUrl=.

# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
#onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters

onelogin.saml2.sp.x509cert =
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey =

# Identity Provider Data that we want connect with our SP
#

# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid =https://sts.windows.net/e1641373-1717-4ca1-aac0-c1fafd043b16/

# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/e1641373-1717-4ca1-aac0-c1fafd043b16/saml2
onelogin.saml2.security.want_nameid = false
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
#if the above did not work try the below
#onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
#onelogin.saml2.idp.single_logout_service.url = https://incorta-dev.onelogin.com/trust/saml2/http-redirect/slo/610260
onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
# https://login.microsoftonline.com/e1641373-1717-4ca1-aac0-c1fafd043b16/saml2
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =

# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Public x509 certificate of the IdP
onelogin.saml2.idp.x509cert =MIIC8DCCAdigAwIBAgIQIA1O3lGDAIhNUwrVs/bxpDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xODA2MDgxMjE4MDRaFw0yMTA2MDgxMjE4MDRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr+KzyudnWjCkSlWcQIoGST4OVBAOQD0wHy+wI3t3Qmir7km/NyBXZFaXC9aK12XU+4Lziyjbvf+c2l+giSww+Rz7O+BJ+oopxV19n84QTCatV9gmdsDO21k6/x4Xmu/xTYD45OCRrJItQr+1zvk4F5P/0/lwbcjhhP4ylDf6gRcO9BIKrmQRgQA2hjI0b+RLgmxylMd8c9bHwknElnsgOlsVdOn1xaUd4b3tkQREVPvmLgj2/O0qBP/rOzdzo36Jo87Xx4Y3zgFWDO21ClzwXDmdd5ifVnM1aGWF7SYRYhVOZ805Ovzaia/JO8fuhF2sKruqzlQrP4PjJggP29kA9wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCRzAa/bfRRiCgQgY+Z7J7Hhj0epQallchQuZ2dAVghrCoyCceb0D/e3sBm5nXQrj817nP53iLlMQZdcM64f0mm8u9nqN5q6PR6d0RwJOSQcT+UwmtMdOrxpfuEHqnP8HfOSxXDo7/H1beVxutqbTGGzZkr+TM52uMw2WkkAMaooP9fvm+HlI4d8MylX1DMCEtv6IBOLC2HMr6+eL2nGrcwvMZUHdX0MVlDdEf3wqNoDsRkfgJu8K+L88RThXUa4sSa0pJcdIbnI4cr2AtsHSHhI/iIQHrqW/3tn1dP6IbEF29AB1WkWvlChjo0tOvKldyloXUUBNVSwxMSkAUXUw6b

# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha1

# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = false

# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = false

# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false

# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false

# Sign the Metadata
# Empty means no signature, or comma separate the keyFileName and the certFileName
onelogin.saml2.security.want_messages_signed =

# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = false

# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata = false

# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false

# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false

# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest,
# Set comma separated values urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
#onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:X509,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:federation:authentication:windows,urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
#onelogin.saml2.security.requested_authncontextcomparison = exact
onelogin.saml2.security.requested_authncontextcomparison = exact

# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true

# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1

# Organization
onelogin.saml2.organization.name = SP Java
onelogin.saml2.organization.displayname = SP Java Example
onelogin.saml2.organization.url = http://sp.example.com

# Contacts
onelogin.saml2.contacts.technical.given_name = Technical Guy
onelogin.saml2.contacts.technical.email_address = technical@example.com
onelogin.saml2.contacts.support.given_name = Support Guy
onelogin.saml2.contacts.support.email_address = support@@example.com

       --------- End of File ------------

Modify server.xml for ADFS, IBM CIS, Okta, OneLogin, and LDAP

Note

This task applies to ADFS, IBM CIS, Okta, OneLogin, and LDAP. For information on how to modify the server.xml file for Directory Services, see Modify server.xml for DS.

Modify the server.xml file located at <incorta home>/server/Conf/server.xml.

Add the following tag right before the<Host> tag:

 <Valve className="com.incorta.sso.valves.OneLoginValve"
 confFilesMap="Tenant_Name=Absolute_Path,Tenant_Name2=Absolute_Path2"
 LoggingEnabled = "true"
 />
  • Tenant_Name: The name of Incorta Tenant.
  • Absolute_Path: The path of the SSO configuration file.
  • LoggingEnabled: This flag turns on the valve logging messages. By default it’s false which means the logging is turned off.

Modify server.xml for Directory Services

Note

This task applies to Directory Services. For information on how to modify the server.xml file for ADFS, IBM CIS, Okta, OneLogin, and LDAP, see Modify server.xml.

Modify the server.xml file located at <incorta home>/server/Conf/server.xml.

Add the following tag right before the<Host> tag:

<Valve
className="com.incorta.sso.valves.DSAuth"
appAdminPassword="xxxappAdminPassword"
appId="xxxId"
appIdKey="xxxKey"
logoutURL="[http://ds.incorta.com:8888/dsauth/logout.jsp](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/logout.jsp&sa=D&ust=1557438364712000)"
myacinfo="myacinfo"
redirectUrl="[http://ds.incorta.com:8888/dsauth/service/signin](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/service/signin&sa=D&ust=1557438364712000)"
userLoginKey="userName"
validateUrl="[http://ds.incorta.com:8888/dsauth/service/validate](https://www.google.com/url?q=http://ds.incorta.com:8888/dsauth/service/validate&sa=D&ust=1557438364713000)"
rv="Tenant1=20,tenant2=30" or rv="30"

Set values for the following keys as:

  • appId: Use with the “validate” function.
  • appIdKey:: Used with the “login” function.
  • appAdminPassword: The password used when creating the application at DS authentication.
  • redirectUrl: SSO Absolute URl at which user will go through the login scenario. This cannot end in /.
  • validateUrl: The URL of validating the cookie with DS Authentication Web’s validate function.
  • userLoginKey: The user parameter which will be used as the loginName at Incorta.
  • myacinfo: The kocki key with DS Auth injects user credentials after user signs in.
  • logoutURL: absolute logout page URL.
  • rv: single tenant. For example, rv = “50”. For multiple tenants, provide the rv value for each tenant. For example rv = "tenant1=40,tenant2=50".

To be compatible with development and production environments, remove the rv parameter for server.xml and Incorta sends the value of baseURL.


© Incorta, Inc. All Rights Reserved.