SAML authentication

Security Assertion Markup Language (SAML) can be used for external authentication of users for both the Deephaven Web interface and the Deephaven Classic (Java/Swing) interface.

SAML is an open standard whereby third-party Identity Providers such as Google, Okta, OneLogin, and others, can validate the identity of a user requesting to log on to a Deephaven system. The main benefits of SAML authentication are single sign-on to multiple services, including Deephaven, and the possibility to manage various forms of two-factor authentication.

There are two systems involved in authentication using SAML: the Identity Provider (IdP) and the Service Provider (SP). The Identity Provider is responsible for authenticating a user and providing evidence of that user's identity in the form of a SAML assertion. Google, Okta, and other accounts management solutions that support SAML 2.0 can act as Identity Providers for Deephaven. The other side of the configuration is the Service Provider, which makes services available to authenticated users. In the context of this document, the Service Provider is the Deephaven installation, with the Service Provider endpoint being a component of the Deephaven authentication server.

Note

The authenticated user is the user that authenticated to the system to initiate the operation. The effective user is the user that Deephaven enforces permission checks for.

A simple example is the "Operate as" login, where the user who logs in (via password, SAML, etc.) is the Authenticated User, and the user they are operating as is the Effective User.

A diagram showing how Deephaven interacts with SAML

Both systems need to be configured for SAML authentication: the Identity Provider so it will accept authentication requests and return responses in the expected format from the specific Service Provider installation, and the Service Provider so it will know what Identity Provider instance to work with and will trust assertions received from it.

Once both systems are properly configured, users attempting to log in to Deephaven can choose to authenticate with the external Identity Provider. If they do so, they will be redirected to a login process managed by the Identity Provider. Upon completion of that process, the result will be sent as a SAML-formatted assertion message to the Deephaven authentication server. If the login was successful, the authentication server will grant the user the rights associated with the user name indicated in the assertion.

For a user to access Deephaven with SAML authentication, the Identity Provider administrator must create a login in the Identity Provider system and then grant the user access to the Deephaven application there. In addition, a Deephaven administrator must create a Deephaven login to match the user's Identity Provider login name, and grant the user's Deephaven account any needed privileges with the Deephaven system.

Configure Deephaven to use SAML Authentication

To configure the authentication server to present the option of SAML authentication, two sets of properties need to be added to the iris-environment.prop properties: one for front-end configuration and one for server-level configuration.

Note

If the SAML Plugin had been previously installed, it must be deactivated to avoid potential conflicts. The following command will deactivate the plugin:

sudo -u risadmin /etc/sysconfig/deephaven/plugins/samlAuth/bin/deactivate.sh --classpath

Configure front-end

The front-end must also be configured to properly utilize the server-level module. The front-end configuration is defined within the following stanza in the iris-environment.prop file. These properties are used to enable the SAML login option within the Deephaven console and web UI:

[service.name=iris_console|interactive_console|web_api_service|configuration_server] {
    ####################################################################################################################
    # Enable SAML-Auth LoginPanel at Client-level.
    # Must be set if SAML is intended as an authentication mechanism in the swing console.
    authentication.client.customlogin.class.SAMLAuth = com.illumon.iris.console.utils.AuthenticationSAMLLoginMethodPanel

    ####################################################################################################################
    # Identify the priority of the SAML-Auth LoginPanel in the case that multiple panels exist. A class with no
    # priority listed will be treated as 'last'; only one such class may exist. The lowest numbers will be listed
    # first in the login-method drop-down.
    authentication.client.custlogin.priority.SAMLAuth = 1

    ####################################################################################################################
    # Identifies the internal URL (which the Deephaven login screen links to) that redirects to the Identity Provider,
    # which may be determined by the "authentication.samlauth.jetty.port", "authentication.samlauth.jetty.context", and
    # "authentication.samlauth.jetty.dologin" properties in the authentication_server section.
    # The example below assumes default values at the server-side.
    authentication.client.samlauth.login.url = <URL of the Deephaven authentication server system>:9032/dh-saml/

    ####################################################################################################################
    # The name of this IdP, which will be seen within the front-end login screen; "Google", "Okta", "RSA", etc. If not
    # set, will default to "SAML"
    authentication.client.samlauth.provider.name=<your_provider; e.g.,Okta>

    ####################################################################################################################
    # A list of properties required for the web front-end to enable SAML authentication. This is required only for web
    # login access; the Java client will work without this setting.
    authentication.client.configuration.list=authentication.client.samlauth.provider.name,authentication.client.samlauth.login.url,authentication.client.customlogin.class.SAMLAuth

    ####################################################################################################################
    # Authentication Server-list must be set, with at least one of the specified addresses being a server that is
    # listening for SAML-authentication on the URL identified by "authentication.client.samlauth.login.url". This
    # property is used by all authentication methods.
    # Typically, this is set in iris-endpoints.prop and does not need to be changed as part of configuring SAML.
    #authentication.server.list = ${host1}[,${host2}[,${host3}...]]
}

Enable SAML-based auth requests

The second set is to enable the authentication server to accept and handle SAML-based authentication requests. This set of properties should be added to the authentication server stanza:

[service.name=authentication_server] {
    ####################################################################################################################
    # Enable SAML auth at server level. Custom auth modules must be enabled.
    authentication.server.customauth.enabled = true
    # Configure the authentication server to look for the saml module's fully-qualified class name:
    authentication.server.customauth.class.SAMLAuth = io.deephaven.enterprise.samlauth.SAMLAuthModule
    # If there are multiple authentication mechanisms, such as SAML and SSH, the priority property defines
    # which is attempted first by the server, with the lowest value being attempted first.
    authentication.server.customauth.priority.SAMLAuth = 0

    ####################################################################################################################
    # Use the WebServices keystore for TLS configuration, which is used for browser-level communication.
    # If the authentication server is on the same host as the web API service, then the webServices keystore can be used.
    SAMLAuth.tls.keystore=/etc/sysconfig/illumon.d/auth-user/webServices-keystore.p12
    SAMLAuth.tls.passphrase.file=/etc/sysconfig/illumon.d/auth-user/.webapi_passphrase

    ####################################################################################################################
    # Service Provider Data that we are deploying.
    # The following properties must match the values defined with the Identity Provider (IdP).

    # The default entity ID is "deephaven:iris:saml:sp".
    #authentication.samlauth.sp.entityid = deephaven:iris:saml:sp
    # The URL of the assertion-consumer. Must be shared with the IdP; on successful authentication,
    # the IdP will redirect the browser to this URL.
    authentication.samlauth.sp.assertion_consumer_service.url = <URL of the Deephaven authentication server system>:9032/dh-saml/acs
    #authentication.samlauth.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    #authentication.samlauth.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    # If we are encrypting our outbound traffic, the public-cert and private-key must be set -- either directly in this
    # file (not recommended), or from flat-files on disk.
    #authentication.samlauth.sp.x509cert.file =
    #authentication.samlauth.sp.x509cert =
    #authentication.samlauth.sp.privatekey.file =
    #authentication.samlauth.sp.privatekey =

    ####################################################################################################################
    # Identity Provider Data that we want to connect with our Service Provider.

    # The following must match properties defined by the IdP.
    authentication.samlauth.idp.entityid = <URL>
    authentication.samlauth.idp.single_sign_on_service.url = <URL>
    #authentication.samlauth.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    # The IdP public key may be entered directly into the configuration or may be loaded from a flat-file on disk
    authentication.samlauth.idp.x509cert.file = /etc/sysconfig/illumon.d/auth/{IdP-Cert-In-File}.pem
    #authentication.samlauth.idp.x509cert = -----BEGIN CERTIFICATE-----\n${IdP-Defined-Cert}\n-----END CERTIFICATE-----

