Security - SAML 2.0 IdP Integration
Â
Introduction
ModelOp Center integrates with SAML 2.0 to enable enterprise-grade authentication and access control, allowing isolation of models by authorized groups.
Overview
The saml-support-service
is an optional microservice in the ModelOp Center install. This service is the bridge between components using SAML 2.0 and components using OAuth 2.x. The roles of the saml-support-service
include:
SAML 2.0 Service Provider (SP)
OAuth 2.x Authorization Server (AS).
When in the role of SP, the saml-support-service
is responsible for initiating user authentication with a SAML request to the SAML identity provider (IdP). After receiving the SAML assertion, the saml-support-service
validates it and parses the necessary information: the username, user attributes, etc.
When in the role of AS, the saml-support-service
is responsible for creating OAuth 2.x tokens. The payload of the OAuth 2.x tokens will include the parsed necessary information from the SAML assertion.
The implementation of both roles is done using Spring.
ForgeRock: The SAML IdP responsible for authenticating users on behalf of ModelOp Center as well as providing necessary user information as part of the SAML assertion.
Prerequisites
For a successful integration of ModelOp Center with a SAML 2.0 IdP, the following prerequisites must be met:
Supported SAML 2.0 IdPs:
ForgeRock 7.1.x
ForgeRock:
Entity providers:
Configure
ForgeRock
as hosted IdPAssertion Content
Sign logout request
Sign logout response
Assertion Processing
SAML Attribute*:
uid
givenName
lastName
email
groups**
Configure
saml-support-service
as remote SPAssertion Content
Sign logout response
Circle of Trust
Configure a circle of trust between the aforementioned entity providers
Required information for ModelOp Center configuration:
ForgeRock URL
ForgeRock metadata URL
ForgeRock logout URL
saml-support-service:
Signing credentials
Configure the private key and certificate for signing SAML requests
SP metadata file***
Known Limitations
The OAuth 2.x Authorization Server does NOT support the following grant types:
Password Grant Flow
Impacts ModelOp CLI
Implicit Grant Flow
Impacts Jupyter and Tableau integrations
Â
*The listed SAML Attribute names (uid, givenName…) are only examples. The customer may use other names for each SAML attribute
**The groups to which the user belongs. The groups will be used in ModelOp Center
***The metadata file will be generated once the saml-support-service is deployed because some of its contents depend on the saml-support-service URL