Prerequisites
- Java SDK 17+
- OpenSSL 1.0.2+
- Network access to the IdP and to the InsightFinder engine.
- A dedicated domain name for the relay service.
Installation
1. Transfer the files for the SAML Relay Service:
cp downloads/saml.jar <YOUR_DIR>/
cp downloads/application.yml <YOUR_DIR>/
2. Start the service with the configuration file (run from <YOUR_DIR>, where application.yml was copied):
java -jar saml.jar --spring.config.location=file:./application.yml
Configuration
1. Generate a self-signed certificate and private key for the Service Provider (valid for 365 days):
openssl req -newkey rsa:2048 -nodes -keyout sp.key -x509 -days 365 -out sp.crt
2. Update the basic configuration section in application.yml:
Item | Description | Example Value |
---|---|---|
server.port | The port this service listens on. | 8080 |
insight-finder.serverUrl | The URL of the InsightFinder engine. | https://app.insightfinder.com |
insight-finder.samlUrl | The full URL of this SAML relay service. | https://saml.insightfinder.com:8080 |
insight-finder.sp-key | The path to the Service Provider key generated in step 1. | /app/certs/sp.key |
insight-finder.sp-cert | The path to the Service Provider certificate generated in step 1. | /app/certs/sp.crt |
3. Update the Identity Provider section saml.idp.your-idp in application.yml:
Item | Description | Example Value |
---|---|---|
entity-id | The URL of the IdP's SAML 2.0 metadata XML. | https://xxx.teleport.sh/enterprise/saml-idp/metadata |
firstname-key | The attribute name in the SAML principal that carries the user's first name. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
lastname-key | The attribute name in the SAML principal that carries the user's last name. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
email-key | The attribute name in the SAML principal that carries the user's email address. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
singlesignon-url | The URL of the Identity Provider's SAML 2.0 SSO service. | https://xxx.teleport.sh/enterprise/saml-idp/sso |
idp-cert | The path to the Identity Provider's signing certificate. | /app/certs/SAML-IDP-X509.pem |
4. Register the SAML relay service in the InsightFinder engine:
vi /opt/jetty/webapp/ROOT/WEB-INF/classes/saml.json
Add one entry that maps every email address ending in @examplecompany.com to this SAML relay service (<YOUR_IDP> is the IdP name used under saml.idp in step 3):
"@examplecompany.com": "https://<SAML_RELAY_SERVER>/saml2/authenticate/<YOUR_IDP>"
IdP Setup
Teleport
- Start adding a new SAML application by clicking Enroll New Resource in the Teleport dashboard.
- Record the following information; it is needed to configure the InsightFinder SAML Relay service:
  - Entity ID
  - SSO URL
  - X-509 Certificate
- Configure the InsightFinder Service Provider:
  - App Name: InsightFinder SAML
  - Entity ID: https://<SAML_RELAY_SERVER>/saml2/service-provider-metadata/<YOUR_IDP>
  - ACS URL: https://app.insightfinder.com/auth/login2
In the Attribute mapping section, add 3 attributes:
Attribute Name | Attribute Name Format | Attribute Value |
---|---|---|
firstname | unspecified | user.spec.traits.firstname |
lastname | unspecified | user.spec.traits.lastname |
email | unspecified | user.spec.traits.email |
Microsoft
- Select the following option to create an application in Microsoft Entra.
- Select SAML under single sign-on.
- Configure the SAML settings:
In section 1, input the following:
Identifier (Entity ID): https://saml.insightfinder.com/saml2/service-provider-metadata/insightfinder
Reply URL (Assertion Consumer Service URL): https://saml.insightfinder.com
Note that the suffix of the identifier (insightfinder) is the IdP name configured in the InsightFinder SAML application (application.yml).
Skip section 2 and send the App Federation Metadata Url to us so that we can configure it in the InsightFinder SAML application (application.yml).
Feel free to test it in section 5.
- If you run into this issue while testing, add the user to the application you just created.