Configuring SAML settings

If you want to configure your DataMiner System to use external authentication, the best way to do so is using SAML (Security Assertion Markup Language). This is supported from DataMiner 9.6.11 onwards.

To configure SAML, you will first need to set up authentication. For this, you need to generate a metadata file for the service provider (i.e. DataMiner) and a metadata file for the identity provider, and DataMiner and the identity provider need to exchange metadata files. This way, a trust relationship between the two is established. The following metadata must be shared between DataMiner and the identity provider service: Entity ID, Cryptographic Keys, Protocol Endpoints (bindings, locations). Once this is done, you then need to configure user provisioning.

You can find detailed information about this configuration for the different supported identity providers here:

• Microsoft Entra ID (formerly Azure AD)
• Azure B2C
• Okta

Once everything has been correctly configured, if users try to log in to the DMA using external authentication via SAML, they will be redirected to a login page of the identity provider. That page will authenticate them and return a SAML response, which DataMiner will use to either grant or deny access.

Please note the following:

• Any DataMiner Agent configured for SAML external authentication must be accessible via HTTPS.

• DataMiner integrates with identity providers using version 2.0 of the SAML protocol. Compatibility with older SAML versions is not supported. In addition, the identity provider must support redirect binding for communication between the service provider (i.e. DataMiner) and the identity provider. Most SAML identity providers support redirect binding by default.

• DataMiner uses service provider-initiated Single Sign-On (SSO) through redirect binding. It does not support the use of POST or SOAP binding for requests. However, standard POST binding is used for responses.

  Tip

  For a comprehensive understanding of the SAML process, including the encoding and encryption guidelines that DataMiner follows, refer to the official SAML Documentation: SAML Technical Overview.

• DataMiner will expect one of the claims provided by the identity provider to be the "name" claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This field must contain either the username or the email address.

• If a default username is not in email format or if DataMiner is unable to locate it, add a <PreferredEmailClaim> element to the <AutomaticUserCreation> element in DataMiner.xml that refers to a claim containing a valid email address tag. See Configuring DataMiner.xml to use external authentication.

• If there are two DataMiner users who share the same email address, both users will not be able to log in. To prevent this from happening, we recommended not using more than one method to add users. For example, do not add Windows domain users if the Entra ID users use the same email address.

• To use external authentication for DataMiner Low-Code Apps, you must use DataMiner 10.3.5 or higher.

• For DataMiner Cube, it is possible to bypass the external authentication provider by entering an explicit username/password combination. However, prior to DataMiner 10.1.11/10.2.0, this is only possible for the Administrator user.

• For the Web apps, when external authentication is enabled, it is no longer possible to log in with local accounts. As a workaround, since you do not need to configure external authentication on every DMA of the cluster, you can log in to the web apps using external authentication on one DMA and log in using a local account on another DMA.

Tip

See also: Troubleshooting SAML issues