SAML integration

InsightFinder supports SAML 2.0 through a separate SAML relay service that sits between the InsightFinder engine and the identity provider (IdP) and processes all SSO requests, whatever the IdP (for example Microsoft Entra ID or Teleport).

Figure 1

Prerequisites

  • Java 17 or later (JDK)
  • OpenSSL 1.0.2 or later (used to generate the Service Provider key pair)
  • Network access to the IdP and to the InsightFinder engine
  • A dedicated DNS name for the relay service; it forms the relay's URL (insight-finder.samlUrl) and its Service Provider entity ID

Installation

    1. Copy the SAML relay service files into the directory you will run it from


cp downloads/saml.jar <YOUR_DIR>/
cp downloads/application.yml <YOUR_DIR>/

    2. Start the service with its configuration file (run from <YOUR_DIR>)


java -jar saml.jar --spring.config.location=file:./application.yml

Configuration

    1. Generate a self-signed key pair for the Service Provider (the relay). sp.key is the relay's private key: restrict it to the account that runs the service and keep it out of version control. The certificate below is valid for 365 days, so plan to renew it and update the IdP side before it expires.


openssl req -newkey rsa:2048 -nodes -keyout sp.key -x509 -days 365 -out sp.crt

    2. Update the basic configuration section of application.yml. The dotted names below are YAML paths (server.port is the port key nested under server).

Item                      Description                                                     Example value
server.port               Port the relay service listens on                               8080
insight-finder.serverUrl  URL of the InsightFinder engine                                 https://app.insightfinder.com
insight-finder.samlUrl    Full external URL of this SAML relay service                    https://saml.insightfinder.com:8080
insight-finder.sp-key     Path to the Service Provider private key generated in step 1    /app/certs/sp.key
insight-finder.sp-cert    Path to the Service Provider certificate generated in step 1    /app/certs/sp.crt

    3. Update the Identity Provider section saml.idp.your-idp in application.yml. The key you choose in place of your-idp is the IdP registration ID; it becomes the last path segment of the relay's /saml2/... URLs.

Item              Description                                                                          Example value
entity-id         The IdP's entity ID (the URL of its SAML 2.0 metadata XML)                           https://xxx.teleport.sh/enterprise/saml-idp/metadata
firstname-key     Name of the SAML assertion attribute carrying the user's first name                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
lastname-key      Name of the SAML assertion attribute carrying the user's last name                   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
email-key         Name of the SAML assertion attribute carrying the user's email address               http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
singlesignon-url  URL of the IdP's SAML 2.0 single sign-on service                                     https://xxx.teleport.sh/enterprise/saml-idp/sso
idp-cert          Path to the X.509 signing certificate obtained from the IdP (used to verify assertion signatures)   /app/certs/SAML-IDP-X509.pem

    4. Register the SAML relay service in the InsightFinder engine by editing saml.json:


vi /opt/jetty/webapp/ROOT/WEB-INF/classes/saml.json


Add one entry that maps every email address ending in @examplecompany.com to this relay service. The last path segment (<YOUR_IDP>) is the registration ID used under saml.idp in application.yml, so one relay can serve several IdPs with one entry per email domain:


"@examplecompany.com": "https://<SAML_RELAY_SERVER>/saml2/authenticate/<YOUR_IDP>"
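Putting steps 1 to 4 together, below is a complete application.yml for one IdP registration, assembled from the keys in the two tables above. It is an added example, not a file shipped with the relay. The registration ID teleport, the host names and the certificate paths are assumptions; the attribute names firstname, lastname and email are the ones mapped on the Teleport side in the IdP Setup section, and for Microsoft Entra ID you would use the claim URIs shown in the table instead.

```yaml
# application.yml for the InsightFinder SAML relay (added example; keys taken from the tables above)
server:
  port: 8080                                     # server.port

insight-finder:
  serverUrl: https://app.insightfinder.com       # the InsightFinder engine
  samlUrl: https://saml.insightfinder.com:8080   # this relay, reachable from users' browsers and the IdP
  sp-key: /app/certs/sp.key                      # private key from the openssl step; readable by the relay's user only
  sp-cert: /app/certs/sp.crt                     # matching self-signed certificate (365 days, renew before expiry)

saml:
  idp:
    teleport:                                    # registration ID (assumed name); it is the <YOUR_IDP> suffix in
                                                 # /saml2/authenticate/teleport and /saml2/service-provider-metadata/teleport
      entity-id: https://xxx.teleport.sh/enterprise/saml-idp/metadata
      singlesignon-url: https://xxx.teleport.sh/enterprise/saml-idp/sso
      idp-cert: /app/certs/SAML-IDP-X509.pem     # X.509 signing certificate copied from the IdP
      firstname-key: firstname                   # attribute names exactly as mapped in Teleport
      lastname-key: lastname
      email-key: email
```

With this file the matching saml.json entry on the engine is "@examplecompany.com": "https://saml.insightfinder.com:8080/saml2/authenticate/teleport", and the Service Provider entity ID you give the IdP is https://saml.insightfinder.com:8080/saml2/service-provider-metadata/teleport. If the registration key under saml.idp and the path suffix in saml.json differ, the engine redirects users to a registration the relay does not know about.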


IdP Setup

Teleport
  1. In the Teleport dashboard, click Enroll New Resource and add a new SAML application.
  2. Record the following values from Teleport; they are fed into the relay's saml.idp section as entity-id, singlesignon-url and idp-cert:
    • Entity ID
    • SSO URL
    • X.509 certificate
  3. Configure the InsightFinder Service Provider:
    • App Name: InsightFinder SAML
    • Entity ID: https://<SAML_RELAY_SERVER>/saml2/service-provider-metadata/<YOUR_IDP>
    • ACS URL: https://app.insightfinder.com/auth/login2
    In the Attribute mapping section, add three attributes. Their names must match the firstname-key, lastname-key and email-key values in application.yml:
    Attribute name   Name format    Attribute value
    firstname        unspecified    user.spec.traits.firstname
    lastname         unspecified    user.spec.traits.lastname
    email            unspecified    user.spec.traits.email
Microsoft
  1. Create a new application in Microsoft Entra ID.
  2. Under Single sign-on, select SAML.
  3. Configure the SAML settings. In section 1 (Basic SAML Configuration), enter:
    • Identifier (Entity ID): https://saml.insightfinder.com/saml2/service-provider-metadata/insightfinder
    • Reply URL (Assertion Consumer Service URL): https://saml.insightfinder.com
    The suffix of the identifier (insightfinder) is the IdP registration ID configured in the relay's application.yml (saml.idp.insightfinder), so the two must match.
    Skip section 2. Send the App Federation Metadata Url to us so that we can configure it in the relay's application.yml, and feel free to test the sign-in from section 5.
  4. If the test fails with an error that the user is not assigned to the application, add the user to the application you just created.
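Teleport and Microsoft Entra ID both publish the values recorded above (entity ID, SSO URL, signing certificate) in a SAML 2.0 metadata document, and the signing certificate in particular rotates. The following Python script is an added example, not part of InsightFinder's relay, that parses IdP metadata and checks the three saml.idp values configured in the relay against it, so a stale idp-cert or a wrong singlesignon-url is caught before users hit a signature-validation failure. The metadata document and the certificate bytes are constructed inline for illustration (the "certificate" is not a real X.509 certificate); in practice you would fetch the metadata from the IdP's metadata URL over HTTPS and read idp-cert from the configured path.

```python
"""Check the relay's saml.idp.<idp> values against the IdP's published SAML 2.0 metadata.

Added example, not InsightFinder code. The metadata and certificate bytes below are
constructed for illustration; the certificate is not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml.ElementTree

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample bytes standing in for the IdP's current and rotated signing certificates.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample, not a real X.509 certificate").decode()
ROTATED_CERT_B64 = base64.b64encode(b"constructed sample, the IdP's next certificate").decode()

# Constructed IdP metadata in the shape Teleport publishes at .../enterprise/saml-idp/metadata.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.teleport.sh/enterprise/saml-idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.teleport.sh/enterprise/saml-idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.teleport.sh/enterprise/saml-idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The saml.idp.<idp> values from application.yml; idp-cert here holds the PEM content read from the configured path.
RELAY_IDP_CONFIG = {
    "entity-id": "https://example.teleport.sh/enterprise/saml-idp/metadata",
    "singlesignon-url": "https://example.teleport.sh/enterprise/saml-idp/sso",
    "idp-cert": "-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_B64 + "\n-----END CERTIFICATE-----\n",
}


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 over the DER bytes, so a PEM file and a metadata <X509Certificate> compare equal."""
    body = "".join(
        line.strip() for line in pem_or_b64.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the entity ID, SSO endpoints per binding and signing-cert fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: not an IdP, or the wrong document")
    sso = {svc.get("Binding"): svc.get("Location") for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' attribute means signing and encryption
            continue
        certs.extend(cert_fingerprint(c.text) for c in kd.findall(".//ds:X509Certificate", NS))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_idp_config(cfg: dict, metadata: dict) -> list:
    """Return the mismatches between the relay's IdP config and the metadata; an empty list means consistent."""
    problems = []
    if cfg["entity-id"] != metadata["entity_id"]:
        problems.append(f"entity-id: configured {cfg['entity-id']!r}, IdP publishes {metadata['entity_id']!r}")
    sso_url = cfg["singlesignon-url"]
    if not sso_url.startswith("https://"):
        problems.append(f"singlesignon-url: {sso_url!r} must use https")
    if sso_url not in metadata["sso"].values():
        problems.append(f"singlesignon-url: {sso_url!r} is not a SingleSignOnService Location in the metadata")
    fp = cert_fingerprint(cfg["idp-cert"])
    if fp not in metadata["signing_certs"]:
        problems.append(f"idp-cert: sha256 {fp[:16]}... is not a signing certificate the IdP currently publishes")
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for label, cfg in (("current", RELAY_IDP_CONFIG),
                       ("stale", {**RELAY_IDP_CONFIG, "idp-cert": ROTATED_CERT_B64})):
        print(label, check_idp_config(cfg, md) or "OK")
```

Run it after every IdP change and on a schedule: when the IdP publishes a new signing certificate, the "stale" case is what you will see, and the fix is to copy the new certificate to the idp-cert path and restart the relay before the IdP stops signing with the old one.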