Profile required: Superuser
Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between an identity provider (IdP, on the client side) and a service provider (SP, here Borealis). It makes it possible to log users into an application based on a session they already hold in another context (your federation login). With SAML, the client manages all aspects of authentication, including usernames, passwords and password strength.
Activate SAML for your organization
- In the navigation menu, go to Users > Authentication settings.
- In the record menu, select SAML > Connection configuration. If you do not see the SAML section, contact our Help desk.
- Click on the Edit icon that appears on the upper-right.
- Check the SAML enabled box. Upload your identity provider certificate (.cer file) and enter the Entry point (SingleSignOnService URL) from your identity provider.
NOTE: This will switch all the current users to SAML as soon as you save.
- Validate the additional options available:
  - Allow creation of non-SAML users: Check this box only if there will be users, like contractors, who will need to log in to Borealis with a Borealis login instead of going through SAML.
  - Enable SP-initiated single logout: Service provider initiated single logout (SLO) allows Borealis to send a logout request to the identity provider when a user logs out of Borealis. If you want to enable SP-initiated single logout, check the box and enter the identity provider Single logout URL.
- Click on Save.
- If you need the service provider certificate, click on the Actions button, then on Download service_provider.cer. You will need to upload this to your identity provider.
- Copy this information to your identity provider:
  - Issuer (Entity ID)
  - SAML login URL
  - SAML logout URL
Alternatively, click on the Actions button to download the service_provider.xml file and upload it to your identity provider.
This section allows you to configure an authentication context. If you need to set up a specific authentication context, uncheck the box and confirm that the value in the Authentication context (Authn context) field is the right one. At the moment, the only signature algorithm supported is sha256.
The User configuration section is filled automatically with the claims that Borealis expects for the UserID, Firstname, Lastname and Email. You can change them if they do not match the attribute names your identity provider sends.
By default, the Auto Create User option is activated. This means that when a user connects to Borealis for the first time, their user account is created automatically. They will not have access to any data, however, so they still need to be assigned to profiles and projects.
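The three settings above (signature algorithm, authentication context and claim mapping) plus the uploaded identity provider certificate are exactly what goes wrong in the troubleshooting cases further down. The following script is an added example, not part of this article or of Borealis: it reads a SAML Response captured from the browser (for instance with the SAML-tracer extension) and reports which of those settings disagree with what the identity provider actually sent. The claim URIs, the authentication context value and the SAML Response itself are constructed for the example; Borealis's real default claim names are shown in the User configuration section of your organization. The script does not verify the XML signature cryptographically, it only checks that the configuration is consistent with the assertion.

```python
"""Compare a captured SAML Response with the SAML settings configured in the SP.

Added example; stdlib only. Sample data below is constructed, not a real IdP response.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Claim mapping as it might be entered in the User configuration section.
# Assumed values for the example; copy the real ones from your organization.
CLAIM_MAP = {
    "UserID": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Firstname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Lastname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
# Assumed Authn context value for the example.
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed certificate bytes; the .cer you upload is this in PEM armour.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed certificate bytes").decode()
UPLOADED_CER = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_CERT_B64}\n-----END CERTIFICATE-----\n"

# Constructed SAML Response; SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{EXPECTED_AUTHN_CONTEXT}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_MAP['UserID']}"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_MAP['Firstname']}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_MAP['Lastname']}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_MAP['Email']}"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response, but the IdP sends the e-mail under a different attribute name.
# This is the "user created but has access to nothing" situation.
SAMPLE_RESPONSE_MAIL_CLAIM = SAMPLE_RESPONSE.replace(CLAIM_MAP["Email"], "mail")


def pem_to_b64(pem: str) -> str:
    """Strip PEM armour and whitespace so the .cer body can be compared with ds:X509Certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())


def attributes(assertion) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_response(xml_text, uploaded_cer, claim_map, expected_authn_context):
    """Return a list of configuration mismatches; an empty list means everything lines up."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion found in the response"]

    # 1. Only sha256 is supported on the SP side.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else "missing"
    if algorithm != RSA_SHA256:
        problems.append(f"signature algorithm is {algorithm}; expected rsa-sha256")

    # 2. The certificate the IdP signs with must be the .cer that was uploaded.
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sent = "".join((cert.text or "").split()) if cert is not None else ""
    if sent != pem_to_b64(uploaded_cer):
        problems.append("signing certificate in the assertion does not match the uploaded .cer")

    # 3. The Authn context must be the one configured.
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    got = ctx.text.strip() if ctx is not None and ctx.text else None
    if got != expected_authn_context:
        problems.append(f"authn context is {got}; expected {expected_authn_context}")

    # 4. Every configured claim must arrive with a non-empty value.
    attrs = attributes(assertion)
    for field, claim in claim_map.items():
        if not any(v.strip() for v in attrs.get(claim, [])):
            problems.append(f"{field}: claim {claim} missing; attributes received: {sorted(attrs)}")
    return problems


if __name__ == "__main__":
    for name, xml in (("good", SAMPLE_RESPONSE), ("wrong email claim", SAMPLE_RESPONSE_MAIL_CLAIM)):
        print(name, "->", check_response(xml, UPLOADED_CER, CLAIM_MAP, EXPECTED_AUTHN_CONTEXT) or "OK")
```

Run it against the response your identity provider really sends: a reported claim mismatch tells you which line of the User configuration section to change, and a certificate mismatch points at the .cer you uploaded in the Connection configuration step.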
Testing your SAML setup
Keep your session open and use a new browser or an incognito/private window to log in to Borealis. You should be redirected to your federation login page and then back to Borealis with your normal access.
What to do?
I am not redirected to my federation login page.
Check that the SAML enabled option is activated and that the Entry point is right.
I am sent to Borealis but I do not have access to anything.
This means a new user has been created. Check the User configuration section to confirm that the claims are set up properly. You should then delete or deactivate the new user that was created and test again.
After logging in with my federation, I get this error: "SAML authentication has failed, please contact Borealis support"
- Check that the identity provider certificate uploaded is the correct one.
- Check in your identity provider that the user has been granted access to Borealis.
If you cannot make it work, uncheck the SAML enabled option and save. This will revert all the users to a normal login and their old password will work.
If you are stuck or need more information, do not hesitate to contact us at email@example.com.