Feature - SAML (planned for r46)

We need to let people authenticate with one more mechanism (on top of LDAP and local accounts): SAML

Under System / Settings we need a new option for “SAML Connectors”

When clicked there, the user can define one or more SAML connectors.

At System / Settings / Authentication we need to allow SAML authentication for: General Eramba Authentication (we will include later on Third Party Audits Portal Authentication).

Warning: user management will be handled as usual, local accounts must exist for SAML to authenticate. This issue goes back to Feature - Enabling two factor auth (no due date) by @mitchell_e_rowton and @ksaxena

https://github.com/eramba/eramba_v2/issues/459

Due to a set of dependencies we have worked out OAuth authentication:

In order to work with SAML we need a testing SSO environment to work with. Can those of you that requested SAML work with OAuth too, or do you need SAML?

Regards

Is there an update on SAML? We’re interested. It says planned for R46, but I don’t see it.

Hi!

We implemented a beta version of Google OAuth in release 47. You can find more details in the video posted in the release note: http://www.eramba.org/enterprise-update-47/

Let us know what you think!
Thanks!

I’m also very interested in using SAML as login with our SSO solution.

Are there any future plans on implementing SAML or other OAuth providers?

Our company is using an IAM solution by NetIQ.
I can also provide the ability to test-drive some configurations.

I’m not 100% sure about SAML, OAuth is for sure going to be expanded to other providers (or custom providers) but not until we complete UX migration (a couple of months if we get lucky).

hello,

we will be working on saml in the next two releases, we don't have experience with the technology so it would be good if we can collaborate with a couple of customers that:

  • have built a saml server (so we understand deeper how the technology works)
  • have configured an application to work with saml (so we know how ux, settings, etc would work)

both is ideal, one of them is really good too.

our plan is to expand authentication (not authorisation) to saml but we would still require local accounts in eramba to be created. this will take a month or two but hopefully we can start to collect the information we need to plan on how to build it.

please contact support@eramba.org if you are able to help

regards,
esteban

We also are interested in SAML (i.e. authorisation) through OKTA. Maybe you could do some tests with us.

We have almost confirmed funding from one of our customers to implement SAML 2.0. We would appreciate it if those of you that have applications using SAML 2.0 could send us screenshots that show what configuration parameters they use, so we make sure we build something that will work more or less the same way as your other SAML compatible apps.

Hi,

We use Okta as our identity service. Here is their step by step to integrate SAML 2.0 applications (including fields needed).

https://developer.okta.com/docs/guides/saml-application-setup/overview/

Similar to how you’re syncing LDAP accounts to local accounts, you would be able to use Just-in-Time provisioning to create local accounts through SAML. Instead of syncing users from an Active Directory instance, with Just-in-Time provisioning users are created and updated dynamically when they log in, based on SAML assertions sent by the identity provider.

This would be a massive benefit - a default group could be set if no group info is passed, or if group info is passed and matches an existing group in eramba then the user would be set as a member of the group :slight_smile:

We were thinking of using SAML only to authenticate users, the eramba user must be previously created (through imports or LDAP sync) before you can authenticate it!
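
The two account-handling policies discussed in the posts above (SAML for authentication only against a pre-existing local account, versus Just-in-Time provisioning with a default or matched group), shown side by side as an added example that is not part of the thread and is not eramba code. It assumes the assertion's signature, audience and validity window were already verified by a SAML library; the `groups` attribute name, the group names and all function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Assertion:
    """Subject and attributes from an assertion that a SAML library has
    ALREADY verified (signature, audience, validity): an assumption here."""
    name_id: str
    attributes: dict = field(default_factory=dict)

class LoginDenied(Exception):
    pass

def login_auth_only(assertion, accounts):
    """Authentication only: the local account must already exist
    (created by import or LDAP sync). Nothing is created or changed."""
    user = accounts.get(assertion.name_id)
    if user is None:
        raise LoginDenied("no local account for this SAML subject")
    return user  # group claims from the IdP are ignored on purpose

def login_jit(assertion, accounts, known_groups, default_group):
    """Just-in-Time provisioning: create or update the account at login.
    Only groups that already exist locally are honoured, so the IdP
    cannot introduce a new group simply by naming it in the assertion."""
    if default_group not in known_groups:
        raise ValueError("default group must be an existing local group")
    claimed = assertion.attributes.get("groups", [])
    if isinstance(claimed, str):  # attribute sent with a single value
        claimed = [claimed]
    matched = sorted(g for g in set(claimed) if g in known_groups)
    user = accounts.setdefault(
        assertion.name_id, {"login": assertion.name_id, "groups": []})
    # Membership now follows the IdP on every login, including for
    # accounts that existed before SAML was enabled.
    user["groups"] = matched or [default_group]
    return user

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    accounts = {"alice@example.org":
                {"login": "alice@example.org", "groups": ["Admin"]}}
    known = {"Admin", "Compliance", "ReadOnly"}
    bob = Assertion("bob@example.org", {"groups": ["Compliance", "Unknown"]})
    print(login_jit(bob, accounts, known, "ReadOnly"))
```

With the authentication-only policy the identity provider decides who a user is but not what they may do; with Just-in-Time provisioning it also controls group membership, so the group filter and default group become part of the access-control boundary.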

Think on using or decided? :slight_smile:

If just in time provisioning is still a possibility please let me know, if not I will have to consider alternatives as we cannot connect Eramba to our ldap directory.

Thanks

hello,

saml 2.0 will be used as another authentication method alone, not used for syncing accounts to eramba, for that we use ldap.

sorry!

Can you put provisioning on the pipeline (even if it is not in the near future)? I guess that’s the major factor to use SAML instead of LDAP or OAuth which you already support.

For the time being we need to keep this as it is … sorry but we have too many fronts and we need to choose battles carefully!

Yes, understandable :wink:

taadaaaaa, SAML finally seems to work and will be part of release 2.7.0 (due for this week or next Monday)

video: https://youtu.be/0mRkqTg0aR0

THIS IS BETA!!! meaning, it should work but we are sure there will be updates.
