SAML

SAML (Security Assertion Markup Language) is an open standard that allows identity providers (IdPs) to pass authorization credentials to service providers (SPs) via transactions that use XML (extendible markup language)

On-premise / private cloud instances

Local Setup

Required configuration steps

Hyperscience currently supports SP-initiated SSO. To enable SAML authentication in the system:

  1. Add the following setting to your .env file:

    # Enables SAML Authentication
    HS_LOGIN_ENABLE_SAML=true

    Authentication

    Only ONE of SAML, OpenID Connect, LDAP or Google authentication can be enabled.

  2. Set the value of SAML_ENTITY_ID to the same value that is registered with your IdP. The Entity ID should be a unique identifier for your Hyperscience installation and is usually set to its URL.

SAML_ENTITY_ID=http://your.hyperscience.url
  1. Make an XML metadata file that describes the configuration of your IdP available to your Hyperscience installation. We provide two options for this step:

Remote metadata URL

If your IdP’s metadata is publicly available, you can point Hyperscience to that URL:

SAML_METADATA_URL=http://idp.metadata.url

For example, your SAML_METADATA_URL variable may look like this:

SAML_METADATA_URL=https://www.server.com:8080/context/saml/metadata

Local metadata file

If the metadata is not hosted or is not accessible to your Hyperscience installation, you may download its file from your IdP and make it accessible to Hyperscience:

  • Create /mnt/hs/certs folder on each machine running Hyperscience:

    mkdir -p /mnt/hs/certs
  • Apply  proper SELinux context if enabled (Redhat has this enabled by default):

    chcon -t container_file_t -R /mnt/hs/certs
  • Create /mnt/hs/certs/metadata.xml file and put their IdP metadata.

  • Set SAML_METADATA_PATH=/etc/nginx/certs/metadata.xml

Internal path specification

This internal path specification does not exist on the machine running Hyperscience - just copy the value.

  1. Provide the group values that will map to Admin role inside Hyperscience. Currently, we accept one possible admin role.

SAML_ADMIN_PERMISSION_ROLE=your_admin_group

Identity configuration

A user’s identity in SAML is mapped to their username in Hyperscience. By default, Hyperscience assumes that identity is case-sensitive but configurable. See the table below for more details:

Environment Variable

Default

Description

SAML_DJANGO_USER_MAIN_ATTRIBUTE_CASE_SENSITIVE

TRUE

Identity in IdP is case-sensitive.

Configuring attribute mapping

Hyperscience supports SAML attribute mapping, allowing you to auto-populate user-specific information in Hyperscience based on the data stored in your IdP. Below is a list of the supported attribute values. These values are fully customizable.

Environment Variable

Default (Attribute Name)

Description

SAML_USER_AUTH_ATTR

authorities

The name of the attribute used to identify the user's group

SAML_USER_FIRST_NAME_ATTR

FirstName

Name of IdP's attribute for a user's first name

SAML_USER_LAST_NAME_ATTR

LastName

Name of IdP's attribute for a user's last name

Configuring authentication request and response options

Response and assertions signature requirements

Hyperscience supports both signed and unsigned assertions and responses from the identity provider. In addition, Hyperscience may require only signed responses. You can control this behavior via the following environment variables (default values shown below):

SAML_WANT_ASSERTIONS_SIGNED=False
SAML_WANT_RESPONSE_SIGNED=True

The SAML_WANT_RESPONSE_SIGNED variable is available only in v32 and later.

Encrypted assertions

In certain deployment scenarios, an identity provider encrypts the assertions within a response. To enable Hyperscience to decrypt such responses you need to:

Obtain a certificate and key for decryption from the identity provider. See your identity provider documentation for specific steps on how to do this.

  • Create /mnt/hs/certs/saml folder on each machine running Hyperscience:

 mkdir -p /mnt/hs/certs/saml
  • Apply proper SELinux context if enabled (Redhat has it enabled by default):

 chcon -t container_file_t -R /mnt/hs/certs
 chcon -t container_file_t -R /mnt/hs/certs/saml
  • Create the following files:

    • /mnt/hs/certs/saml/encrypt-private-key.pem - holding the PEM encoded private key of the decryption certificate

    • /mnt/hs/certs/saml/encrypt-public-cert.pem - holding the PEM encoded decryption certificate

  • Set SAML_CONFIG_DIR=/etc/nginx/certs/saml

  • Set SAML_DECRYPT_ASSERTIONS=True

This internal path specification does not exist on the machine running Hyperscience - just copy the value.

Signed authentication requests

Certain deployment scenarios might require Hyperscience to send signed authentication requests to the identity provider. Follow the steps below to configure this:

  1. Obtain certificate and key for request signing. This might require additional setup on the identity provider side. See the instructions for your IdP.

  2. Create /mnt/hs/certs/saml folder on each machine running Hyperscience:

mkdir -p /mnt/hs/certs/saml
  1. Apply proper SELinux context if applicable:

chcon -t container_file_t -R /mnt/hs/certs
chcon -t container_file_t -R /mnt/hs/certs/saml
  1. Create the following files:

  • /mnt/hs/certs/saml/sign-private-key.pem - holding the PEM encoded private key of the signing certificate

  • /mnt/hs/certs/saml/sign-public-cert.pem - holding the PEM encoded signing certificate

  1. Set SAML_CONFIG_DIR=/etc/nginx/certs/saml.

This is an internal path specification and it does not exist on the machine running Hyperscience - just copy the value.

  1. Set SAML_AUTHN_REQUESTS_SIGNED=True

Overriding Assertion Consumer Service URL (Optional)

If you're running v33.1.28 or later, you can use the SAML_ACS_URL.env file variable to override the assertion consumer service (ACS) URL.

Hyperscience tries to construct the ACS URL automatically based on application configurations and request headers. In some cases, however, (e.g., certain load-balancer setups, load balancers terminating HTTPS, Kubernetes deployments), a valid URL cannot be generated, leading to errors upon login.

In these cases, include the SAML_ACS_URL variable in your .env file, and set it to a URL in the following format:

<full_URL_including_protocol_to_Hyperscience_base>/saml2/acs/

Remote setup

Okta

These instructions will configure Hyperscience to use an Okta application as an IdP.  They use as many default values as possible, with the minimal configuration necessary on the Hyperscience side.

To set up your Okta application:

  1. Configure the General settings:

    1. Configure your application to use SAML authentication.

    2. Set your Single sign-on URL to the domain where Hyperscience is hosted, at the path /saml2/acs/, including the trailing slash.

    3. Set your Audience URI to your application's domain. This value must match the value of the SAML_METADATA_URL setting.

    4. Set the Application username to the field that you want to use to populate usernames inside Hyperscience.

okta_general.png

  1. To map first name, last name, and email from Okta to Hyperscience, set the following user attributes. These values will work with Hyperscience out of the box.

okta_user_attributes.png

  1. We require group information to determine a user's access permissions inside Hyperscience.

    1. To send this information, create an Okta filter that includes all groups of users who will be accessing Hyperscience. You can use the Contains or Match Regex filter functionality to do so.

    2. These groups should match the values of SAML_STAFF_PERMISSION_ROLES and SAML_ADMIN_PERMISSION_ROLE.

  2. You can find the link to your IdP's metadata by clicking Identity Provider metadata, as shown below. Copy this link's URL, and set the value of SAML_METADATA_URL to this URL.

okta_metadata_revised.png

  1. Configure your Hyperscience .env:

# Required settings
HS_LOGIN_ENABLE_SAML=true
SAML_ENTITY_ID=http://<YOUR_HYPERSCIENCE_URL>
SAML_METADATA_URL=https://<YOUR_DOMAIN>.okta.com/app/<APP_ID>/sso/saml/metadata
#At least one of the below settings is required
SAML_STAFF_PERMISSION_ROLES=staff_group_a,staff_group_b,...
SAML_ADMIN_PERMISSION_ROLE=admin_group

To learn how to map authentication groups from your identity provider to Hyperscience permission groups, see the Managing Authentication Groups article for your version of Hyperscience.

SaaS instances

The steps required to integrate your SAML IdP with Hyperscience depend on the version of Hyperscience you’re running.

New deployments of v38

If you want to integrate your SAML IdP with Hyperscience, you can set up and manage that integration in the Hyperscience application.

This feature is only available for new deployments of v38. If you’ve upgraded to v38 and currently have SAML authentication set up in your instance, your integration will still be managed by Hyperscience. See Upgrade Process Overview for more information.

Prerequisites

Before starting the setup process described below, ensure that you have:

  • Communicated to  your Hyperscience representative that you want to manage your SAML setup in your application.

  • Added at least one user record to your SAML authentication provider.

Integrating your IdP with Hyperscience

  1. In your IdP, create an application. Hyperscience will use this application to connect to your IdP.

  2. In your IdP, create at least one user group for Hyperscience administrators and assign a user to it. You need this group name for the next steps.

  3. In the Hyperscience application, go to the System Settings page (Administration > System Settings), and in the View drop-down menu at the top of the page, click on Security & Identity.

  4. In the Identity Provider card, click Edit.  

  5. Select the Enabled checkbox.

  6. In the Identity Provider Name field, enter a name for the IdP. This name will appear on the Log In button on the login page (Log In With <Identity Provider Name>, e.g., Log In With Azure AD).

  7. In the Identity Provider Organization field, enter a name for the main point of contact for the IdP at your organization.

  8. Click on SAML.  

  9. Enter the requested information in the top five fields. The first two fields are required, and either the third or fourth field is required, depending on your preferred configuration.  

  10. In the bottom six fields (Username Field Name on the SAML Data up to and including Staff Groups on the IdP Side (Comma Separated: GroupA,GroupB)), enter the requested field mappings from your IdP to Hyperscience. This information can be obtained from the metadata XML from the IdP.  

  11. Select the checkboxes for any of the optional settings you would like to apply to your integration.  

  12. Click Show Hyperscience configuration for selected identity provider.  

  13. Copy the information from the Information to use with your identity provider window that appears, and paste it into the respective fields in your IdP.  

  14. Click Save at the top of the Identity Provider card.  

  15. Create additional groups in your IdP for non-admin users, and map them to their Hyperscience roles by following the instructions in Managing Authentication Groups.

    v37 and earlier / Upgrades to v38

    You can integrate your SAML authentication provider with Hyperscience by providing the following information to your Hyperscience representative:

    • The SAML group name for users accessing the Hyperscience instance

    • The SAML group name for users who should be in the “System Admin” permission group in Hyperscience

    • IdP metadata

      • SAML metadata XML file

      • IdP Cert (b64-encoded), if not included in the metadata XML file

      • SAML Request Binding (defaults to HTTP POST)

    • SAML SSO URL

    • SAML SSO destination

    • SAML username assertion  

      • This assertion should contain the user’s email address.

      • Defaults to subjectNameId.

    • Should SP sign SAML requests sent to the IdP? (yes/no)

      • If yes, specify the signature algorithm (defaults to SHA-256).

    • Should IdP sign SIGM requests sent to the SP? (yes/no)

      • If yes, specify the signature algorithm (defaults to SHA-256).

    After we receive this information, we will set up the integration with your IdP and Hyperscience.