Categories

Versions

You are viewing the RapidMiner Server documentation for version 9.4 -Check here for latest version

SAML authentication

RapidMiner provides a convenient Single Sign On (SSO) functionality that integrates seamlessly with any existing Identity Access Management (IAM) platform, using the de facto standard SAML 2.0.

User authentication viaSAML 2.0 (Security Assertion Markup Language)provides:

  • administratorswith a flexible way to configure the set of users who can use RapidMiner Server and to assign the appropriate rights to them.
  • userswith a convenient way to authenticate themselves, by using their existing corporate Identity Provider (IdP).

When SAML is configured, RapidMiner Server requests user authentication by an IdP service provider, such asAuth0orMicrosoft Azure Active Directory. The passwords of SAML users are not stored in the database of RapidMiner Server. Instead, login attempts are managed by the IdP, and the IdP responds with a SAML authorization decision.

If the login is successful, group membership on RapidMiner Server is assigned based on the configuration ofmirror groupsand the group memberships provided in the SAML response.

SAML authentication is disabled by default, as it requires some configuration from the administrator.

Setup Steps

To use RapidMiner Server with SAML, the following steps are required:

  1. RapidMiner Server must be set up for HTTPS - seeEnabling HTTPS
  2. The IdP must be configured to properly handle RapidMiner - seeSet up IdP for use with RapidMinerbelow.
  3. RapidMiner must be configured for SAML use - SeeEnable SAML authentication
  4. RapidMiner must be configured withmirror groups

Set up IdP for use with RapidMiner

RapidMiner Server and the IdP must be set up to communicate correctly with each other.

The setup of RapidMiner Server is described inEnable SAML authentication.

国内流离失所者设置depends on the provider. Below are two common providers with some helpful configuration notes:

Auth0 seehttps://auth0.com/docs/protocols.saml/saml-idp-generic. Some basic settings for the Application are:

  • Application Callback URL: https://SERVER_DNS:PORT/saml/SSO
  • Application Type: ‘Regular Web Application’
  • Token Endpoint Authentication Method: ‘Post’
  • Allowed Callback URLs: https://SERVER_DNS:PORT/saml/SSO
  • Allowed Logout URLs: https://SERVER_DNS:PORT/saml/SLO

Microsoft Azure Active Directory seehttps://docs.microsft.com/en-us/azure/active-directory/develop/quickstart-register-app. Some basic settings for the Application are:

  • Redirect URIs Type ‘Web’ - Redirect URI https://SERVER_DNS:PORT/saml/SSO
  • Logout URL https://SERVER_DNS:PORT/saml/SLO
  • Implicit grant ‘Access tokens’ and ‘ID tokens’ selected.
  • In the Manifest include ‘“groupMembershipClaims”: “All”,’ underneath the ‘“createdDateTime”’ key, for more info seehttps://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
  • The ‘group’ being provided to Rapidminer server in the SAML message for the user in question is the Microsoft Azure Active Directory ObjectId of the group. Admin must use these ObjectIds when mapping between RapidMiner defined group and IdP provided group, and not the group strings name. This will be important to remember when setting up [mirror groups] configuration.

Read more: