Versions Compared

Old Version 3

changes.mady.by.user Patrice Neff

Saved on

compared with

New Version Current

changes.mady.by.user Nathan Gosse

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

How to set up Squirro Single Sign-On with Microsoft Active Directory Federation Services (ADFS).

Table of Contents

Table of Contents
excludeTable of Contents

Install Dependencies

...

Configure ADFS

This walk-through assumes ADFS 2.0. Adjust the process correspondingly for 3.0.

Relying Party Trust

  1. Open the AD FS Console and "Add Relying Party Trust"
  2. Enter data about the relying party manually
    Image Removed
  3. For display name enter "Squirro"
  4. Choose the AD FS 2.0 profile
  5. Enable support for SAML 2.0 WebSSO protocol. The service URL is https://SQUIRRO/sso/callback (URL of your Squirro installation plus the path /sso/callback)
    Image Removed
  6. For the relying party trust identifier enter https://sso.squirro.com/o/saml2/entity
    Image Removed
  7. In the last step confirm that you want to open the Edit Claim Rules dialog.

Claim Rules

  1. Choose the claim rule template "Send LDAP Attributes as Claims"
    Image Removed
  2. Select the E-Mail-Address attribute and send it as the Name ID.
    Image Removed

Export Federation Metadata

Download the FederationMetadata.xml file. This can be downloaded from the ADFS server at https://ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml.

Configure SAML Metadata

To configure SAML Single Sign-On with the federation metadata file, go to the Server space in Squirro and in the navigation on the left select Single Sign-On (SAML).

Press the red plus button on the top right. Fill out the form:

  • Domain: *
  • Enabled: Check
  • Metadata file: upload the FederationMetadata.xml file
  • User group: Select a user group which should be assigned to all SSO users

Image Removed

Enable SSO

For security reasons, the final configuration needs to be done directly on the server. Log into the server using SSH or similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:

Code Block
[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reduce HTTP Session

By default Squirro will keep user sessions for 30 days, surviving browser restarts as well. In a Single Sign-On environment, this should be changed to the session expiring once the user restarts the browser. This can be achieved by changing /etc/squirro/frontend.ini and adding the following lines:

...

This page can now be found at ADFS Setup on the Squirro Docs site.