    ####################################################################################################################
    # Organization
    #
    #authentication.samlauth.organization.name = Deephaven Client
    #authentication.samlauth.organization.displayname = Deephaven SAML-Auth Module
    #authentication.samlauth.organization.url = http://deephaven.io
    #authentication.samlauth.organization.lang =
    #authentication.samlauth.contacts.technical.given_name = Technical Support
    #authentication.samlauth.contacts.technical.email_address = technical@example.com
    # The following entries will appear on the login-failure screen.
    authentication.samlauth.contacts.support.given_name = <Contact name to display in case of SSO authentication failure>
    authentication.samlauth.contacts.support.email_address = <Contact email to display in case of SSO authentication failure>support@example.com
}

When SAML is configured, the Deephaven login screen will look similar to the following:

The Deephaven login screen

Example configuration

The Deephaven SAML integration leverages the OneLogin java-saml toolkit. For additional details on the available properties, see the OneLogin Java-SAML Toolkit Configuration. Please note that the "onelogin.saml." properties required by this toolkit are identified in Deephaven as "authentication.samlauth."; these properties will be copied to the appropriate property-names during startup.

Minimal Okta-IdP Example

[service.name=authentication_server] {
    ####################################################################################################################
    # Enable the module within the auth-server. The server where this is defined must be targeted in the console-level
    # configuration's "authentication.server.list"
    authentication.server.customauth.enabled = true
    authentication.server.customauth.class.SAMLAuth = io.deephaven.enterprise.samlauth.SAMLAuthModule
    authentication.server.customauth.priority.SAMLAuth = 0

    ####################################################################################################################
    # Use the WebServices keystore for browser-level TLS
    SAMLAuth.tls.keystore=/etc/sysconfig/illumon.d/auth-user/webServices-keystore.p12
    SAMLAuth.tls.passphrase.file=/etc/sysconfig/illumon.d/auth-user/.webapi_passphrase

    ####################################################################################################################
    # Permit end-of-authentication browser redirection to the WebService url
    authentication.samlauth.jetty.redirect.list = https://XXXXXXXXXXXX:8123/iriside/*

    ####################################################################################################################
    # Okta requires us to define an application-specific user-name for each user. Each user should be configured at the
    # IdP level as a valid Deephaven user name; no special attribute is required
    #authentication.samlauth.nameattribute = NameID

    ####################################################################################################################
    # Service Provider Data that we are deploying; note that these must also be configured within the IdP (Okta)
    #
    #authentication.samlauth.sp.entityid = deephaven:iris:saml:sp
    authentication.samlauth.sp.assertion_consumer_service.url = https://XXXXXXXXXXXX:9032/dh-saml/acs

    ####################################################################################################################
    # Identity Provider Data that we are using (Okta); these values are determined by the IdP
    #
    authentication.samlauth.idp.entityid = http://www.okta.com/XXXXXXXXXXXX
    authentication.samlauth.idp.single_sign_on_service.url = https://ZZZZZZZZ.okta.com/app/YYYYYYYY/XXXXXXXXXXXX/sso/saml
    authentication.samlauth.idp.x509cert.file = /etc/sysconfig/illumon.d/auth/okta.cert
    #authentication.samlauth.idp.x509cert = -----BEGIN CERTIFICATE-----\nXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----

    ####################################################################################################################
    # Information to help users with troubleshooting
    #
    authentication.samlauth.contacts.support.given_name = Support Group
    authentication.samlauth.contacts.support.email_address = support@XXXXXXXX.com
    ####################################################################################################################
}

Minimal Google-IdP Example

[service.name=authentication_server] {
    ####################################################################################################################
    # Enable the module within the auth-server. The server where this is defines must be targeted in the console-level
    # configuration's "authentication.server.list"
    authentication.server.customauth.enabled = true
    authentication.server.customauth.class.SAMLAuth = io.deephaven.enterprise.samlauth.SAMLAuthModule
    authentication.server.customauth.priority.SAMLAuth = 0

