SAML

TrendMiner also supports switching to authentication by an external identity provider over SAML 2.0.

Note

Once SAML has been configured it is not possible to switch back to local user management. TrendMiner local accounts not mapped to an external account will be deleted.

Important

Take a backup before configuration. This allows reverting if necessary.

  1. Select 'Identity provider' in ConfigHub.

  2. Select the 'SAML' option and click 'Next step'.

  3. To allow a rollback to the last state before SAML was enabled, create a backup first; otherwise click 'Next step'.

  4. Self-signed certificates may be required to validate the SAML metadata or assertions; this step is a reminder of that. If self-signed certificates are required and have not yet been uploaded, click 'here' to be redirected to the upload page.

  5. Select 'Browse files'.

  6. Find and open the self-signed certificate file. Only certificates in PEM format are accepted.

  7. Click 'Upload certificate'.

  8. A green message 'Certificate is uploaded' appears at the top.

  9. Once all required self-signed certificates have been uploaded, go back to 'Identity provider' under the 'SECURITY' menu to complete the remaining SAML steps. Click 'Next step' to proceed.

  10. Either skip this step or upload a custom certificate and its matching key.

Configuration

The following attributes have to be configured to allow successful integration with an external SAML Identity Provider.

  • Entity base URL: The entity base URL defines the location of TrendMiner as used in requests to the SAML identity provider. It should be http(s)://<trendminer_address>/security, where <trendminer_address> is the address users use to access TrendMiner.

  • Identity provider metadata: Upload an XML file containing the metadata provided by the SAML identity provider. The procedure to generate this file is specific to the identity provider; an example for Okta is provided later in this document.

  1. Fill in 'Entity base URL'.

  2. Browse to the identity provider metadata XML file.

  3. Open the identity provider metadata XML file.

  4. Click 'Next step' to start migrating the existing local users to SAML.

  5. A green message 'Connection successful' appears at the top, together with a list of local TrendMiner accounts.

  6. For each local account, enter the corresponding SAML user. Local accounts left blank will not be able to access their old data. Click 'Finish' to complete the user mapping.

  7. As a final confirmation, click 'Yes, map users'.

  8. Users authorized by the identity provider to access TrendMiner can now log in.

  9. After logging in, the TrendMiner home page is displayed.

Example: Generate SAML metadata in Okta

This example generates SAML metadata for a TrendMiner installation at http://tm-va158.trendminer.com/ in Okta.

  1. Log in to Okta as an administrator, go to Applications and click 'Add Application'.

  2. Select 'Create New App'.

  3. Select 'SAML 2.0'.

  4. Define the application name and, optionally, a logo.

Complete the SAML settings

TrendMiner provides two endpoints:

  • SAML Assertion Consumer Service: http(s)://<trendminer_address>/security/saml/SSO

  • Service Provider Entity ID: http(s)://<trendminer_address>/security/saml/metadata

The first endpoint is used by the identity provider to redirect the user back to TrendMiner after logging in. Okta calls it the 'Single sign on URL'.

The second endpoint defines the SAML metadata of TrendMiner. In Okta terminology this is the 'Audience URI'.
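As an added example (not TrendMiner's or Okta's own code), the following Python script derives the two TrendMiner endpoints from the configured 'Entity base URL' and inspects an identity provider metadata file before it is uploaded in the Configuration steps: it checks that the file really is SAML 2.0 identity provider metadata, records the single sign-on locations and flags any that are not HTTPS, and extracts the signing certificate(s) as PEM, the format the certificate upload accepts. The entityID, host and certificate bytes in the sample metadata are constructed placeholders.

```python
import base64
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_endpoints(entity_base_url: str) -> dict:
    """Derive the two TrendMiner SP endpoints from the configured 'Entity base URL'."""
    base = entity_base_url.rstrip("/")
    return {"entity_id": base + "/saml/metadata",  # Okta: 'Audience URI'
            "acs": base + "/saml/SSO"}             # Okta: 'Single sign on URL'

def inspect_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and collect the points to review before uploading it."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 identity provider metadata")
    report = {"entity_id": root.get("entityID"), "sso_locations": [],
              "signing_certs_pem": [], "warnings": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        report["sso_locations"].append(location)
        if not location.startswith("https://"):
            report["warnings"].append("SSO endpoint is not HTTPS: " + location)
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means any use
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # Same DER bytes re-wrapped as PEM, the only format the certificate upload accepts
            report["signing_certs_pem"].append(ssl.DER_cert_to_PEM_cert(der))
    if not report["signing_certs_pem"]:
        report["warnings"].append("no signing certificate: assertions could not be verified")
    return report

# Constructed sample shaped like Okta's 'Identity Provider metadata' download; the
# entityID, host and certificate bytes are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkCONSTRUCTED">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
```

Run `inspect_idp_metadata(open("metadata.xml").read())` on the downloaded file and resolve every entry in `warnings` before uploading it; the PEM strings it returns are what the certificate upload step expects if the signing certificate is self-signed.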

  1. Click 'Next' at the bottom of the screen to continue.

  2. Select 'I'm a software vendor. I'd like to integrate my app with Okta' and click 'Finish'.

  3. Select the 'Sign On' tab and download the 'Identity Provider metadata' file.

  4. Select the 'Assignments' tab. Assign access rights to all users and groups that need TrendMiner access.

  5. Add the user name or group name and click 'Save and Go Back' to return to the 'Assignments' tab.