SAML integration

InsightFinder supports SAML 2.0 through one additional SAML relay service that processes all SSO requests from any SAML 2.0 IdP, such as Microsoft Entra ID and Teleport.

Figure 1

Prerequisites

  • Java SDK 17+
  • OpenSSL 1.0.2+
  • Network access to the IdP and InsightFinder engine.
  • A dedicated domain.

Installation

    1. Transfer the files for the SAML Relay Service

cp downloads/saml.jar <YOUR_DIR>/
cp downloads/application.yml <YOUR_DIR>/

    2. Start the service with the configuration file

java -jar saml.jar \
  --spring.config.location=file:./application.yml

Configuration

    1. Generate a certificate for the Service Provider

openssl req -newkey rsa:2048 -nodes -keyout sp.key -x509 -days 365 -out sp.crt

    2. Update the basic configuration part of application.yml.

Item                       Description                                                        Example value
server.port                The port this service listens on.                                  8080
insight-finder.serverUrl   The URL of the InsightFinder engine.
insight-finder.samlUrl     The full URL of this SAML relay service.
insight-finder.sp-key      The path to the Service Provider key generated in step 1.          /app/certs/sp.key
insight-finder.sp-cert     The path to the Service Provider certificate generated in step 1.  /app/certs/sp.crt

    3. Update the Identity Provider part (saml.idp.your-idp) of application.yml.

Item              Description                                                            Example value
entity-id         The URL of the IdP's SAML 2.0 metadata XML.
firstname-key     The field in the SAML principal that holds the user's first name.
lastname-key      The field in the SAML principal that holds the user's last name.
email-key         The field in the SAML principal that holds the user's email address.
singlesignon-url  The URL of the Identity Provider's SAML 2.0 SSO service.
idp-cert          The path of the certificate from the Identity Provider.                /app/certs/SAML-IDP-X509.pem

    4. Register the SAML relay service in the InsightFinder engine:

vi /opt/jetty/webapp/ROOT/WEB-INF/classes/saml.json

Add one entry to map all email addresses ending with to this SAML relay service:

"": "https://<SAML_RELAY_SERVER>/saml2/authenticate/<YOUR_IDP>"
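As an added example (not from the InsightFinder documentation or the relay service itself), the script below runs through steps 1 to 4 in a throwaway directory: it generates the Service Provider certificate with the openssl command from step 1, checks that the key and certificate belong together, renders an application.yml from the keys listed in steps 2 and 3, verifies that every file and URL in that file is usable, and prints the saml.json entry from step 4. It assumes that the dotted keys in the tables map to nested YAML the way Spring Boot reads them; the hostnames, the IdP name your-idp, the email suffix and the attribute names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the InsightFinder documentation: runs step 1
# (SP certificate), checks the result, renders application.yml from the
# keys in steps 2 and 3, and prints the saml.json entry from step 4.
# Assumptions: the YAML layout is the dotted property names from the tables
# written as nested YAML (how Spring Boot reads them); hostnames, the IdP
# name "your-idp", the email suffix and the attribute names are placeholders.
set -eu

# Step 1 from the page, made non-interactive with -subj (CN is a placeholder).
gen_sp_cert() {
  dir="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/sp.key" -x509 -days 365 \
    -subj "/CN=insightfinder-saml-sp" -out "$dir/sp.crt" 2>/dev/null
  # -nodes leaves the private key unencrypted, so restrict it to the
  # account that runs the relay service.
  chmod 600 "$dir/sp.key"
}

# Succeeds only when the key and the certificate carry the same public key.
sp_pair_matches() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Render application.yml. Arguments: output path, server.port, engine URL,
# relay URL, certificate directory, IdP name, IdP metadata URL, IdP SSO URL,
# path of the IdP certificate.
write_application_yml() {
  out="$1"; port="$2"; engine="$3"; relay="$4"; certdir="$5"
  idp="$6"; idp_meta="$7"; idp_sso="$8"; idp_cert="$9"
  cat > "$out" <<EOF
server:
  port: $port
insight-finder:
  serverUrl: $engine
  samlUrl: $relay
  sp-key: $certdir/sp.key
  sp-cert: $certdir/sp.crt
saml:
  idp:
    $idp:
      entity-id: $idp_meta
      singlesignon-url: $idp_sso
      idp-cert: $idp_cert
      # Placeholder attribute names: use the names your IdP puts in the assertion.
      firstname-key: firstName
      lastname-key: lastName
      email-key: email
EOF
}

# Pre-start checks: every file the config points at must be readable and
# every URL in it must use https (the SAML messages travel over these URLs).
check_config() {
  cfg="$1"; rc=0
  for f in $(grep -E '^ *(sp-key|sp-cert|idp-cert): ' "$cfg" | sed 's/^[^:]*: *//'); do
    [ -r "$f" ] || { echo "missing file: $f" >&2; rc=1; }
  done
  for u in $(grep -E '^ *(serverUrl|samlUrl|entity-id|singlesignon-url): ' "$cfg" | sed 's/^[^:]*: *//'); do
    case "$u" in https://*) ;; *) echo "not https: $u" >&2; rc=1 ;; esac
  done
  return $rc
}

# The saml.json entry from step 4: key = email suffix to route to this
# relay (placeholder), value = the relay's authenticate URL for the IdP name.
saml_json_entry() {
  printf '"%s": "%s/saml2/authenticate/%s"\n' "$1" "$2" "$3"
}

main() {
  work=$(mktemp -d)
  gen_sp_cert "$work"
  sp_pair_matches "$work/sp.key" "$work/sp.crt" && echo "SP key/cert pair OK"
  # Constructed stand-in for the IdP certificate so the demo runs offline.
  cp "$work/sp.crt" "$work/SAML-IDP-X509.pem"
  write_application_yml "$work/application.yml" 8080 \
    https://engine.example.com https://saml.example.com "$work" your-idp \
    https://idp.example.com/metadata.xml https://idp.example.com/sso \
    "$work/SAML-IDP-X509.pem"
  check_config "$work/application.yml" && echo "application.yml references resolve"
  saml_json_entry "@example.com" https://saml.example.com your-idp
}
main
```

The key/certificate comparison catches the common mistake of pointing sp-key at a key from an earlier openssl run, and the https check catches a relay or engine URL left at http, which the IdP would reject or which would expose assertions in transit.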

IdP Setup

Teleport

  1. Start adding a new SAML application by clicking Enroll New Resource in the Teleport dashboard.
  2. Record the following information, as it has to be fed into the InsightFinder SAML Relay service:
    • Entity ID
    • SSO URL
    • X-509 Certificate
  3. Configure the InsightFinder Service Provider.
    • App Name: InsightFinder SAML
    • Entity ID: https:///saml2/service-provider-metadata/
    • ACS URL:
    In the Attribute mapping section, add 3 attributes:
    Attribute Name | Attribute Name Format | Attribute Value

Microsoft Entra ID

  1. Select the following option to create an application in Microsoft Entra
  2. Select SAML in single sign-on
  3. Configure the SAML settings. In section 1, enter the following:
    • Identifier (Entity ID):
    • Reply URL (Assertion Consumer Service URL): https://saml.insightfinder.com
    Note that the suffix of the identifier is configured in the InsightFinder SAML application (application.yml).
    Skip section 2 and send the App Federation Metadata URL to us, so that we can configure it in the InsightFinder SAML application (application.yml). Feel free to test the setup in section 5.
  4. If you run into this issue while testing, you need to add the user to the application you just created