    ####################################################################################################################
    # Use the WebServices keystore for browser-level TLS
    SAMLAuth.tls.keystore=/etc/sysconfig/illumon.d/auth-user/webServices-keystore.p12
    SAMLAuth.tls.passphrase.file=/etc/sysconfig/illumon.d/auth-user/.webapi_passphrase

    ####################################################################################################################
    # Permit end-of-authentication browser redirection to the WebService url
    authentication.samlauth.jetty.redirect.list = https://XXXXXXXXXXXX:8123/iriside/*

    ####################################################################################################################
    # This value must be set for each valid user within the IdP. If not set, the email address known to Google will be
    # used, which must match the Deephaven user name for a successful login.
    authentication.samlauth.nameattribute = XXXXXXXX

    ####################################################################################################################
    # Service Provider Data that we are deploying; note that these must also be configured within the IdP (Google)
    #
    #authentication.samlauth.sp.entityid = deephaven:iris:saml:sp
    authentication.samlauth.sp.assertion_consumer_service.url = https://XXXXXXXXXXXX:9032/dh-saml/acs

    ####################################################################################################################
    # Identity Provider Data that we are using (Google); these values are determined by the IdP
    #
    authentication.samlauth.idp.entityid = https://accounts.google.com/o/saml2?idpid=XXXXXXXXX
    authentication.samlauth.idp.single_sign_on_service.url = https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX
    authentication.samlauth.idp.x509cert.file = /etc/sysconfig/illumon.d/auth/GoogleIDPCertificate-XXXXXXXX.pem
    #authentication.samlauth.idp.x509cert = -----BEGIN CERTIFICATE-----\nXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----

    ####################################################################################################################
    # Information to help users with troubleshooting
    #
    authentication.samlauth.contacts.support.given_name = Support Group
    authentication.samlauth.contacts.support.email_address = support@XXXXXXXX.com
    ####################################################################################################################
}

Additional Settings

The previous sections provide minimal configurations for integrating with some common public identity providers. Many more settings are available, which we detail here:

[service.name=authentication_server] {
    ####################################################################################################################
    # Enable SAML auth at server level. Custom auth modules must be enabled.
    authentication.server.customauth.enabled = true
    # Configure the authentication server to look for the module's fully-qualified class name:
    authentication.server.customauth.class.SAMLAuth = io.deephaven.enterprise.samlauth.SAMLAuthModule
    # If there are multiple authentication mechanisms, such as SAML and SSH, the priority property defines
    # which is attempted first by the server, with the lowest value being attempted first.
    authentication.server.customauth.priority.SAMLAuth = 0

    ####################################################################################################################
    # Use the WebServices keystore for TLS configuration, which is used for browser-level communication.
    # If the authentication server is on the same host as the web API service, then the webServices keystore can be used.
    SAMLAuth.tls.keystore=/etc/sysconfig/illumon.d/auth-user/webServices-keystore.p12
    SAMLAuth.tls.passphrase.file=/etc/sysconfig/illumon.d/auth-user/.webapi_passphrase

    ####################################################################################################################
    # The following properties define the http/https server configuration, including protocol, port, and URLs for
    # the server. The resultant URL(s) should be configured within the SAML IdP. The options below list the default
    # values, which this configuration may override as required.
    #authentication.samlauth.jetty.https = true
    #authentication.samlauth.jetty.port = 9032
    #authentication.samlauth.jetty.context = /dh-saml
    #authentication.samlauth.jetty.dologon =
    #authentication.samlauth.jetty.onlogon = acs

    ####################################################################################################################
    # This property identifies a landing-page on successful IdP response. By default, a small "success" page is
    # dynamically generated, which will attempt to close the browser (tab) instance. This will usually not work, but
    # the administrator has the ability to redirect this to a more meaningful page, such as the latest system docs.
    # Note that this property may be superseded by a client-level redirection-request which is permitted by the
    # "authentication.samlauth.jetty.redirect.list" property below.
    #authentication.samlauth.jetty.onsuccess = https://docs.deephaven.io/latest/Content/index.htm

