Setting up SAML with Azure AD
SAML - Configure Azure AD
As a first step, we'll need to download the Federation metadata XML from Azure AD which will be uploaded later in TrendMiner's ConfigHub.
Aside from that, the user and security claims need to be set up correctly. With this configuration, Azure AD will return the correct Subject in the response for use in TrendMiner.
Navigate in Azure AD to your SAML application, and open the Single Sign-on section.
In the upper section, "Basic SAML Configuration", leave placeholders for the required fields like Entity ID. These values will be overwritten in later steps when the metadata file from TrendMiner is imported back into Azure AD.
Download the Federation Metadata XML. This file will be used to upload in TrendMiner ConfigHub in later steps.
Configure user attributes & claims. This enables the automatic creation of user profiles, including the user name they will be identified with in TrendMiner.
Click the "Edit"-button under "User Attributes & Claims"
Click on the "Unique User Identifier (Name ID)" option.
Ensure the “Name identifier format” is set to a format of your choice. Note that the source attribute "user.userprincipalname" refers to the email in Azure. Under "Source" select ''Transformation" and add the "ToLowercase()" transformation for the "user.userprincipalname" as shown in the screenshot below.
Configure groups. This helps you leverage existing group memberships to set access rights to data sources automatically.
Click the "Edit"-button under "User Attributes & Claims"
Click the "Add a group claim"-option.
Set the Group Claims as desired. An example is shown in the screenshot below; this needs to be adjusted to fit your preferences:
Associated groups to be returned in the claim: to avoid clutter, the recommendation is to select "Groups assigned to the application".
Source attribute: Select your preference according to the Azure AD documentation. In most cases, either sAMAccountName (for groups that are synchronized from an on-premise Active Directory setup into Azure AD) or Group names for cloud-only groups (for groups that were created directly in Azure AD) will be desired, as these return human-readable names that can be used in TrendMiner's ConfigHub.
Add users/groups to the application. This enables the admin to provide explicit access only to those users and groups that should be able to use TrendMiner, according to the provisioned license capacity for named users.
Navigate to "the Users and Groups" tab.
Click the Add "user/group" button and add users/groups.
Continue with the steps for TrendMiners ConfigHub configuration as explained in the next section of this document.
SAML - ConfigHub Configuration
After setting up the initial application in your Identity Provider, we can continue in TrendMiner's ConfigHub. Via ConfigHub we can see an overview of the existing Identity Providers and have the ability to configure a new one.
Navigate to ConfigHub and open the "Identity Providers" tab in the "Security" section.
Click the "Add provider"-button.
Select the SAML option.
Create a TrendMiner backup.
Upload a Self-signed certificate if necessary. Self-signed certificates might be necessary if the IDP uses a custom CA certificate over HTTPS.
Indicate whether a signed Assertion is expected.
Fill out the details for the SAML configuration:
Name: Display name in ConfigHub and used as root group. This name is only used within ConfigHub for admins to recognize the configuration. It does not further relate to any technical SAML details.
Base domain: Used in URLs of the SP metadata file. Eg: where the IDP has to redirect after identification.
NameID Policy Format: A dropdown to select the policy format as being used by the SAML provider (e.g. Azure or Okta). Possible values are: Persistent, Transient, Email, Kerberos, X.509 Subject Name, Windows Domain Qualified Name, Unspecified
Principal Type: A dropdown to select the principal type as being used by the SAML provider. Possible values are: Subject name ID, Attribute name, Attribute friendly name
Principal Attribute: In case Attribute name or Attribute friendly name was selected as an option from the Principal Type dropdown, an extra input field will become visible that allows you to enter the name of the specific attribute to be used
Identity provider metadata file: Upload the Federation Metadata XML file you have downloaded from the IdP in the previous section.
Enable Attributes Mapping: Optional setting to map SAML assertions into ConfigHub. Note that the mappings need to correspond with the attribute names used from the IdP (see previous section). For Azure, this corresponds to the claim name (e.g. http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) while for Okta this corresponds to the given names in the previous steps (e.g. firstName, groups,…).
The next screen allows mapping existing (local) TrendMiner users to the SAML provider. The SAML username should correspond to the value returned by the IdP in the Subject-NameID tags. TrendMiner requests the NameId in the following format:
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".
After creating the identity provider in ConfigHub it is time to download the metadata file and go back to the identity provider.
Go back to the "Identity Providers" tab in the "Security" section in ConfigHub. You should be able to see your created provider listed.
Click on your newly created provider. A side panel will pop open.
Click the options-button.
Click the download Metadata button. This metadata file contains the remaining configuration on the IdP side.
Complete the identity provider configuration as explained in the next section.
SAML - Configure Entra (Azure AD) - Part 2
Now that we have the metadata file from TrendMiner (as generated in the previous step), we can proceed with finalizing the configuration on the IdP side.
Navigate in Entra ID to your SAML application and open the "Single sign-on"-tab.
Click the "Upload metadata file" and upload the TrendMiner metadata file. This will fill out the required information where we placed placeholders in the first step.
Check the entries - It might be necessary to fill in the Reply URL yourself. This is the same value as Logout URL.
The SAML setup is complete and you should be able to login in TrendMiner. After logging in with a SAML user in TrendMiner the assigned groups should be synced and ACLs can be configured.