Authenticating with SAML

For ease of use and greater security, you can use any SAML tool that supports SSO to log in to Databand.

The following sections explain how to prepare each supported identity provider (Microsoft Entra ID, Red Hat build of Keycloak, Red Hat Single Sign-On, and Okta) for SAML SSO configuration.

Complete the steps for your identity provider, and then return to the Databand UI to finish configuring SSO.

Authenticating with Microsoft Entra ID

If you use Microsoft Entra ID, you can configure SAML SSO to easily log in to your Databand instance.

To complete the following steps, you must have at least the Cloud Application Administrator role.

First, you must add an enterprise application in Microsoft Entra ID:

  1. Log in to the Microsoft Entra ID admin center.
  2. In the admin center, go to Identity > Applications > Enterprise applications > All applications > New application.
  3. In the Browse Microsoft Entra Gallery panel, search for Microsoft Entra SAML Toolkit.
  4. Provide a name for your application, for example Databand, then click Create.

Next, see the Microsoft documentation to configure SSO with SAML.

After you complete all the steps to prepare your Microsoft Entra ID application, complete the steps to configure SSO in the Databand UI.

Authenticating with Red Hat build of Keycloak

The following sections explain how to prepare your Red Hat build of Keycloak for SSO authentication.

To map a user from Red Hat build of Keycloak, you must first create three client scopes: Email, First name, and Last name.

The following steps explain how to create a client scope for Email.

  1. In your Red Hat build of Keycloak, go to Manage > Client scopes, then click Create client scope.
  2. Enter a Name, such as saml-email, and a Description, for example SAML email.
  3. For the Protocol, choose SAML.
  4. Click Save.
  5. Go to the Mappers tab, click Add mapper, and choose By configuration.
  6. For Mapper type, choose User attribute.
  7. Enter a Name, Friendly name, and SAML attribute name such as Email.
  8. For User attribute, choose Email.
  9. Click Save.

Complete the same steps two more times. The first time, replace all uses of Email with First name. The second time, replace all uses of Email with Last name.

After you have created the three client scopes, create a client in Keycloak.

  1. In Keycloak, go to Manage > Clients > Client details, then click Add Client ID.
  2. Enter a Client ID, Name, and Description, such as databand.
  3. Provide links in the following format. Make sure to replace the databand-host portion with your specific Databand host.
    • Root URL: https://databand-host
    • Home URL: https://databand-host/app/auth/login
    • Valid redirect URI: https://databand-host/*
    • Valid post logout redirect URI: https://databand-host/*
  4. Set the toggles for the following SAML capabilities and Signature and Encryption properties:
    Table 1. SAML capabilities and their necessary settings

    Capability                              Setting
    Force name ID format                    Off
    Force POST binding                      Off
    Force artifact binding                  Off
    Include AuthnStatement                  On
    Include OneTimeUse Condition            Off
    Optimize REDIRECT signing key lookup    Off
    Allow ECP flow                          Off
    Sign documents                          On
    Sign assertions                         On
  5. Set the following properties:
    • Signature algorithm: RSA_SHA256
    • SAML signature key name: CERT_SUBJECT
    • Canonicalization method: EXCLUSIVE
  6. In the Client scopes tab, click Add client scope and add the three client scopes you previously created and the role_list.
  7. Next go to Configure > Realm settings > General. Copy the URL for SAML 2.0 Identity Provider Metadata and proceed to the Databand UI steps. The SAML 2.0 Identity Provider Metadata URL is used as your Metadata URL in the Databand UI.

Authenticating with Red Hat Single Sign-On

The following sections explain how to prepare for SSO authentication with Red Hat Single Sign-On.

To map a user from Red Hat Single Sign-On, you must first create three client scopes: Email, First name, and Last name.

  1. In Red Hat Single Sign-On, go to Manage > Client scopes, then click Create client scope.
  2. Enter a Name and Description such as saml-email.
  3. For the Protocol, choose SAML.
  4. Click Save.
  5. Go to the Mappers tab and click Create.
  6. Enter a Name, such as Email.
  7. For the Mapper type, choose User attribute.
  8. Enter a User attribute, Friendly name, and SAML Attribute name, such as Email.
  9. For the SAML Attribute NameFormat, choose Unspecified.
  10. Click Save.

Complete the same steps two more times. The first time, replace all uses of Email with First name. The second time, replace all uses of Email with Last name.

After you have created the three client scopes, create a client in Keycloak.

  1. In Keycloak, go to Settings and add a client.
  2. Enter a Client ID, Name, and Description, such as databand.
  3. Set the Client Protocol as SAML.
  4. Make sure that the Include AuthnStatement and Sign Documents toggles are both On.
  5. Set the toggles for the following SAML capabilities and Signature and Encryption properties:
    Table 2. SAML capabilities and their necessary settings

    Capability                    Setting
    Sign assertions               On
    Encrypt Assertions            Off
    Client Signature Required     Off
    Force POST Binding            Off
    Front Channel Logout          On
    Force Name ID Format          Off
    Allow ECP Flow                Off
  6. Set the following properties:
    • Signature algorithm: RSA_SHA256
    • SAML signature key name: CERT_SUBJECT
    • Canonicalization method: EXCLUSIVE
    • Name ID Format: Email
  7. Provide links in the following format. Make sure to replace the databand-host portion with your specific Databand host.

    • Root URL: https://databand-host
    • Base URL: https://databand-host/app/auth/login
    • Master SAML Processing URL: https://databand-host/service/sso/auth/keycloak
    • Valid redirect URI: https://databand-host/*
  8. In the Client scopes tab, click Add client scope and add the three client scopes you previously created and the role_list.
  9. Next go to Configure > Realm settings > General. Copy the URL for SAML 2.0 Identity Provider Metadata and proceed to the Databand UI steps. The SAML 2.0 Identity Provider Metadata URL is used as your Metadata URL in the Databand UI.
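Both the Keycloak and the Red Hat Single Sign-On procedures end with copying the SAML 2.0 Identity Provider Metadata URL into the Databand UI. Before you do that, it is worth confirming that the document behind that URL actually contains what a service provider needs: the entityID, an HTTP-POST or HTTP-Redirect single sign-on endpoint served over https, and a signing certificate (required because Sign documents and Sign assertions are On, so Databand must be able to verify those signatures). The script below is an added example, not Databand, Keycloak or Red Hat code. It runs against a constructed metadata document shaped like the one Keycloak serves; the host keycloak.example.com, the realm name databand and the certificate body are assumptions, and the same checks apply to a real document passed as the first argument.

```python
"""Parse and sanity-check SAML 2.0 identity provider metadata.

Added example, not Databand, Keycloak or Red Hat code. The metadata below is
constructed; keycloak.example.com, the realm name "databand" and the
certificate placeholder are assumptions.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; the X509Certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/databand">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>constructed-key-name</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/databand/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/databand/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/databand/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields a service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    def endpoints(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text:
                    signing_certs.append("".join(cert.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": signing_certs,
    }


def check_idp_metadata(meta: dict) -> list:
    """Return a list of problems; an empty list means the metadata is usable."""
    findings = []
    if not meta["entity_id"]:
        findings.append("entityID is missing")
    if not (meta["sso"].get(BINDING_POST) or meta["sso"].get(BINDING_REDIRECT)):
        findings.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    for kind in ("sso", "slo"):
        for binding, location in meta[kind].items():
            if urlparse(location or "").scheme != "https":
                findings.append(f"{kind} endpoint for {binding} is not https: {location}")
    # Sign documents / Sign assertions are On at the IdP, so the SP needs a
    # signing certificate to verify them against.
    if not meta["signing_certs"]:
        findings.append("no signing certificate: signed responses and assertions cannot be verified")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    meta = parse_idp_metadata(text)
    print("entityID:", meta["entity_id"])
    for binding, location in meta["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], location)
    for problem in check_idp_metadata(meta) or ["OK"]:
        print("-", problem)
```

Run it with no arguments to see the constructed sample pass, or with a path to the metadata you downloaded from the Realm settings page; any finding it prints should be resolved in Keycloak before the URL goes into the Databand UI.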

Now, complete the steps to configure SSO in the Databand UI.

Authenticating with Okta for SAML SSO

To use Okta as your SAML SSO authentication provider, you must provide the following information in Okta:

Entity ID
    Set the Audience Restriction to Identity Provider Issuer. Both Audience and Issuer are defined in DBND__AB_AUTH__SAML_ENTITYID.

Attribute mappings
    • firstName
    • lastName
    • email
    • username

SSO and other URLs
    Provide URLs in the following format: https://databand-host/saml/sso/saml-provider-name. For example, https://companyname/saml/sso/okta.
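The Okta settings above (Audience restricted to the entity ID in DBND__AB_AUTH__SAML_ENTITYID, plus the firstName, lastName, email and username attribute mappings) and the Keycloak client toggles earlier on this page (Include AuthnStatement On, Sign assertions On, and the Email, First name and Last name client scopes) all describe what Databand should find inside the assertion the identity provider sends. The script below, an added example that is not Databand, Okta or Keycloak code, checks a constructed assertion against exactly those expectations: the Audience must equal the entity ID, a Signature and an AuthnStatement must be present, the validity window must cover the current time, and every mapped attribute must be present and non-empty. The issuer, audience, attribute values and Signature element are constructed stand-ins, and EXPECTED_AUDIENCE is an assumed value for DBND__AB_AUTH__SAML_ENTITYID. It checks structure only; a real service provider must additionally verify the XML signature against the identity provider's certificate, which this example does not do.

```python
"""Check a SAML assertion against the service-provider expectations on this page.

Added example, not Databand, Okta or Keycloak code. The assertion below is
constructed, and EXPECTED_AUDIENCE is an assumed stand-in for the value of
DBND__AB_AUTH__SAML_ENTITYID. Structural checks only: the XML signature is
not cryptographically verified here.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
OKTA_ATTRIBUTES = ("firstName", "lastName", "email", "username")  # Okta attribute mappings
KEYCLOAK_ATTRIBUTES = ("Email", "First name", "Last name")       # Keycloak client scopes

# Assumed value of DBND__AB_AUTH__SAML_ENTITYID for this example.
EXPECTED_AUDIENCE = "https://databand.example.com"

# Constructed sample assertion; the Signature element is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed-issuer</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://databand.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_constructed-session">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(xml_text: str) -> dict:
    """Map each SAML attribute name to its list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(xml_text: str, expected_audience: str, required_attrs, now: datetime) -> list:
    """Return the violated expectations; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["root element is not a saml:Assertion"]
    findings = []
    # Sign assertions is On at the IdP, so an unsigned assertion must be rejected.
    if root.find("ds:Signature", NS) is None:
        findings.append("assertion carries no Signature element")
    # Include AuthnStatement is On; without it there is no record of how the user authenticated.
    if root.find("saml:AuthnStatement", NS) is None:
        findings.append("assertion carries no AuthnStatement")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("assertion carries no Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_ts(not_before):
            findings.append("assertion is not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_ts(not_on_or_after):
            findings.append("assertion has expired (NotOnOrAfter)")
        # The Audience must be exactly the SP entity ID (DBND__AB_AUTH__SAML_ENTITYID).
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"Audience {audiences} does not match entity ID {expected_audience}")
    attrs = extract_attributes(xml_text)
    for name in required_attrs:
        if not any(attrs.get(name, [])):
            findings.append(f"required attribute {name!r} is missing or empty")
    return findings


if __name__ == "__main__":
    # Fixed "now" inside the sample's validity window so the stand-alone run passes.
    now = parse_ts("2024-05-01T12:00:00Z")
    for problem in check_assertion(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, OKTA_ATTRIBUTES, now) or ["OK"]:
        print("-", problem)
    print(extract_attributes(SAMPLE_ASSERTION))
```

Running it with KEYCLOAK_ATTRIBUTES instead of OKTA_ATTRIBUTES against the same sample reports three missing attributes, which is the symptom you would see if the client scopes were created with different SAML attribute names than the ones the service provider maps.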

Now, complete the steps to configure SSO in the Databand UI.

For more information about configuring Okta with SAML, see the Okta documentation.