    ####################################################################################################################
    # This property defines a list of URLs to which client front-end applications may request redirection via URL
    # parameter ("?...&redirect=${url}"). Any client requesting end-of-authentication redirection to a URL which is not
    # in this list will be rejected prior to IdP-redirection. Note that the above `onsuccess' property does not need to
    # be included in this list, since it is server-level-configuration-defined. A URL within the list ending with "/*"
    # permits redirection to any sub-path of the provided URL.
    # The property may be broken out to multiple properties for readability purposes. Any property which starts with the
    # name "authentication.samlauth.jetty.redirect." will be included in the list of permitted URLs.
    #authentication.samlauth.jetty.redirect.list = ${comma-separated url-list}

    ####################################################################################################################
    # The following property identifies a default number of milliseconds before a SAML IdP token is timed-out in the
    # case that no usable timeout is received from the IdP. Default time is 60s.
    #authentication.samlauth.tokentimeoutmillis = 60000

    ####################################################################################################################
    # This identifies the number of milliseconds that the saml-module will block on the auth-server request for an
    # "external-auth" response. This is the maximum amount of time we will wait for a client to successfully register
    # with an IdP. In the case that 2FA is used, it may be necessary to increase this to an amount of time in which a
    # user may perform the second-level of authentication. In many cases, the IdP will already "know" the requesting
    # user, at which point the actual delay will be sub-second. Note that each request will consume a thread on the
    # auth-server for a maximum of this time. Default time is 60s.
    #authentication.samlauth.waitforusertimeoutMillis = 60000

    ####################################################################################################################
    # Identifies if the following fields are set in the SAML AuthnRequest message. Default values are as listed.
    #
    # When forceAuthn is set to true, then the identity provider requires the user to reauthenticate; even if
    # they already have a valid session.  When forceAuthn is set to false, the identity provider may reuse a valid
    # session, and not require explicit authentication.
    #
    #authentication.samlauth.login.forceAuthn = true
    #authentication.samlauth.login.isPassive = false
    #authentication.samlauth.login.setNameIdPolicy = false

    ####################################################################################################################
    # Defines the SAML attribute which shall be used as the iris-id. If no attribute is specified, the SAML 'NameID'
    # will be used.
    #authentication.samlauth.nameattribute = IrisUser

    ####################################################################################################################
    # URL to an appropriate stylesheet for failure message and default landing-page.
    #authentication.samlauth.stylesheet.url = ${Stylesheet-URL}

    ####################################################################################################################
    #
    # The following properties are used to configure the OneLogin Toolkit. The value for each "authentication.samlauth.*"
    # property is applied to the corresponding "onelogin.saml2.*" property.
    # Most of these properties do not need to be explicitly defined as they have reasonable defaults defined within the toolkit.
    #
    ####################################################################################################################
    #authentication.samlauth.strict = true
    #authentication.samlauth.unique_id_prefix = DEEPHAVEN_

    ####################################################################################################################
    # Service Provider Data that we are deploying.
    # The following properties must match the values defined with the Identity Provider (IdP).

    # The default entity ID is "deephaven:iris:saml:sp".
    #authentication.samlauth.sp.entityid = deephaven:iris:saml:sp
    # The URL of the assertion-consumer. Must be shared with the IdP; on successful authentication,
    # the IdP will redirect the browser to this URL.
    authentication.samlauth.sp.assertion_consumer_service.url = <URL of the Deephaven authentication server system>:9032/dh-saml/acs
    #authentication.samlauth.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    #authentication.samlauth.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    # If we are encrypting our outbound traffic, the public-cert and private-key must be set -- either directly in this
    # file (not recommended), or from flat-files on disk.
    #authentication.samlauth.sp.x509cert.file =
    #authentication.samlauth.sp.x509cert =
    #authentication.samlauth.sp.privatekey.file =
    #authentication.samlauth.sp.privatekey =

    ####################################################################################################################
    # Identity Provider Data that we want to connect with our Service Provider.

