Verify user authentication by single sign-on in Pentaho+ (Okta, Gluu)
Single sign-on in Pentaho+ can be achieved using the following steps.
Prerequisites:
- Install a Pentaho+ server.
- Download or set up either Okta or Gluu as the identity provider (IdP).
- Build your own SAML plugin Karaf assembly (pentaho-saml-sample.kar file), logout.jsp, and applicationContext-spring-security-saml.xml.
- Place the pentaho-saml-sample.kar file in the $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/karaf/deploy/ folder.
- Once the plugin is installed, the $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/karaf/etc/pentaho.saml.cfg configuration file will be created.
- Shut down the BA Server.
- Build the logout.jsp file and copy it into the $PENTAHO_HOME/server/pentaho-server/tomcat/webapps/pentaho/ folder.
- Build the applicationContext-spring-security-saml.xml file and copy it to $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/applicationContext-spring-security-saml.xml.
Create a SAML Assertion Signing (and Encryption) Certificate and Keystore
- Create a $PENTAHO_HOME/server/pentaho-server/saml/ folder
- Open a terminal or command prompt, and make the newly created folder your working directory:
cd $PENTAHO_HOME/server/pentaho-server/saml
- Run the keytool command to generate a self-signed certificate. You may also obtain a signed certificate from a certificate authority if you wish. Ensure that the certificate uses a hash algorithm supported by your IdP.
$PENTAHO_JAVA_HOME/bin/keytool -genkey -alias saml -keystore $PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks -storepass changeit -keyalg RSA -keypass changeit
Configure SSL Certificate to Tomcat Server
- Open the Tomcat $PENTAHO_HOME/server/pentaho-server/tomcat/conf/server.xml file.
- Locate the connector you want the new keystore to secure, e.g.:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           keyAlias="saml" keystoreFile="$PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks"
           keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
Write the real absolute path of the keystore in keystoreFile; Tomcat does not expand shell variables such as $PENTAHO_HOME in server.xml.
Configure SSL Certificate to Pentaho+ Server
- Change to the home directory of the user account that starts the Pentaho Plus Server and User Console processes or services.
- Execute the following command, changing the storepass and keypass (changeit in the example) accordingly:
$ keytool -export -alias saml -file $PENTAHO_HOME/server/pentaho-server/saml/saml.cer -storepass changeit -keypass changeit -keystore $PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks
- Change to the $PENTAHO_JAVA_HOME/lib/security/ directory:
$ cd $PENTAHO_JAVA_HOME/lib/security/
- Execute the following command, changing the alias (saml in the example), the file path to the certificate (the saml folder in the example), and the storepass (changeit in the example) accordingly:
$ keytool -import -alias saml -file $PENTAHO_HOME/server/pentaho-server/saml/saml.cer -keystore cacerts -storepass changeit
- Execute the following command and make note of the certificate fingerprint printed for the saml entry:
$ keytool -list -keystore cacerts
- Change back to the home directory of the user account that starts the Pentaho+ Server and User Console, and run this command:
$ keytool -list -keystore keystore.jks
- Then try to connect with the SSL URL, e.g. https://localhost:8443/pentaho. It must connect.
Prepare the Pentaho Plus Service Provider Metadata XML File
- Copy the text below into a Unix-formatted file called pentaho-sp.xml:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="pentaho" entityID="pentaho">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><!-- REPLACE COMMENT WITH BASE64 SIGNING CERTIFICATE --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><!-- REPLACE COMMENT WITH BASE64 ENCRYPTION CERTIFICATE --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <!-- MODIFY LOCATION ATTRIBUTES WITH PROTOCOL, DOMAIN, and PORT -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/pentaho/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/pentaho/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/pentaho/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/pentaho/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
- Move or copy your SP metadata file to $PENTAHO_HOME/server/pentaho-server/saml/pentaho-sp.xml.
- Locate the XML tag entries for <md:SingleLogoutService> and <md:AssertionConsumerService>, and replace the values of the Location attribute with the appropriate protocol (http/https), domain name, and port that the BA Server is running on.
- Export the contents of your SAML signing certificate (and the additional encryption certificate, if you generated one) to a base64 representation using the following keytool command:
$PENTAHO_JAVA_HOME/bin/keytool -exportcert -keystore $PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks -storepass changeit -alias saml -rfc
- The command in the previous step should print out the certificate data, which looks like:
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA PAYLOAD
-----END CERTIFICATE-----
- Copy the content of the certificate data payload (not the BEGIN or END line) into the appropriate <ds:X509Certificate> entry tag.
- Register the Pentaho SP with Gluu or Okta by uploading the pentaho-sp.xml SP metadata.
- Export the signing certificate. Execute the following command to place the signing public key in a .cer file:
$PENTAHO_JAVA_HOME/bin/keytool -exportcert -keystore $PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks -storepass changeit -alias saml -rfc > $PENTAHO_HOME/server/pentaho-server/saml/saml.signing.cert.cer
- Download the IdP metadata from Okta: click the "Identity Provider metadata" hyperlink (Chrome is recommended), which redirects to a new page. Copy the URL of that page and paste it as the entityID value in the first line of the page, so that it reads:
<EntityDescriptor ID="…" entityID="page url" xmlns=...
Copy all the contents of the page to a new file at $PENTAHO_HOME/server/pentaho-server/saml/okta-idp.xml.
- Download the IdP metadata from Gluu: click the "Identity Provider metadata" hyperlink (Chrome is recommended), which redirects to a new page. Copy the URL of that page and paste it as the entityID value in the first line of the page, so that it reads:
<EntityDescriptor ID="…" entityID="page url/IDP/SHIBBOLETH" xmlns=...
Copy all the contents of the page to a new file at $PENTAHO_HOME/server/pentaho-server/saml/gluu-idp.xml.
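Added example (not part of the original page or of the Pentaho plugin): a Python script that performs the manual SP metadata steps above in one go. It takes the PEM block printed by keytool -exportcert -rfc, strips the BEGIN/END lines, inserts the base64 payload into the signing and encryption <ds:X509Certificate> elements, rewrites every SingleLogoutService and AssertionConsumerService Location to the scheme, host and port the BA Server actually runs on, and then re-checks the result. The template mirrors pentaho-sp.xml above with the NameIDFormat list shortened; the PEM block and the host bi.example.internal are constructed sample values, not real certificate data.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Same shape as the pentaho-sp.xml above (NameIDFormat list shortened to one entry).
SP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="pentaho" entityID="pentaho">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate><!-- REPLACE COMMENT WITH BASE64 SIGNING CERTIFICATE --></ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate><!-- REPLACE COMMENT WITH BASE64 ENCRYPTION CERTIFICATE --></ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/pentaho/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/pentaho/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/pentaho/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/pentaho/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for `keytool -exportcert -rfc` output: valid base64, NOT a real X.509 cert.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBsampleCERTdataLINE01
MIIBsampleCERTdataLINE02
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_payload(pem: str) -> str:
    """Return only the base64 body between the BEGIN/END lines, joined into one string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found in keytool output")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # reject anything that is not clean base64
    return body


def build_sp_metadata(template: str, signing_pem: str, encryption_pem: str, base_url: str) -> str:
    """Fill both KeyDescriptor certificates and point every SAML endpoint at base_url."""
    root = ET.fromstring(template)  # ElementTree drops the REPLACE comments, leaving empty elements
    payloads = {"signing": pem_payload(signing_pem), "encryption": pem_payload(encryption_pem)}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if cert is None:
            raise ValueError(f"KeyDescriptor use={kd.get('use')} has no X509Certificate element")
        cert.text = payloads[kd.get("use")]
    base = base_url.rstrip("/")
    for tag in ("SingleLogoutService", "AssertionConsumerService"):
        for ep in root.iter(f"{{{MD}}}{tag}"):
            # keep the /pentaho/saml/... path, swap in the real protocol, domain and port
            ep.set("Location", base + urlparse(ep.get("Location")).path)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def check_sp_metadata(xml_text: str, base_url: str) -> dict:
    """Sanity checks worth running before handing the file to the IdP."""
    root = ET.fromstring(xml_text)
    certs = [c.text or "" for c in root.iter(f"{{{DS}}}X509Certificate")]
    locations = [e.get("Location") for e in root.iter() if e.get("Location")]
    prefix = base_url.rstrip("/") + "/pentaho/saml/"
    return {
        "entity_id": root.get("entityID"),
        "certs_filled": len(certs) == 2 and all(c.strip() and "REPLACE" not in c for c in certs),
        "locations_ok": bool(locations) and all(loc.startswith(prefix) for loc in locations),
        "endpoints": len(locations),
    }


if __name__ == "__main__":
    base = "https://bi.example.internal:8443"  # constructed host; use your BA Server's URL
    xml_out = build_sp_metadata(SP_TEMPLATE, SAMPLE_PEM, SAMPLE_PEM, base)
    print(xml_out)
    print(check_sp_metadata(xml_out, base))
```

In real use, feed the output of the keytool -exportcert -rfc command above into signing_pem (and the encryption certificate's output into encryption_pem, or the same block if you use one certificate for both), and write the returned string to $PENTAHO_HOME/server/pentaho-server/saml/pentaho-sp.xml. The check function catches the two mistakes that usually break the IdP trust: a placeholder comment left in an X509Certificate element and a Location still pointing at localhost.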
Configure the pentaho.saml.cfg File
At this point, there is a saml folder with an IdP metadata xml file, the Pentaho SP metadata xml file, and a saml keystore with the signing certificate (and possibly separate encryption certificate). When editing the pentaho.saml.cfg file, please note that absolute paths (no variables) must be listed in the file.
1. Shut down the BA Server if it is running
2. Open the $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/karaf/etc/pentaho.saml.cfg file for editing.
Setting IdP Properties
1. Comment out the entries for saml.idp.metadata.url and saml.idp.metadata.classpath if they are uncommented.
2. Uncomment the entry for saml.idp.metadata.filesystem if it is commented.
3. Change the value (after the equal sign) to the path of your IdP metadata XML file (the okta-idp.xml or gluu-idp.xml saved earlier; saml-idp.xml below stands for whichever you use). Write the real absolute path: $PENTAHO_HOME is only a placeholder here, since the file does not expand variables.
saml.idp.metadata.filesystem=$PENTAHO_HOME/server/pentaho-server/saml/saml-idp.xml
You will also need to set the saml.idp.url property, which is used to select the proper EntityDescriptor from the referenced saml-idp.xml file.
- Open $PENTAHO_HOME/server/pentaho-server/saml/saml-idp.xml.
- Locate the <EntityDescriptor> tag, and copy the value of the entityID attribute:
<EntityDescriptor ID="…" entityID="http://the-idp-url" xmlns=...
- In pentaho.saml.cfg, set the value of the saml.idp.url property to the copied value:
saml.idp.url=http://the-idp-url
Setting SP Properties
Similar to the IdP settings, there are three ways to specify the Service Provider document. Choose from URL, filesystem, or classpath using the saml.sp.metadata.url, saml.sp.metadata.filesystem, or saml.sp.metadata.classpath properties. This example will use the filesystem, since earlier instructions directed you to save the pentaho-sp.xml file.
1. Comment out the entries (prefix the line with "#") for saml.sp.metadata.url and saml.sp.metadata.classpath if they are uncommented.
2. Uncomment the line for saml.sp.metadata.filesystem if it is commented.
3. Change the value of saml.sp.metadata.filesystem to (again with the real absolute path in place of $PENTAHO_HOME):
saml.sp.metadata.filesystem=$PENTAHO_HOME/server/pentaho-server/saml/pentaho-sp.xml
The other property that is configurable for the Service Provider is saml.sp.metadata.entityId. It has a case-sensitive value that defaults to "pentaho". Editing this value is not recommended. The value has to match the entityID in the SP metadata XML file and the party trust configured in the IdP.
Setting the Keystore Properties
1. Comment out the saml.keystore.url and saml.keystore.classpath properties with "#" if they are uncommented.
2. Uncomment saml.keystore.filesystem if it is commented with "#".
3. Change the value of saml.keystore.filesystem to (real absolute path in place of $PENTAHO_HOME):
saml.keystore.filesystem=$PENTAHO_HOME/server/pentaho-server/saml/saml.keystore.jks
4. Locate the saml.keystore.default.key property, and change it to match the alias of your SAML signing certificate. The setup earlier referenced a self-signed certificate aliased as "saml", which would be configured as:
saml.keystore.default.key=saml
5. Locate and set the keystore password with the saml.keystore.password property. This should match the password used as the -storepass argument when you obtained a SAML signing certificate in the "Create a SAML Assertion Signing (and Encryption) Certificate and Keystore" section of this document.
saml.keystore.password=changeit
6. If any of your certificate private key passwords include the colon ":" character, change the saml.username.password.delimiter.char property to a valid delimiter character not included in any of the key passwords.
7. Provide a comma-separated list of username<delimiter>password entries, to allow the Pentaho+ SAML plugin to read private keys, in the saml.keystore.private.username.passwords property:
saml.keystore.private.username.passwords=saml:changeit
Since this file holds the keystore and private key passwords in clear text, restrict its file permissions to the account that runs the server.
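Added example (not part of the page or of the Pentaho plugin): the pentaho.saml.cfg edits from the IdP, SP and keystore sections above, applied by a Python script rather than by hand. It comments out the url/classpath sources, activates the filesystem ones, copies entityID out of the IdP metadata into saml.idp.url, refuses paths that are not absolute or that still contain $PENTAHO_HOME, and checks that the delimiter character does not occur in the alias or key password before writing saml.keystore.private.username.passwords. The cfg fragment, the IdP metadata stub and the /opt/pentaho paths are constructed sample values; the property names are the ones used in the steps above.

```python
import os
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed "before" fragment of a pentaho.saml.cfg: url sources active, filesystem
# sources commented out, stale keystore values. Not a copy of the real file.
SAMPLE_CFG = """\
saml.idp.metadata.url=http://idp.example/metadata
#saml.idp.metadata.filesystem=/path/to/idp.xml
#saml.idp.metadata.classpath=idp.xml
saml.idp.url=
saml.sp.metadata.url=http://sp.example/metadata
#saml.sp.metadata.filesystem=/path/to/sp.xml
#saml.sp.metadata.classpath=sp.xml
saml.sp.metadata.entityId=pentaho
saml.keystore.url=file:///tmp/old.jks
#saml.keystore.filesystem=/path/to/saml.keystore.jks
#saml.keystore.classpath=saml.keystore.jks
saml.keystore.default.key=old
saml.keystore.password=old
saml.username.password.delimiter.char=:
saml.keystore.private.username.passwords=old:old
"""

# Constructed IdP metadata stub; only the entityID attribute matters here.
SAMPLE_IDP_METADATA = (
    '<EntityDescriptor ID="_idp1" entityID="http://the-idp-url" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>'
)


def idp_entity_id(metadata_xml: str) -> str:
    """Read entityID from the IdP metadata root element; this becomes saml.idp.url."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("IdP metadata root must be an md:EntityDescriptor with an entityID")
    return root.get("entityID")


def is_usable_path(path: str) -> bool:
    """pentaho.saml.cfg needs absolute paths and does not expand shell variables."""
    return os.path.isabs(path) and "$" not in path


def _comment_out(lines, key):
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    return ["#" + ln if pat.match(ln) else ln for ln in lines]


def _set(lines, key, value):
    """Uncomment the key if needed and overwrite its value; append it if absent."""
    pat = re.compile(r"^\s*#*\s*" + re.escape(key) + r"\s*=")
    out, found = [], False
    for ln in lines:
        if pat.match(ln) and not found:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(ln)
    if not found:
        out.append(f"{key}={value}")
    return out


def configure_saml_cfg(cfg_text, idp_xml_path, sp_xml_path, keystore_path, idp_metadata_xml,
                       key_alias, store_pass, key_pass, delimiter=":"):
    """Return the edited cfg text, applying the IdP, SP and keystore steps above."""
    for p in (idp_xml_path, sp_xml_path, keystore_path):
        if not is_usable_path(p):
            raise ValueError(f"absolute path without shell variables required: {p}")
    if delimiter in key_alias or delimiter in key_pass:
        raise ValueError("delimiter char occurs in the alias or key password; choose another")
    lines = cfg_text.splitlines()
    for key in ("saml.idp.metadata.url", "saml.idp.metadata.classpath",
                "saml.sp.metadata.url", "saml.sp.metadata.classpath",
                "saml.keystore.url", "saml.keystore.classpath"):
        lines = _comment_out(lines, key)
    for key, value in (
        ("saml.idp.metadata.filesystem", idp_xml_path),
        ("saml.idp.url", idp_entity_id(idp_metadata_xml)),
        ("saml.sp.metadata.filesystem", sp_xml_path),
        ("saml.keystore.filesystem", keystore_path),
        ("saml.keystore.default.key", key_alias),
        ("saml.keystore.password", store_pass),
        ("saml.username.password.delimiter.char", delimiter),
        ("saml.keystore.private.username.passwords", f"{key_alias}{delimiter}{key_pass}"),
    ):
        lines = _set(lines, key, value)
    return "\n".join(lines) + "\n"


def active_properties(cfg_text):
    """Return the uncommented key=value pairs, i.e. what the plugin will actually read."""
    props = {}
    for ln in cfg_text.splitlines():
        s = ln.strip()
        if s and not s.startswith("#") and "=" in s:
            k, v = s.split("=", 1)
            props[k.strip()] = v.strip()
    return props


if __name__ == "__main__":
    saml_dir = "/opt/pentaho/server/pentaho-server/saml"  # constructed install path
    print(configure_saml_cfg(SAMPLE_CFG, f"{saml_dir}/okta-idp.xml", f"{saml_dir}/pentaho-sp.xml",
                             f"{saml_dir}/saml.keystore.jks", SAMPLE_IDP_METADATA,
                             "saml", "changeit", "changeit"))
```

Run it against the real file by reading $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/karaf/etc/pentaho.saml.cfg and the saved okta-idp.xml or gluu-idp.xml, and write the result back only after the BA Server is stopped. Calling active_properties on the result is a quick way to confirm that exactly one metadata source and one keystore source remain uncommented.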
Enable the SAML Plugin
1. Shut down the BA Server if it is running
2. Open $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/pentaho-spring-beans.xml for editing
3. Locate the line containing <import resource="applicationContext-spring-security-jdbc.xml" /> and add the following line below it:
<import resource="applicationContext-spring-security-saml.xml" />
4. Save and close the file
5. Open $PENTAHO_HOME/server/pentaho-server/pentaho-solutions/system/security.properties for editing
6. Change the provider on the first line to "saml". Once completed, the line will read:
provider=saml
7. Save and close the file.
Make sure the users who will log in through SAML have been added to the Pentaho database.
Now connect to the URL https://localhost:8443/pentaho; you should be redirected to the IdP (Okta or Gluu) to log in and returned to Pentaho+ after a successful login.