You are viewing the RapidMiner Server documentation for version 9.4 -Check here for latest version
SAML authentication
RapidMiner provides a convenient Single Sign On (SSO) functionality that integrates seamlessly with any existing Identity Access Management (IAM) platform, using the de facto standard SAML 2.0.
User authentication viaSAML 2.0 (Security Assertion Markup Language)provides:
- administratorswith a flexible way to configure the set of users who can use RapidMiner Server and to assign the appropriate rights to them.
- userswith a convenient way to authenticate themselves, by using their existing corporate Identity Provider (IdP).
When SAML is configured, RapidMiner Server requests user authentication by an IdP service provider, such asAuth0orMicrosoft Azure Active Directory. The passwords of SAML users are not stored in the database of RapidMiner Server. Instead, login attempts are managed by the IdP, and the IdP responds with a SAML authorization decision.
If the login is successful, group membership on RapidMiner Server is assigned based on the configuration ofmirror groupsand the group memberships provided in the SAML response.
SAML authentication is disabled by default, as it requires some configuration from the administrator.
Setup Steps
To use RapidMiner Server with SAML, the following steps are required:
- RapidMiner Server must be set up for HTTPS - seeEnabling HTTPS
- The IdP must be configured to properly handle RapidMiner - seeSet up IdP for use with RapidMinerbelow.
- RapidMiner must be configured for SAML use - SeeEnable SAML authentication
- RapidMiner must be configured withmirror groups
Set up IdP for use with RapidMiner
RapidMiner Server and the IdP must be set up to communicate correctly with each other.
The setup of RapidMiner Server is described inEnable SAML authentication.
国内流离失所者设置depends on the provider. Below are two common providers with some helpful configuration notes:
Auth0 seehttps://auth0.com/docs/protocols.saml/saml-idp-generic. Some basic settings for the Application are:
- Application Callback URL: https://SERVER_DNS:PORT/saml/SSO
- Application Type: ‘Regular Web Application’
- Token Endpoint Authentication Method: ‘Post’
- Allowed Callback URLs: https://SERVER_DNS:PORT/saml/SSO
- Allowed Logout URLs: https://SERVER_DNS:PORT/saml/SLO
Microsoft Azure Active Directory seehttps://docs.microsft.com/en-us/azure/active-directory/develop/quickstart-register-app. Some basic settings for the Application are:
- Redirect URIs Type ‘Web’ - Redirect URI https://SERVER_DNS:PORT/saml/SSO
- Logout URL https://SERVER_DNS:PORT/saml/SLO
- Implicit grant ‘Access tokens’ and ‘ID tokens’ selected.
- In the Manifest include ‘“groupMembershipClaims”: “All”,’ underneath the ‘“createdDateTime”’ key, for more info seehttps://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
- The ‘group’ being provided to Rapidminer server in the SAML message for the user in question is the Microsoft Azure Active Directory ObjectId of the group. Admin must use these ObjectIds when mapping between RapidMiner defined group and IdP provided group, and not the group strings name. This will be important to remember when setting up [mirror groups] configuration.
Read more:
- Enable SAML authentication
- Set upmirror groupsconfiguration to automatically manage LDAP/SAML users
- Configure username and group filtersto restrict access to RapidMiner Server to only a specific set of LDAP users
- Encrypt the local-security settings
- Enabling HTTPS
- Radoop Proxy can be extended to support this authentication method see documentationhere.