Authenticating Dataedo Portal with Duo (with SAML)

Applies to: Dataedo 24.x (current) versions, Article available also for: 10.x, 23.x

This guide will show how to configure Dataedo to work with a SAML identity provider. For this article, we'll be using Duo as the IdP, but similar steps can be taken for other providers too.

Initial configuration in Duo Admin Portal (SAML provider)

Open Duo Admin Portal and go to Enterprise Applications. Choose the Applications option, and click the Protect an Application button: Image title

On the new page, type in "generic saml" in the filter box, then press the Protect button in the Generic SAML Service Provider line: Image title

You should see a new page now: Image title

Scroll to the Service provider section. Type in a unique string (this can be e.g. the address of your Dataedo Portal) in the Entity ID field - you will need this value later.

In the Assertion Consumer Service (ACS) URL field type in the address your Dataedo Portal will be accessed on followed by /api/api/auth/assertion-consumer (for example https://your-Dataedo-Web.address/api/api/auth/assertion-consumer). Image title

In the Settings section, specify the name displayed for the users in Duo during login: Image title

Configure user access as usual, then click Save at the bottom of the page. Image title

Scroll back to the top of the page, then copy the adress marked as Metadata Url from the Metadata section - you will need it later.

Configuring SAML in Dataedo Portal settings file

Follow this section for Dataedo installed on a Windows machine.

Find the installation path of Dataedo Portal (default address is: *C:\Dataedo Web*), then go to Applications\API\ subfolder.

Right click and edit the appsettings.json file, and find the Saml2 section:

  "Saml2": {
    "IdPMetadata": "",
    "Issuer": "",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },

Paste the Metadata Url link in the IdPMetadata field (alternatively, paste in the path for the metadata xml file).

In the Issuer field, paste the address specified before in the Entity ID field field in Duo (you can check it in Service Provider > Identifier field in the application details in Duo Admin portal).

For the SignatureAlgorithm field paste in "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256". If using a different signature algorithm, paste its link instead - for example, for RSA_SHA1 the field should have the http://www.w3.org/2001/04/xmldsig-more#rsa-sha1 value.

Find the Saml2Client section:

  "Saml2Client": {
    "DisplayName": "",
    "ClientUrl": "http://192.168.0.21:80"
  },

Fill the DisplayName field – this will be the name shown when logging in to Dataedo for the Identity Provider.

Make sure the ClientUrl field correctly leads to your Dataedo Web address.

After changes, the edited parts should look like this:

  "Saml2": {
    "IdPMetadata": "https://sso-a06d2d5e.sso.duosecurity.com/saml2/sp/DI7SDPCIHNSN9MOYP7QK/metadata",
    "Issuer": "Dataedo_PT_VM",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "Saml2Client": {
    "DisplayName": "Duo Security",
    "ClientUrl": "https://127.0.0.1:443"
  },

Go to IIS Manager, and restart the Dataedo Web app for changes to take effect.

The next time you open Dataedo Web, you should have an option to login with Duo Security:

Image title

Clicking it will either take you to the Duo login page and then to your Dataedo Web page.

Configuring SAML in Dataedo Web Docker image

Follow this section for Web Catalog running from a Docker image.

Open .env file that should be located in same folder as docker-compose.yml file, find Single Sign On section:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA=
    DATAEDO_SSO_ISSUER=
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME=
    DATAEDO_SSO_CLIENT_URL=

Paste the Metadata Url link in the DATAEDO_SSO_IDP_METADATA field (alternatively, paste in the path for the metadata xml file).

In the DATAEDO_SSO_ISSUER field, paste the address specified before in the Entity ID field field in Duo (you can check it in Service Provider > Identifier field in the application details in Duo Admin portal).

For the SignatureAlgorithm field paste in "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256". If using a different signature algorithm, paste its link instead - for example, for RSA_SHA1 the field should have the http://www.w3.org/2001/04/xmldsig-more#rsa-sha1 value.

Fill the DATAEDO_SSO_DISPLAY_NAME field – this will be the name shown when logging in to Dataedo for the Identity Provider. The DisplayName value cannot contain blank spaces (you can use underscore _ instead).

Make sure the DATAEDO_SSO_CLIENT_URL field correctly leads to your Dataedo Web address.

After changes, the edited parts should look like this:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA="https://sso-a06d2d5e.sso.duosecurity.com/saml2/sp/DI7SDPCIHNSN9MOYP7QK/metadata"
    DATAEDO_SSO_ISSUER="Dataedo_PT_VM"
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME="Duo_Security"
    DATAEDO_SSO_CLIENT_URL="https://yourwebiste.com/"

Update your Docker Compose with:

docker-compose up -d

The next time you open Dataedo Web, you should have an option to login with Duo Security:

Image title

Clicking it will either take you to the Duo login page and then to your Dataedo Web page.