    # The following must match properties defined by the IdP.
    authentication.samlauth.idp.entityid = <URL>
    authentication.samlauth.idp.single_sign_on_service.url = <URL>
    #authentication.samlauth.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    # The IdP public key may be entered directly into the configuration or may be loaded from a flat-file on disk
    authentication.samlauth.idp.x509cert.file = /etc/sysconfig/illumon.d/auth/{IdP-Cert-In-File}.pem
    #authentication.samlauth.idp.x509cert = -----BEGIN CERTIFICATE-----\n${IdP-Defined-Cert}\n-----END CERTIFICATE-----


    ####################################################################################################################
    # Security settings
    #
    #authentication.samlauth.security.nameid_encrypted = false
    #authentication.samlauth.security.authnrequest_signed = false
    #authentication.samlauth.security.logoutrequest_signed = false
    #authentication.samlauth.security.logoutresponse_signed = false
    #authentication.samlauth.security.want_messages_signed = false
    #authentication.samlauth.security.want_assertions_signed = false
    #authentication.samlauth.security.sign_metadata =
    #authentication.samlauth.security.want_assertions_encrypted = false
    #authentication.samlauth.security.want_nameid_encrypted = false
    #authentication.samlauth.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    #authentication.samlauth.security.requested_authncontextcomparison = exact
    #authentication.samlauth.security.want_xml_validation = true
    #authentication.samlauth.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

    ####################################################################################################################
    # Organization
    #
    #authentication.samlauth.organization.name = Deephaven Client
    #authentication.samlauth.organization.displayname = Deephaven SAML-Auth Module
    #authentication.samlauth.organization.url = http://deephaven.io
    #authentication.samlauth.organization.lang =
    #authentication.samlauth.contacts.technical.given_name = Technical Support
    #authentication.samlauth.contacts.technical.email_address = technical@example.com
    # The following entries will appear on the login-failure screen.
    authentication.samlauth.contacts.support.given_name = <Contact name to display in case of SSO authentication failure>
    authentication.samlauth.contacts.support.email_address = <Contact email to display in case of SSO authentication failure>support@example.com
}

SAML over Envoy

Once the Envoy Proxy is properly configured on the system, it is possible to use SAML authentication through the proxy by leveraging Extra Envoy XDS routes. In addition to changing the target port from 9032 to the appropriate envoy port in all of the above properties, it is also required that the IdP's ACS be redirected to the Envoy port. That is, the IdP should always be configured to use the URL identified by authentication.samlauth.sp.assertion_consumer_service.url. The following should be added to the configuration so that appropriate routing is done for the SAML URLs.

# initial login-request needs to be properly routed to the SAML service so that it may be redirect to the IdP
envoy.xds.extra.routes.saml-launch.host=<Hostname of Deephaven authentication server>
envoy.xds.extra.routes.saml-launch.port=9032
envoy.xds.extra.routes.saml-launch.prefix=/dh-saml
envoy.xds.extra.routes.saml-launch.prefixRewrite=/dh-saml/
envoy.xds.extra.routes.saml-launch.tls=true

# upon successful login to the IdP, the login assertion will be sent to envoy; this needs to be forwarded to the actual ACS
envoy.xds.extra.routes.saml-acs.host=<Hostname of Deephaven authentication server>
envoy.xds.extra.routes.saml-acs.port=9032
envoy.xds.extra.routes.saml-acs.prefix=/dh-saml/acs
envoy.xds.extra.routes.saml-acs.prefixRewrite=/dh-saml/acs
envoy.xds.extra.routes.saml-acs.tls=true
# the following line ensures that a trailing "/" is not appended to the URL by the proxy
envoy.xds.extra.routes.saml-acs.exactPrefix=true

