Authenticating Dataedo Portal with Keycloak (with SAML)

Applies to: Dataedo 24.x (current) versions. Article also available for: 10.x, 23.x

Disclaimer: Currently, Keycloak SAML works only with the Client Signature Required option disabled. We plan to add support for this option in the next release.

This guide will show how to configure Dataedo to work with a SAML identity provider. For this article, we'll be using Keycloak as the IdP, but similar steps can be taken for other providers too.

Initial configuration in Keycloak Admin Console (SAML provider)

Open your Keycloak Admin Console, choose the realm you want to use, and select the Clients tab.

Click Create to add a new client.

In the new window, enter your client ID (the name is up to you, but don't use spaces or special characters), change Client Protocol to saml, and click Save.

On the next screen, disable the Client Signature Required option.

Scroll down to the Fine Grain SAML Endpoint Configuration section and, in the Assertion Consumer Service POST Binding URL field, enter the address at which your Dataedo Portal will be accessed, followed by /api/api/auth/assertion-consumer (for example https://YourDataedoURL.com/api/api/auth/assertion-consumer).

Configuring SAML in Dataedo Portal settings file

Follow this section for Dataedo installed on a Windows machine.

Find the installation path of Dataedo Portal (the default is C:\Dataedo Web), then go to the Applications\API\ subfolder.

Right-click the appsettings.json file, edit it, and find the Saml2 section:

  "Saml2": {
    "IdPMetadata": "",
    "Issuer": "",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },

In the IdPMetadata field, paste the link to your realm metadata file. The link can be found in the Admin portal, in the Realm Settings section: click SAML 2.0 Identity Provider Metadata and copy the URL. Alternatively, the IdP metadata can be downloaded directly from the descriptor URL: https://KeycloakServerURL.com/auth/realms//protocol/saml/descriptor

In the Issuer field, paste the value specified earlier in the Identifier field in Keycloak (you can check it in the Admin Portal by clicking the Clients tab).

If you don't use the default RSA_SHA256 algorithm, correct the signature algorithm. For example, for RSA_SHA1 the field should have the value http://www.w3.org/2001/04/xmldsig-more#rsa-sha1.

Find the Saml2Client section:

  "Saml2Client": {
    "DisplayName": "",
    "ClientUrl": "https://YourDataedoURL.com"
  },

Fill in the DisplayName field; this is the name shown for the Identity Provider when logging in to Dataedo.

Make sure the ClientUrl field correctly leads to your Dataedo Portal address.

After changes, the edited parts should look like this:

  "Saml2": {
    "IdPMetadata": "https://KeycloakServerURL.com:/realms/master/protocol/saml/descriptor",
    "Issuer": "DataedoSSO",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "Saml2Client": {
    "DisplayName": "Keycloak SAML",
    "ClientUrl": "https://127.0.0.1:4435"
  },

Go to IIS Manager and restart the Dataedo Portal app for the changes to take effect.

The next time you open Dataedo Portal, you should have an option to log in with Keycloak SAML.

Clicking it takes you either to the Keycloak login page or, if you're already logged in, directly to your Dataedo Portal page.

Configuring SAML in Dataedo Portal Docker image

Follow this section for Dataedo Portal running from a Docker image.

Open the .env file, which should be located in the same folder as the docker-compose.yml file, and find the Single Sign On section:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA=
    DATAEDO_SSO_ISSUER=
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME=
    DATAEDO_SSO_CLIENT_URL=

In the DATAEDO_SSO_IDP_METADATA field, paste the link to your realm metadata file. The link can be found in the Admin portal, in the Realm Settings section: click SAML 2.0 Identity Provider Metadata and copy the URL. Alternatively, the IdP metadata can be downloaded directly from the descriptor URL: https://KeycloakServerURL.com/auth/realms//protocol/saml/descriptor

In the DATAEDO_SSO_ISSUER field, paste the value specified earlier in the Identifier field in Keycloak (you can check it in the Admin Portal by clicking the Clients tab).

If you don't use the default RSA_SHA256 algorithm, correct the signature algorithm. For example, for RSA_SHA1 the field should have the value http://www.w3.org/2001/04/xmldsig-more#rsa-sha1.

Fill in the DATAEDO_SSO_DISPLAY_NAME field; this is the name shown for the Identity Provider when logging in to Dataedo. The DisplayName value cannot contain blank spaces (you can use underscore _ instead).

Make sure the DATAEDO_SSO_CLIENT_URL field correctly leads to your Dataedo Portal address.

After changes, the edited parts should look like this:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA="https://KeycloakServerURL.com:/realms/master/protocol/saml/descriptor"
    DATAEDO_SSO_ISSUER="DataedoSSO"
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME="Keycloak_SAML"
    DATAEDO_SSO_CLIENT_URL="https://yourwebiste.com/"

Update your Docker Compose with:

    docker-compose up -d

The next time you open Dataedo Portal, you should have an option to log in with Keycloak SAML.

Clicking it takes you either to the Keycloak login page or, if you're already logged in, directly to your Dataedo Portal page.
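
A check to run before restarting the portal, covering the settings from both the appsettings.json and the .env sections above. This is an added example, not Dataedo's own code: the function names are hypothetical, NoCheck is read literally as "no revocation check", and the returned URL is the one that has to match the Assertion Consumer Service POST Binding URL entered in Keycloak.

```python
import json
from urllib.parse import urlparse

ACS_PATH = "/api/api/auth/assertion-consumer"  # path from the Keycloak step
SHA1_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"
# .env variable -> appsettings.json field, as named in the two sections
ENV_MAP = {
    "DATAEDO_SSO_IDP_METADATA": "IdPMetadata",
    "DATAEDO_SSO_ISSUER": "Issuer",
    "DATAEDO_SSO_SIGNATURE_ALGORITHM": "SignatureAlgorithm",
    "DATAEDO_SSO_REVOCATION_MODE": "RevocationMode",
    "DATAEDO_SSO_DISPLAY_NAME": "DisplayName",
    "DATAEDO_SSO_CLIENT_URL": "ClientUrl",
}

def from_appsettings(text):
    """Flatten the Saml2 and Saml2Client sections of appsettings.json."""
    doc = json.loads(text)
    return {**doc.get("Saml2", {}), **doc.get("Saml2Client", {})}

def from_env(text):
    """Read the Single Sign On variables from .env content."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in ENV_MAP:
            cfg[ENV_MAP[key.strip()]] = value.strip().strip('"')
    return cfg

def review(cfg, docker=False):
    """Return (findings, acs_url); acs_url is the value for Keycloak's ACS field."""
    findings = []
    for field in ("IdPMetadata", "ClientUrl"):
        if urlparse(cfg.get(field, "")).scheme != "https":
            findings.append(f"{field}: not an https:// URL")
    if not cfg.get("Issuer"):
        findings.append("Issuer: empty")
    if cfg.get("SignatureAlgorithm", "").lower() == SHA1_ALG:
        findings.append("SignatureAlgorithm: rsa-sha1 selected, prefer rsa-sha256")
    if cfg.get("RevocationMode") == "NoCheck":
        findings.append("RevocationMode: NoCheck, revocation is not checked")
    if docker and " " in cfg.get("DisplayName", ""):
        findings.append("DisplayName: contains spaces, use underscores")
    acs_url = cfg.get("ClientUrl", "").rstrip("/") + ACS_PATH
    return findings, acs_url

if __name__ == "__main__":  # constructed sample, not a real deployment
    env = 'DATAEDO_SSO_CLIENT_URL="https://portal.example/"\nDATAEDO_SSO_DISPLAY_NAME="Keycloak SAML"\n'
    print(review(from_env(env), docker=True))
```

Pass `docker=True` only for the .env variant, since the space restriction on the display name is stated for the Docker image.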