Dataedo Web SAML configuration with Keycloak

Marcin Gaweł - Dataedo Team, 25th April, 2023
Applies to: Dataedo 10.x versions, Article available also for: 24.x (current), 23.x

Disclaimer: Currently Keycloak SAML works only with the Client Signature Required option disabled. We plan to add support for this option in the next release.

This guide will show how to configure Dataedo to work with a SAML identity provider. For this article, we'll be using Keycloak as the IdP, but similar steps can be taken for other providers too.

Initial configuration in Keycloak Admin Console (SAML provider)

Open your Keycloak Admin Console, choose the realm you want to use, and select the Clients tab.

Click on Create to add a new client.

In the new window enter your client ID (it's up to you what you call it, but don't use spaces or special characters), change Client Protocol to saml and click Save.

On the next screen disable the Client Signature Required option.

Scroll down to the Fine Grain SAML Endpoint Configuration section and, in Assertion Consumer Service POST Binding URL, enter the address your Dataedo Web will be accessed on, followed by /api/api/auth/assertion-consumer (for example https://YourDataedoURL.com/api/api/auth/assertion-consumer).

Configuring SAML in Dataedo Web settings file

Find the installation path of Dataedo Web (the default path is C:\Dataedo Web), then go to the Applications\API\ subfolder.

Right click and edit the appsettings.json file, and find the Saml2 section:

  "Saml2": {
    "IdPMetadata": "",
    "Issuer": "",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },

In the IdPMetadata field paste the link to your realm metadata file. The link can be found in the Admin Console under Realm Settings: click on SAML 2.0 Identity Provider Metadata and copy the URL. Alternatively, the IdP metadata can be downloaded directly from the descriptor URL: https://KeycloakServerURL.com/auth/realms//protocol/saml/descriptor

In the Issuer field, paste the identifier you specified earlier as the client ID in Keycloak (you can check it in the Admin Console by clicking on the Clients tab).

If you don't use the default RSA_SHA256 algorithm, correct the signature algorithm accordingly; for example, for RSA_SHA1 the field should have the value http://www.w3.org/2001/04/xmldsig-more#rsa-sha1.

Find the Saml2Client section:

  "Saml2Client": {
    "DisplayName": "",
    "ClientUrl": "https://YourDataedoURL.com"
  },

Fill the DisplayName field – this will be the name shown when logging in to Dataedo for the Identity Provider.

Make sure the ClientUrl field correctly leads to your Dataedo Web address.

After changes, the edited parts should look like this:

  "Saml2": {
    "IdPMetadata": "https://KeycloakServerURL.com:/realms/test/protocol/saml/descriptor",
    "Issuer": "DataedoSSO",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "Saml2Client": {
    "DisplayName": "Keycloak SAML",
    "ClientUrl": "https://127.0.0.1:4435"
  },
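
Before restarting the app it is worth checking that the two edited sections and the IdP metadata agree with each other, since a mismatched Issuer, a non-https ClientUrl or metadata without a signing certificate all fail only at login time. The script below is an added example, not Dataedo's or Keycloak's own code: it parses a constructed, minimal IdP EntityDescriptor of the kind the realm descriptor URL returns, checks a constructed appsettings.json fragment in the shape shown above, reports hard errors separately from informational notes (for instance that RevocationMode NoCheck skips revocation checking of the IdP signing certificate), and derives the Assertion Consumer Service URL that must be entered in Keycloak from ClientUrl. The sample values, the hostnames and the certificate placeholder are assumptions; the /api/api/auth/assertion-consumer path is the one from this guide.

```python
"""Consistency check for the Dataedo Web Saml2 / Saml2Client settings (added example)."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_PATH = "/api/api/auth/assertion-consumer"  # path from the guide
KNOWN_SIG_ALGS = {  # the two xmldsig URIs named in the guide
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha1",
}

# Constructed appsettings.json fragment, same shape as the guide's example.
APPSETTINGS = json.loads("""{
  "Saml2": {
    "IdPMetadata": "https://KeycloakServerURL.com/realms/test/protocol/saml/descriptor",
    "Issuer": "DataedoSSO",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "Saml2Client": {
    "DisplayName": "Keycloak SAML",
    "ClientUrl": "https://127.0.0.1:4435"
  }
}""")

# Constructed, minimal IdP descriptor; the certificate value is a placeholder, not a real cert.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://KeycloakServerURL.com/realms/test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://KeycloakServerURL.com/realms/test/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    certs = [c.text.strip() for c in
             root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS) if c.text]
    sso = {e.get("Binding"): e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def expected_acs_url(client_url):
    """The value to enter as Assertion Consumer Service POST Binding URL in Keycloak."""
    return client_url.rstrip("/") + ACS_PATH


def check_settings(settings, idp):
    """Return (errors, notes): errors block login, notes are informational."""
    errors, notes = [], []
    saml2, client = settings["Saml2"], settings["Saml2Client"]
    md_url = urlparse(saml2.get("IdPMetadata", ""))
    if md_url.scheme != "https" or not md_url.netloc:
        errors.append("IdPMetadata must be an https URL to the realm descriptor")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", saml2.get("Issuer", "")):
        errors.append("Issuer must be the Keycloak client ID: non-empty, no spaces or special characters")
    sig = saml2.get("SignatureAlgorithm", "")
    if sig not in KNOWN_SIG_ALGS:
        errors.append("SignatureAlgorithm is not one of the xmldsig URIs named in the guide")
    elif sig.endswith("rsa-sha1"):
        notes.append("rsa-sha1 in use; prefer rsa-sha256 unless the IdP requires SHA-1")
    if saml2.get("RevocationMode") == "NoCheck":
        notes.append("RevocationMode=NoCheck: revocation of the IdP signing certificate is not checked")
    client_url = urlparse(client.get("ClientUrl", ""))
    if client_url.scheme != "https" or not client_url.netloc:
        errors.append("ClientUrl must be the https address of Dataedo Web")
    if not client.get("DisplayName"):
        errors.append("DisplayName is empty; the login option would have no label")
    if not idp["signing_certs"]:
        errors.append("IdP metadata carries no signing certificate; responses cannot be validated")
    if POST_BINDING not in idp["sso"]:
        errors.append("IdP metadata has no HTTP-POST SingleSignOnService binding")
    entity_host = urlparse(idp["entity_id"] or "").hostname
    if entity_host and md_url.hostname and entity_host != md_url.hostname:
        notes.append(f"entityID host {entity_host} differs from IdPMetadata host {md_url.hostname}")
    return errors, notes


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    errors, notes = check_settings(APPSETTINGS, idp)
    print("ACS URL for Keycloak:", expected_acs_url(APPSETTINGS["Saml2Client"]["ClientUrl"]))
    print("errors:", errors)
    print("notes:", notes)
```

To run it against a live deployment, replace APPSETTINGS with the contents of appsettings.json and IDP_METADATA with the XML downloaded from the descriptor URL; the entityID host comparison is a heuristic for spotting a metadata URL copied from the wrong Keycloak server, not a protocol requirement.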

Go to IIS Manager, and restart the Dataedo Web app for changes to take effect.

The next time you open Dataedo Web, you should have an option to log in with Keycloak SAML:


Clicking it will either take you to the Keycloak login page or if you’re already logged in, directly to your Dataedo Web page.