# route static resources (css and images) in the login success/failure pages
envoy.xds.extra.routes.saml-static.host=<Hostname of Deephaven authentication server>
envoy.xds.extra.routes.saml-static.port=9032
envoy.xds.extra.routes.saml-static.prefix=/static/
envoy.xds.extra.routes.saml-static.prefixRewrite=/static/
envoy.xds.extra.routes.saml-static.tls=true

Multiple Deephaven Instances with one Identity Provider

In the case that multiple Deephaven instances authenticate as a single application within a single IdP, the host identified by the IdP as the SP can be able to redirect the traffic to the originating Deephaven instance by leveraging the RelayState. This architecture requires that the host defined as the SP be available and have an authentication server with the SAML authentication module configured. The following non-standard configuration settings are required for the SAML message to be successfully processed by the originating authentication server;

[service.name=authentication_server] {
    ####################################################################################################################
    # Permit the ACS-URL to be different than the URL defined by this auth-server instance.
    #
    authentication.samlauth.strict = false

    ####################################################################################################################
    # Service Provider Data that we are deploying; this MUST match the SP defined at the IdP, and NOT reflect the host
    # on which this auth-server instance is running. The URL (specifically host) will not match the URL identified in
    # the "authentication.client.samlauth.login.url" property of the console section
    #
    authentication.samlauth.sp.assertion_consumer_service.url = https://XXXXXXXXXXXX:9032/dh-saml/acs
}

Group Synchronization

SAML Identity providers can be configured to include a list of groups in the identity assertion that is sent to Deephaven. To configure Deephaven to read the group attributes, set the authentication.samlauth.groupsattribute to the name of the group attribute. When this property is set, the Deephaven compares the groups from the identity assertion with the groups currently configured for the user in Deephaven. If the user does not exist in the Deephaven ACL database, then the user is created. All Deephaven users are added to two groups: (1) "allusers" and (2) a group that matches their username. Without any additional configuration, Deephaven assumes that the group names from the identity provider are identical to those in the Deephaven system.

A set of properties containing a comma-separated list of group names allows you control over how groups are synchronized:

Groups that are in the authentication.samlauth.sync.ignoregroups.idp list are ignored when adding new groups to the Deephaven user. For example, you may want to exclude an "Everyone" group that is included by default with your provider (as Deephaven already includes an "allusers" group).
Groups that are in the authentication.samlauth.sync.ignoregroups.dh list are not deleted by Deephaven. This allows you to have some groups that are managed solely within Deephaven.
Each identity provider group can be mapped to one or more Deephaven groups with properties of the form authentication.samlauth.sync.mapgroup.<idp group name>=<dh group name>. This permits you to map identity provider groups to special Deephaven groups like "iris-acleditors" or "iris-superusers".

Note

Consult the documentation of your Identity provider to configure sending group information.

Okta

Disabling password authentication

After enabling SAML authentication, password authentication may be disabled by setting the following property in iris-environment.prop and restarting the authentication server:

authentication.passwordsEnabled=false

When set to false, the authentication server does not accept any password authentication. You must use alternative methods like SAML or Deephaven challenge response authentication with private keys.

The password authentication option on the web front-end may be removed by adding the following property into the existing client configuration list and reloading the web API service:

authentication.client.configuration.list=authentication.passwordsEnabled,...

The password authentication panel may be removed from the Swing front-end by adding the following property and reloading the web API service:

authentication.client.disablePasswordAuth=true

Other references

Okta Knowledge Base Article on forceAuthn

SAML authentication

Configure Deephaven to use SAML Authentication

Configure front-end

Enable SAML-based auth requests

Example configuration

Minimal Okta-IdP Example

Minimal Google-IdP Example

Additional Settings

SAML over Envoy

Multiple Deephaven Instances with one Identity Provider

Group Synchronization

Disabling password authentication

Related documentation

Other references