Required Permission: Settings management (Read more about permissions in User Groups)

Graphlytic supports Single sign-on integration with external Identity Providers (IdP) using the SAML2 protocol.

1. How it works

When the SAML2 integration is enabled, the Login page includes an SSO login option (the title of the button is configurable).

After clicking on the "External SSO" option, the user is redirected to the login page of the Identity Provider.

After a successful login on the Identity Provider side and the redirect back to the Graphlytic application, the user is logged into the application. There are two possible scenarios:

  1. The user already exists in Graphlytic: the user is logged into the application and their user group mappings are updated according to the information received from the IdP and the mapping defined in the SAML2 integration configuration.

  2. The user does not exist in Graphlytic yet: the user is created (if the licensed number of users has not been reached yet) and their user group mappings are updated according to the information received from the IdP and the mapping defined in the SAML2 integration configuration. To log in correctly, a user has to be assigned to at least one User Group based on the group (LDAP) mapping. If you want to make sure that the user can always log in, fill in the "Fallback group", which is assigned to users that end up with no group during the identity provisioning process.

2. Configuration

2.1. Identity Provider connection configuration

To update SSO settings use the Single Sign-On panel on the Settings page.

Single Sign-On enabled
    Description: Switch for turning the Single Sign-On functionality on/off.

Login Label
    Example value: Sign in with SSO
    Description: Title of the Login page button. If missing, the Name of the IdP is used instead.

Verifying certificate
    Example value:
        -----BEGIN CERTIFICATE-----
        MIIDBTCCAe2gAwIBAgIQH4Fl...
        -----END CERTIFICATE-----
    Description: IdP certificate for IdP signing verification. This certificate is used to verify that the response is correct and that it was sent from the contacted IdP.

Decryption certificate
    Example value:
        -----BEGIN CERTIFICATE-----
        MIIDBTCCAe2gAwIBAgIQH4FI...
        -----END CERTIFICATE-----
    Description: IdP certificate for decryption. Can be empty if communication with the IdP is not encrypted. If defined, this certificate is used to decrypt messages from the IdP.

IdP entity ID
    Example value: active_directory_id
    Description: The IdP entity identifier (Asserting Party Entity Id).

Graphlytic entity ID
    Example value: graphlytic_idp_id
    Description: The local application (Graphlytic) ID for IdP communication. Has to be created in the IdP configuration.

SSO Redirect URL
    Example value: https://idp_url_for_login.com/sso
    Description: Login redirect URL. The user is redirected to this location during the login workflow.

Assertion Consumer URL
    Example value: https://domain.com/login/saml2/sso/idpid
    Description: Assertion URL to which the successfully logged-in user is redirected back from the IdP. If not defined, a default value is used (this value is sent in the IdP request and some IdPs automatically read and use it).

Manage groups in IdP
    Description: If turned on, Graphlytic updates user groups based on the IdP assertion claim on every log-in.

Group claim
    Example value: claims/role
    Description: The claim name in the returned XML under which the user group mappings are returned.

Fallback group
    Example value: read-only-group-name
    Description: Used only when "Manage groups in IdP" is turned on. Name of a Graphlytic user group that is used if no mapping was successful. If the Fallback group is not configured or the group does not exist in Graphlytic, such a user (with no valid user groups) is not created in Graphlytic (to minimize license consumption).

Default group
    Example value: read-only-group-name
    Description: Used only when "Manage groups in IdP" is turned off. It is the name of a Graphlytic user group that is assigned to every user created based on a successful SSO log-in.

2.2. User groups mapping

Mapping of the LDAP groups stored in the Identity Provider to Graphlytic groups is done in the User Groups management. Every Graphlytic user group can have multiple LDAP groups assigned to it; these are used to map the user to the Graphlytic groups during the user's login process.
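The group-assignment rules from section 1 and the "Manage groups in IdP", "Fallback group" and "Default group" settings in section 2.1, together with the per-group LDAP mapping from section 2.2, worked through in code. This is an added illustration, not Graphlytic's implementation: the function name, data shapes and sample LDAP group names are assumptions; only the rules come from the text above.

```python
from typing import Iterable, Optional, Set, Tuple

# Section 2.2: each Graphlytic user group lists the IdP (LDAP) groups mapped to it.
# Constructed sample mapping; the group names are not from the documentation.
GROUP_MAPPING = {
    "analysts": {"cn=graph-analysts,ou=groups,dc=example,dc=com"},
    "admins": {"cn=graph-admins,ou=groups,dc=example,dc=com"},
    "read-only-group-name": set(),  # used as fallback/default group, no IdP mapping
}


class SsoSettings:
    """The three group-related fields of the Single Sign-On panel (section 2.1)."""

    def __init__(self, manage_groups_in_idp: bool,
                 fallback_group: Optional[str] = None,   # honoured only when managing groups
                 default_group: Optional[str] = None):   # honoured only when not managing groups
        self.manage_groups_in_idp = manage_groups_in_idp
        self.fallback_group = fallback_group
        self.default_group = default_group


def resolve_login(claim_values: Iterable[str], settings: SsoSettings,
                  existing_groups: Set[str],
                  current_groups: Optional[Set[str]] = None) -> Tuple[bool, Set[str]]:
    """Decide whether an SSO login succeeds and which groups the user ends up in.

    claim_values    values of the configured group claim in the SAML assertion
    existing_groups names of user groups that exist in Graphlytic
    current_groups  the user's current groups, or None if the user does not exist yet
    Returns (allowed, groups). allowed=False means the user is not logged in and,
    for a new user, not created (no licence consumed).
    """
    claims = set(claim_values)
    if not settings.manage_groups_in_idp:
        # Groups are not managed from the IdP: existing users keep their groups,
        # new users get the Default group (if it exists).
        if current_groups is not None:
            return True, set(current_groups)
        if settings.default_group in existing_groups:
            return True, {settings.default_group}
        return False, set()
    # Groups are managed from the IdP: recompute the mapping on every login.
    mapped = {gl for gl, ldap in GROUP_MAPPING.items() if ldap & claims}
    if mapped:
        return True, mapped
    if settings.fallback_group and settings.fallback_group in existing_groups:
        return True, {settings.fallback_group}
    # No mapping matched and no usable Fallback group: at least one group is required.
    return False, set()
```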

2.3. Default Configuration

The default configuration can be overridden in the graphlytic.conf file (the application needs to be restarted after any change to this file).

More information can be found on the Configuration page.

3. Example configuration of Azure Active Directory

Azure Active Directory can be used as an SSO provider for Graphlytic.

We assume that the tenant, app registration, user, and group have already been created by following the Microsoft manual.

Verifying Certificate
    Example value:
        -----BEGIN CERTIFICATE-----
        MIIDBTCCAe2gAwIBAgIQH4FlYAM+UJlF0G3vy9ZrhTANBgkq...
        -----END CERTIFICATE-----
    Description: Depending on your infrastructure, you may need to set the certificate used to verify the SAML assertion. See chapter "3.1. VERIFYING CERTIFICATE" for more information.

Decryption certificate
    Description: Not needed for Azure Entra ID (unless specifically configured); leave empty.

IdP entity ID
    Example value: https://sts.windows.net/87654321-4321-4321-4321-3d7hh723f7/
    Description: Should be in the form "https://sts.windows.net/{TENANT_ID}/". In our example {TENANT_ID} is 87654321-4321-4321-4321-3d7hh723f7. Do not forget the slash "/" at the end of the IdP entity ID string. See chapter "3.2. TENANT ID" for more information.

Graphlytic entity ID
    Example value: spn:12345678-1234-1234-1234-971777321736
    Description: Should be in the form "spn:{Application_ID}"; in our example {Application_ID} is 12345678-1234-1234-1234-971777321736. See chapter "3.3. APPLICATION ID" for more information.

SSO Redirect URL
    Example value: https://login.microsoftonline.com/87654321-4321-4321-4321-3d59c8323023/saml2
    Description: The SAML-P sign-on endpoint. See chapter "3.4. SAML-P" for more information.

Assertion Consumer URL
    Example value: https://my-domain.com/login/saml2/sso/idpid
    Description: The URL must end with /login/saml2/sso/idpid. This value is set in Azure Active Directory → App Registration → Redirect URIs. See chapter "3.5. REDIRECT URLS" for more information.

Group Claim
    Example value: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
    Description: For Azure Entra ID it is usually one of these:

3.1. VERIFYING CERTIFICATE

The verifying certificate is part of the "Federation metadata document", which can be downloaded using the link in the Endpoints panel (see picture below).

In the metadata XML file the certificate is located under: EntityDescriptor → Signature → KeyInfo → X509Data → X509Certificate

Use the whole text, beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
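The extraction step above in code: an added example, not Graphlytic's or Microsoft's tooling. It walks the element path given in this chapter, checks that the value is valid base64 holding a DER structure, and wraps it in the BEGIN/END CERTIFICATE lines the "Verifying certificate" field expects (the X509Certificate element itself holds only the bare base64 body). The metadata document and its certificate bytes are constructed for the example and are not a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Standard SAML metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_verifying_certificate(metadata_xml: str) -> str:
    """Return the certificate under EntityDescriptor/Signature/KeyInfo/X509Data as PEM."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate under EntityDescriptor/Signature")
    body = "".join(node.text.split())  # metadata files often line-wrap the base64
    der = base64.b64decode(body, validate=True)
    if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("X509Certificate content is not a DER certificate")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----")


# Constructed sample: a minimal document shaped like a federation metadata file.
# DUMMY_DER is a 16-byte SEQUENCE placeholder, not a real certificate.
DUMMY_DER = b"\x30\x10" + b"graphlytic-demo!"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/><SignatureValue/>
    <KeyInfo><X509Data><X509Certificate>
      %s
    </X509Certificate></X509Data></KeyInfo>
  </Signature>
</EntityDescriptor>""" % base64.b64encode(DUMMY_DER).decode()

if __name__ == "__main__":
    print(extract_verifying_certificate(SAMPLE_METADATA))
```

Paste the printed PEM, including both marker lines, into the "Verifying certificate" field.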

3.2. TENANT ID 

3.3. APPLICATION ID 

3.4. SAML-P

3.5. REDIRECT URLS