Configuring Dataedo with Keycloak
Currently, Keycloak SAML works only with the Client Signature Required option deactivated. We plan to support this option in a future release.
This guide will help you configure Dataedo to work with a SAML identity provider. While this article uses Keycloak as the IdP, similar steps apply to other providers.
Initial Configuration in Keycloak Admin Console
- Open the Keycloak Admin Console. Select your realm and navigate to the Clients tab.
- Click Create to add a new client.
- In the new window, enter a client ID (choose a name without spaces or special characters), set Client Protocol to saml, and click Save.
- On the next screen, disable the Client Signature Required option.
- Scroll to the Fine Grain SAML Endpoint Configuration section. Enter your Dataedo Portal's URL, appending /api/api/auth/assertion-consumer. For example: https://YourDataedoURL.com/api/api/auth/assertion-consumer
Configuring SAML in Dataedo Portal (Windows)
- Find the Dataedo installation directory (default: C:\Dataedo Web\), navigate to the Applications\API subfolder, and open appsettings.json.
- Update the appsettings.json file:

    # This sample contains inline comments for explanation purposes.
    # JSON is a strict format and does not support comments.
    # Remove all comments (#) before using this configuration in your environment.
    {
      "Saml2": {
        # In the IdPMetadata field, paste the link to your Realm metadata file, which can be found in the Admin portal under the Realm Settings section.
        # Click on SAML 2.0 Identity Provider Metadata and copy the URL. Alternatively, download it directly from:
        # https://KeycloakServerURL.com/auth/realms/<REALM>/protocol/saml/descriptor
        "IdPMetadata": "https://KeycloakServerURL.com:/realms/master/protocol/saml/descriptor",
        # In the Issuer field, paste the address specified earlier in the Identifier field in Keycloak.
        # This can be checked in the Admin Portal under the Clients tab.
        "Issuer": "DataedoSSO",
        # Change the signature algorithm if you are not using RSA_SHA256.
        # For RSA_SHA1, use: http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
        "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        # Default is ChainTrust. This setting defines the certificate validation mode.
        "CertificateValidationMode": "ChainTrust",
        # Default is NoCheck. This setting defines the revocation mode.
        "RevocationMode": "NoCheck"
      },
      "Saml2Client": {
        # In the DisplayName field, enter the name shown when logging in to Dataedo for the Identity Provider.
        # Example: Keycloak SAML
        "DisplayName": "Keycloak SAML",
        # In the ClientUrl field, make sure it correctly leads to your Dataedo Portal address.
        # Example: https://127.0.0.1:4435
        "ClientUrl": "https://127.0.0.1:4435"
      }
    }

- Go to IIS Manager and restart the Dataedo Portal application to apply the changes.
- Open Dataedo Portal. You should see an option to log in with Keycloak SAML.

Configure Dataedo Portal (Docker Deployment)
- Locate your .env file in the same folder as docker-compose.yml and update the SAML configuration:

    Single sign-on configuration in docker-compose.yml

    # This sample contains inline comments for explanation purposes.
    # Remove all comments (#) before using this configuration in your environment.
    # In the DATAEDO_SSO_IDP_METADATA field, paste the link to your Realm metadata file, which can be found in the Admin portal under the Realm Settings section.
    # Click on SAML 2.0 Identity Provider Metadata and copy the URL. Alternatively, download it directly from:
    # https://KeycloakServerURL.com/auth/realms/<REALM>/protocol/saml/descriptor
    DATAEDO_SSO_IDP_METADATA="https://KeycloakServerURL.com:/realms/master/protocol/saml/descriptor"
    # In the DATAEDO_SSO_ISSUER field, paste the address specified earlier in the Identifier field in Keycloak.
    # This can be checked in the Admin Portal under the Clients tab.
    DATAEDO_SSO_ISSUER="DataedoSSO"
    # Change the signature algorithm if you are not using RSA_SHA256.
    # For RSA_SHA1, use: http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    # In the DATAEDO_SSO_DISPLAY_NAME field, enter the name shown when logging in to Dataedo for the Identity Provider.
    # DisplayName cannot contain spaces; use underscores (_) instead.
    DATAEDO_SSO_DISPLAY_NAME="Keycloak_SAML"
    # In the DATAEDO_SSO_CLIENT_URL field, make sure it correctly leads to your Dataedo Portal address.
    DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"

- Run the following command to apply the changes:

    docker-compose up -d

- Open Dataedo Portal. The Keycloak SAML login option should now appear.
With these steps complete, your Dataedo Portal will now integrate with Keycloak SAML. Log in to verify the configuration!
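A pre-deployment check for either configuration shown above, added here as an example (it is not Dataedo's own tooling): it removes the explanatory # comment lines from appsettings.json or .env content and lists settings to review before the restart. The mapping from DATAEDO_SSO_* variables to appsettings.json keys, the function names and the set of findings are assumptions made for this example.

```python
import json

SHA1_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"  # URI quoted on the page
# Assumed mapping of .env variables to (section, key) in appsettings.json.
ENV_KEYS = {
    "DATAEDO_SSO_IDP_METADATA": ("Saml2", "IdPMetadata"),
    "DATAEDO_SSO_SIGNATURE_ALGORITHM": ("Saml2", "SignatureAlgorithm"),
    "DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE": ("Saml2", "CertificateValidationMode"),
    "DATAEDO_SSO_REVOCATION_MODE": ("Saml2", "RevocationMode"),
    "DATAEDO_SSO_CLIENT_URL": ("Saml2Client", "ClientUrl"),
}

def content_lines(text):
    # Drop only whole-line comments. The SignatureAlgorithm value contains
    # '#', so cutting every line at its first '#' would corrupt the URI.
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def load_appsettings(text):
    return json.loads("\n".join(content_lines(text)))  # strict JSON once comments are gone

def load_env(text):
    cfg = {"Saml2": {}, "Saml2Client": {}}
    for ln in content_lines(text):
        name, _, value = ln.partition("=")
        if name.strip() in ENV_KEYS:
            section, key = ENV_KEYS[name.strip()]
            cfg[section][key] = value.strip().strip('"')
    return cfg

def audit_saml(cfg):
    """Return findings to review; the checks chosen are this example's assumptions."""
    saml, client = cfg.get("Saml2", {}), cfg.get("Saml2Client", {})
    checks = [  # (condition that must hold, finding reported when it does not)
        (saml.get("IdPMetadata", "").lower().startswith("https://"), "IdPMetadata is not an https:// URL"),
        (saml.get("SignatureAlgorithm", "").lower() != SHA1_URI, "SignatureAlgorithm is RSA_SHA1"),
        (saml.get("CertificateValidationMode", "ChainTrust") == "ChainTrust", "CertificateValidationMode is not ChainTrust"),
        (saml.get("RevocationMode", "NoCheck") != "NoCheck", "RevocationMode is NoCheck: revocation is not checked"),
        (client.get("ClientUrl", "").lower().startswith("https://"), "ClientUrl is not an https:// URL"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample (host name and values are made up for this example).
SAMPLE_JSON = """{ "Saml2": {
# whole-line comment, in the style of the page's listing
"IdPMetadata": "http://idp.example/realms/demo/protocol/saml/descriptor",
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha1",
"RevocationMode": "NoCheck" }, "Saml2Client": { "ClientUrl": "https://127.0.0.1:4435" } }"""

if __name__ == "__main__":
    print("\n".join(audit_saml(load_appsettings(SAMPLE_JSON))))
```

The IdPMetadata check matters because the IdP signing certificate is read from that document, so a plain-HTTP fetch lets anyone on the network path substitute it.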
Need help?
If you run into any problems or have questions, reach out to Dataedo support.