forked from SkylineCommunications/dataminer-docs
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request SkylineCommunications#2246 from SkylineCommunications/Configuring-SAML-settings

Overhaul SAML configuration
Showing 22 changed files with 815 additions and 519 deletions.
58 changes: 58 additions & 0 deletions
...nced_security_configuration/Configuring_SAML/SAML_config_to_connect_to_cloud.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
--- | ||
uid: SAML_config_to_connect_to_cloud | ||
--- | ||
|
||
# Additional configuration for systems connected to dataminer.services | ||
|
||
When you connect a DataMiner System for which SAML has already been configured to dataminer.services, three URLs need to be added to the identity provider configuration and the DataMiner metadata file: | ||
|
||
1. Update the identity provider configuration: | ||
|
||
- If you are using **Microsoft Entra ID** or **Azure B2C**, update the configuration of your DataMiner enterprise application: | ||
|
||
1. Navigate to ``portal.azure.com`` and log in. | ||
|
||
1. In the search box at the top, enter *Enterprise applications* to go to the Enterprise Applications page. | ||
|
||
1. Select the application that was created for DataMiner. | ||
|
||
1. In the pane on the left on your DataMiner application page, click *Single sign-on*. | ||
|
||
1. Next to *Basic SAML Configuration*, click *Edit*. | ||
|
||
1. Under *Reply URL*, add the following URLs, replacing `<dms-dns-name>` with the DNS name in the *spMetadata.xml* file and `<organization-name>` with the name of the organization: | ||
|
||
- `https://<dms-dns-name>-<organization-name>.on.dataminer.services/API/` | ||
- `https://<dms-dns-name>-<organization-name>.on.dataminer.services/account-linking` | ||
- `https://<dms-dns-name>-<organization-name>.on.dataminer.services/account-linking/` | ||
|
||
> [!NOTE] | ||
> Note the trailing "/". | ||
Example of remote access URL: `https://dataminer-skyline.on.dataminer.services` | ||
|
||
In this example, the DMS DNS name is "dataminer" and the organization name is "skyline". | ||
|
||
1. In the top-left corner, click *Save*. | ||
|
||
- If you are using **Okta**, add the three URLs mentioned above to *Other Requestable SSO URLs*. See [Configuring SAML with Okta](xref:SAML_using_Okta). | ||
|
||
1. Update your DataMiner metadata file: | ||
|
||
1. Open the file *spMetadata.xml*. Usually, this is located in the `C:\Skyline DataMiner` folder. | ||
|
||
1. Add the new URLs to this file as illustrated below. | ||
|
||
In the example below, the remote access URL is `https://dataminer-skyline.on.dataminer.services`: | ||
|
||
```xml | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="[ENTITYID]" validUntil="2050-01-04T10:00:00.000Z"> | ||
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | ||
... | ||
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dataminer-skyline.on.dataminer.services/API/" index="1" isDefault="true"/> | ||
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dataminer-skyline.on.dataminer.services/account-linking" index="2" isDefault="false"/> | ||
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dataminer-skyline.on.dataminer.services/account-linking/" index="3" isDefault="false"/> | ||
</md:SPSSODescriptor> | ||
</md:EntityDescriptor> | ||
``` |
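Review bot: Missing blank line after `> Note the trailing "/".`: the `Example of remote access URL:` line follows the `> [!NOTE]` block directly, so Markdown treats it as a lazy continuation of the blockquote and the example renders inside the note rather than as its own paragraph (every other paragraph in this file is separated by a blank line). While touching that note, it would help to say that `.../account-linking` and `.../account-linking/` are listed on purpose and must both be registered as Reply URLs, because the variant with and the variant without the trailing slash are two different endpoints to the identity provider; a reader skimming the list may otherwise drop one as a duplicate. Two smaller points: "the DNS name in the *spMetadata.xml* file" does not say where in the file that name is found (the sample shows `entityID` only as `[ENTITYID]`), and the sample keeps `AuthnRequestsSigned="false"` and `validUntil="2050-01-04T10:00:00.000Z"`, so a sentence stating that only the three `<md:AssertionConsumerService>` elements are to be added and that the other attributes should be left as they are in the reader's existing file would avoid those example values being copied over.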
36 changes: 36 additions & 0 deletions
...curity/Advanced_security_configuration/Configuring_SAML/SAML_using_Azure_B2C.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
--- | ||
uid: SAML_using_Azure_B2C | ||
--- | ||
|
||
# Configuring SAML with Azure B2C as identity provider | ||
|
||
From DataMiner 10.2.6/10.3.0 onwards, DataMiner supports Azure B2C as an identity provider for external authentication via SAML. | ||
|
||
To configure this: | ||
|
||
1. Configure Azure B2C. See [Azure Active Directory B2C documentation | Microsoft Docs](https://docs.microsoft.com/en-us/azure/active-directory-b2c/). | ||
|
||
1. Set up an Entra ID Enterprise application. You can do this in the same way as for [Entra ID](xref:SAML_using_Entra_ID#setting-up-a-microsoft-entra-id-enterprise-application). | ||
|
||
1. Create a DataMiner metadata file. You can do this in the same way as for [Entra ID](xref:SAML_using_Entra_ID#creating-a-dataminer-metadata-file). | ||
|
||
1. Configure policies for Azure B2C. See [Tutorial: Create user flows and custom policies in Azure Active Directory B2C | Microsoft Docs](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy). | ||
|
||
1. Get the metadata URL: | ||
|
||
1. In Azure, go to *App registrations*, select your app, and select *Overview* > *Endpoints*. | ||
|
||
![App endpoints](~/user-guide/images/SAML_B2C_endpoints.png) | ||
|
||
1. Select the Azure AD B2C SAML metadata endpoint, e.g. `https://dataminerservices.b2clogin.com/dataminerservices.onmicrosoft.com/<policy-name>/Samlp/metadata`, and replace \<policy-name> with the name of the policy you created earlier. | ||
|
||
1. Configure DataMiner to use external authentication. You can do this in the same way as for [Entra ID](xref:SAML_using_Entra_ID#configuring-dataminerxml-to-use-external-authentication). | ||
|
||
For the *ipMetadata* link, use the link created in the previous step. | ||
|
||
1. Configure DataMiner to automatically create users from Azure B2C. You can do this in the same way as for [Entra ID](xref:SAML_using_Entra_ID#configuring-automatic-creation-of-users-authenticated-by-entra-id-using-saml). | ||
|
||
> [!NOTE] | ||
> | ||
> - If you use Azure B2C, users can only be provisioned automatically. Provisioning users by importing them is not possible. | ||
> - To create SAML users in DataMiner using Azure B2C, a domain is required in the usernames. For this reason, email addresses must be used as the usernames. If the default username of the identity provider is not a valid email address, add a `<PreferredLoginClaim>` element to the `<AutomaticUserCreation>` element in *DataMiner.xml* that refers to a claim containing a valid email address. |
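Review bot: The example metadata endpoint in step 5 embeds what reads as a real tenant (`dataminerservices.b2clogin.com/dataminerservices.onmicrosoft.com`) while only `<policy-name>` is marked as a placeholder; readers are likely to copy the tenant part verbatim into *DataMiner.xml*, so mark it as a placeholder too, e.g. `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/Samlp/metadata`. Under step 6, "the link created in the previous step" is ambiguous now that the sentence stands in its own paragraph after the list item; "the metadata URL from step 5" is unambiguous. The two `docs.microsoft.com` links point at the old documentation host; `learn.microsoft.com` is the current one (the old URLs redirect, so this is cosmetic). Finally, the closing note says email addresses must be used as usernames and points at `<PreferredLoginClaim>`, but does not say that the claim chosen there is what DataMiner will key the automatically created account on, so a reader may pick any claim that happens to look like an email; one sentence making that link explicit would help.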