Feature - SAML (planned for r46)

eramba · November 14, 2017, 10:43am

We need to let people authenticate with one more mechanism (on top of LDAP and local accounts): SAML

Under System / Settings we need a new option for “SAML Connectors”

When clicked there, the user can define one or more SAML connectors.

At System / Settings / Authentication we need to allow SAML authentication for: General Eramba Authentication (we will include later one Third Party Audits Portal Authentication).

Warning: user management will be handled as usual, local accounts must exist for SAML to authenticate. This issue goes back to Feature - Enabling two factor auth (no due date) by @mitchell_e_rowton and @ksaxena

https://github.com/eramba/eramba_v2/issues/459

eramba · December 1, 2017, 11:49am

Due a set of dependencies we have worked out Oauth authentication:

In order to work with SAML we need a testing SSO enviroment to work with, those of you that requested SAML can work with oauth too or need SAML?

Regards

bfailla · January 23, 2018, 5:17pm

Is there an update on SAML? We’re interested. It says planned for R46, but I don’t see it.

ef1 · January 24, 2018, 12:32pm

Hi!

We implemented a beta version of Google oauth in release 47. You Can find more details in the video posted in the release note : http://www.eramba.org/enterprise-update-47/

Let us know what do you think!
Thanks!

bjoern.rudner · April 11, 2018, 9:28am

I’m also very interested in using SAML as Login with our sso solution.

Are there any future plans on implementing SAML or other OAuth-Providers.

Our Company is using an IAM solution by NetIQ.
I can also provide the ability to testdrive some configurations.

eramba · April 12, 2018, 4:55pm

I’m not %100 sure about SAML, oauth is for sure going to be expanded to other providers (or custom providers) but not until we complete UX migration (a couple of months if we get lucky).

eramba · April 16, 2019, 9:38am

hello,

we will be working on saml on the next two releases , we dont have experience on the technology so it would be good if we can collaborate with a couple of customers that:

have build saml server (so we understand deeper how the technology works)
have configured an application to work with saml (so we know how ux, settings, etc would work)

both is ideal, one of them is really good too.

our plan is to expand authentication (not authorisation) to saml but we would still require local accounts in eramba to be created. this will take a month or two but hopefully we can start to collect the information we need to plan on how to build it.

please contact support@eramba.org if you are able to help

regards,
esteban

pedro.goncalves · May 13, 2019, 8:16am

We also are interested in SAML (i.e. authorisation) through OKTA. Maybe you could do some tests with us.

eramba · July 9, 2019, 11:44am

We have almost confirmed funding from one of our customers to implement SAML 2.0 , we would appreciate if those of you that have applications using SAML 2.0 to send us over screesnhots that show what configuration parameters they use so we make sure we build something that will work more or less the same way your other SAML compatible apps

pedro.goncalves · July 9, 2019, 12:45pm

Hi,

We use Okta as our identity service. Here is their step by step to integrate SAML 2.0 applications (including fields needed).

https://developer.okta.com/docs/guides/saml-application-setup/overview/

matthew.dovie · July 9, 2019, 12:55pm

Similar to how you’re syncing LDAP accounts to local accounts, you would be able to use Just-in-Time provisioning to create local accounts through SAML. Instead of syncing users from an Active Directory instance, with Just-in-Time provisioning users are created and updated dynamically when they log in, based on SAML assertions sent by the identity provider.

phillip_rice · July 12, 2019, 11:37am

This would be a massive benefit - a default group be set if no group info is passed, or if group info is passed and matches an existng group in eramba then the user would be set as a member of the group

eramba · July 15, 2019, 6:39am

We were thinking on using SAML only to authenticate users, the eramba user must be previously created (trough imports or ldap sync) before you can authenticate it !

phillip_rice · July 15, 2019, 8:30am

Think on using or decided?

phillip_rice · July 16, 2019, 9:04am

If just in time provisioning is still a possibility please let me know, if not I will have to consider alternatives as we cannot connect Eramba to our ldap directory.

Thanks

eramba · July 16, 2019, 9:29am

hello,

saml 2.0 will be used as another authentication method alone not used for syncing accounts to eramba, for that we use ldap.

sorry!

pedro.goncalves · August 12, 2019, 2:35pm

Can you put on the pipeline provisioning (even if is not in the near future) ? I guess that’s the major factor to use SAML instead of LDAP or Oauth which you already support.

eramba · August 14, 2019, 2:17pm

For the time being we need to keep this as it is … sorry but we have too many fronts and we need to choose battles carefully !

pedro.goncalves · August 16, 2019, 7:40am

Yes, Understandable

eramba · September 24, 2019, 7:27am

taadaaaaa, SAML finally seems to work and will be part of release 2.7.0 (due for this week or next monday)

video: SAML Introduction - YouTube

THIS IS BETA!!! meaning, it should work but we are sure there will be updates.