AzureAD/SAML Authentication in DataMiner Cluster

Solved · 1.02K views · 7th July 2023 · authentication, AzureAD, SAML
6
Ruben Vandepitte [SLC] [DevOps Advocate] 2.32K · 16th March 2023 · 0 Comments

We’re trying to configure multiple DMAs in a cluster for AzureAD/SAML authentication.

The documentation states that in the AzureAD Enterprise App, the following fields need to be configured:

  • Entity ID to the IP address or DNS name specified in the spMetadata.xml file
  • Under Reply URL, specify the following URLs, replacing dataminer.example.com with the IP address or DNS name in the spMetadata.xml file (note the trailing “/”):
    • https://dataminer.example.com/root/
    • https://dataminer.example.com/ticketing/
    • https://dataminer.example.com/jobs/
    • https://dataminer.example.com/monitoring/
    • https://dataminer.example.com/dashboard/
    • https://dataminer.example.com/login/
    • https://dataminer.example.com/
  • Set Sign on URL to the IP address or DNS name specified in the spMetadata.xml file, for example https://dataminer.example.com/.

This is clear for a single DMA, but how should those fields be configured in case of a cluster, as they seem DMA-specific?

  • Should we list the URLs of all DMAs under Reply URL?
  • Should we configure all DMA names under Entity ID?
  • Sign on URL in AzureAD only allows a single value. How should that one be configured?

Also, can we use a single AzureAD Enterprise App for authentication with multiple clusters (e.g. Staging and Production)?

Thanks!

Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 7th July 2023

1 Answer

7
Bert Vandenberghe [SLC] [DevOps Enabler] 8.29K · Posted 16th March 2023 · 2 Comments

Hi Ruben,

Here are my answers to your questions:

  • Should we list the URLs of all DMAs under Reply URL?
    Yes, all possible URLs must be specified in the Reply URLs or Redirect URIs. If there are multiple DMAs accessible via different URLs (or just one DMA accessible via different URLs), you need to specify all of them. If you forget a URL, you will get an error when trying to use such an “unknown” URL.
  • Should we configure all DMA names under Entity ID?
    No, you can choose one URL or IP as Entity ID. Each DMA specifies this same Entity ID in its SPMetadata.xml file (even though that DMA is potentially only reachable via another URL).
  • Sign on URL in AzureAD only allows a single value. How should that one be configured?
    You can just choose the most commonly used URL in there.

Creating one or more apps? You can indeed use one app for different clusters. Then you just need to add all the URLs to one app. Personally I’m more in favor of creating different apps because you can potentially configure security on the app as well, and the security might be different between different systems… Therefore I’m leaning towards separate apps for separate clusters.

PS: We are currently making a unified login, this means that in one of the upcoming versions, you’ll only need one URL for a DMA which will be used for all apps, including low-code apps, which is currently not supported with SAML.

Bert

Ruben Vandepitte [SLC] [DevOps Advocate] commented 16th March 2023

Thanks Bert, clarifies a lot, just a few remarks:

Entity ID: The way I understand, this is just a unique identifier on AzureAD side, and doesn’t necessarily have to be a DataMiner IP or URL? In that case, I wonder if it doesn’t make more sense – and is less confusing – to just use a string like ‘dataminer-saml’, or similar… ?

Sign On URL: Is this field actually mandatory? We tested with leaving it blank on a single DMA, and still seemed to work fine. In case of using the AzureAD App for multiple clusters, what would be the purpose of filling in a URL of an agent that is not part of that cluster?

Thanks!

Bert Vandenberghe [SLC] [DevOps Enabler] commented 16th March 2023

Entity ID: indeed, this just needs to uniquely identify your app, so you can indeed specify something else than a URL. This is the explanation in Azure on Entity ID:
“Identifier (Entity ID)
The unique ID that identifies your application to Azure Active Directory. This value must be unique across all applications in your Azure Active Directory tenant. The default identifier will be the audience of the SAML response for IDP-initiated SSO.”

Sign On URL is indeed optional, so I believe you can indeed leave this blank and it will still work. Here is the info from Azure on Sign On URL:
“Sign on URL (Optional)
Sign on URL is used if you would like to perform service provider-initiated single sign-on. This value is the sign-in page URL for your application. This field is unnecessary if you want to perform identity provider-initiated single sign-on.”
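
The answer above says every URL of every DMA must appear under Reply URL, or logins through the forgotten URL fail. The following check is an added example, not part of the thread or of DataMiner: it builds the required list from the documented paths and compares it with a list copied from the Enterprise App. The hostnames, the sample list and the function names are constructed for illustration, and nothing here calls Azure.

```python
from urllib.parse import urlsplit

# Paths from the documentation excerpt quoted in the question (trailing "/" matters).
REPLY_PATHS = ["/root/", "/ticketing/", "/jobs/", "/monitoring/",
               "/dashboard/", "/login/", "/"]


def expected_reply_urls(hosts):
    """Every Reply URL the app needs for the given DMA hostnames or IPs."""
    return {f"https://{h.lower()}{p}" for h in hosts for p in REPLY_PATHS}


def audit_reply_urls(hosts, configured):
    """Compare an app's configured Reply URLs with what the cluster needs.

    missing    -> required but absent; logins through that URL will fail
    no_slash   -> present, but without the trailing "/" the documentation calls for
    unexpected -> not derived from these hosts (for example another cluster
                  sharing the app); worth reviewing
    """
    expected = expected_reply_urls(hosts)
    normalised = set()
    for url in configured:
        parts = urlsplit(url.strip())
        # Scheme and host are case-insensitive; the path is compared as written.
        normalised.add(f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}")
    no_slash = sorted(u for u in normalised
                      if u not in expected and u + "/" in expected)
    missing = sorted(u for u in expected - normalised if u[:-1] not in no_slash)
    unexpected = sorted(normalised - expected - set(no_slash))
    return {"missing": missing, "no_slash": no_slash, "unexpected": unexpected}


# Constructed sample: a two-DMA cluster and a Reply URL list with three defects.
CLUSTER_HOSTS = ["dma1.example.com", "dma2.example.com"]
CONFIGURED = (
    sorted(expected_reply_urls(["dma1.example.com"]))
    + [f"https://dma2.example.com{p}" for p in REPLY_PATHS
       if p not in ("/jobs/", "/login/")]
    + ["https://dma2.example.com/login",       # trailing "/" dropped
       "https://staging.example.com/root/"]    # host from a different cluster
)

if __name__ == "__main__":
    for kind, urls in audit_reply_urls(CLUSTER_HOSTS, CONFIGURED).items():
        print(kind, urls)
```
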
