
Paxata Cloud Admin: SAML Login Integration Self-Service Setup Guide

What you will learn:

How to configure Paxata and your Identity Provider to use SAML 2.0 SSO to log in to paxata.com.

What you will need before setup starts:

1. Credentials to create a SAML 2.0 application in your Identity Provider, such as Okta or PingOne.
2. A Linux client which can run bash scripts.

Detailed steps for self-service setup:

  1. Inform Paxata (via [email protected]) that SAML integration is requested. In the request email, please let us know the following:
    1. Whether you would like a new tenant for SAML, or whether you would like to integrate your existing cloud tenant with SAML. If it is an existing tenant, what is your login user name?
    2. What is your SAML identity provider?
    You will get a notification when you are ready to proceed to step 2.
  2. The notification email will contain the REST token of a temporary user used to configure SAML in your tenant, as well as your tenant Id. Both are passed to the cloud-samlconfig.sh script below.
  3. Define an alias. It can be any value. For example: tenantOrange. No action is required at this point.
  4. Define the SP Entity Id. It can be any value in URI format. For example: urn:orange:tenantOrange:sso:paxata.com. No action is required at this point.
  5. Create your SAML application in your Identity Provider. If you are using Okta as your Identity Provider, log in as an Okta admin and create a new SAML application by clicking "Create New App".
  6. Choose SAML 2.0 in the pop-up and click Create.
  7. In General Settings, enter your SAML application name, such as "Paxata", and click Next.
  8. In the Okta SAML Settings step, set the following values:
    1. Single Sign On URL (aka Assertion Consumer Service): core server hostname URL + "/sso/saml/SSO/alias/" + alias. For example: https://orange.paxata.com/sso/saml/SSO/alias/tenantOrange
    2. Check the "Use this for Recipient URL and Destination URL" checkbox, so that the SSO URL, Recipient URL and Destination URL are identical.
    3. Audience Restriction (SP Entity Id): for example, urn:orange:tenantOrange:sso:paxata.com
    4. Name ID Format: EmailAddress
    5. Application Username: Okta username
    6. Add two Attribute Statements: (1) Name: email; Value: ${user.email}. (2) Name: displayName; Value: ${user.firstName}
    7. Add a Group Attribute Statement: Name = ds_groups; Value Filter: Contains "Paxata" (or whatever Okta groups are allowed to log in to Paxata).
    8. Click Next. Choose "I'm a software vendor. I'd like to integrate my app with Okta". Click Finish. The SAML application is created.
  9. If you are using PingOne as your identity provider, click the Applications tab and add a NEW SAML Application.
  10. Enter your Application Name/Description/Category, such as "Paxata2". Click Continue to Next Step.
  11. In Application Configurations, set the Assertion Consumer Service (ACS). For example: https://orange.paxata.com/sso/saml/SSO/alias/tenantOrange.
  12. In Application Configurations, set the Entity Id. For example: urn:orange:tenantOrange:sso:paxata.com.
  13. Optionally, in Application Configurations, set the Single Logout URL. For example: https://orange.paxata.com/sso/saml/SingleLogout/alias/tenantOrange
  14. Click Continue to Next Step.
  15. In SSO Attribute Mapping, add the SSO attributes: (1) email -> Email; (2) displayName -> firstName; (3) ds_groups -> memberOf.
  16. Click "Save & Publish".
  17. (For Okta or PingOne) From the SAML application page:
    1. Download the IdP metadata XML for later use.
    2. Extract the IdP entityID value from this file for later use. It is the entityID attribute of the md:EntityDescriptor root element, for example:
      <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxx">
    3. Assign the SAML groups associated with the Paxata SAML application, such as:
      1. GroupA: Sample Paxata Okta Business Users Group
      2. GroupB: Sample Paxata Okta Admin Users Group
    4. (If necessary) Assign this SAML application to the group(s) that want to access Paxata.
  18. Create the Paxata SAML config file. A sample template is available here: sample-samlconfig.json. Replace each value marked “Replace Me” with the actual value. Here is the list of fields to replace:
    1. entityId – the SP Entity Id defined when you created the SAML application. For example: urn:orange:tenantOrange:sso:paxata.com
    2. alias – the alias you defined. For example: tenantOrange.
    3. idpEntityId – the entityID extracted from the IdP metadata XML. For example: http://www.okta.com/xxxxxx.
    4. provisionOnLogin – set to true, so that newly mapped Paxata groups are auto-generated.
    5. attributeNameForGroups and attributeNameForRoles – the Group Attribute Statement name defined when you created the SAML application. For example: ds_groups.
    6. fieldMapping – the Attribute Statement names defined when you created the SAML application. For example: { "email" : "email", "displayname" : "displayName" }
    7. groupMapping – defines which Paxata group(s) should be mapped to the SAML group(s) assigned to this application. remoteName is your SAML group name; paxataName is the Paxata group name. For example:
        "groupMapping" : [
          {
            "remoteName" : "Sample Paxata Okta Business Users Group",
            "paxataName" : "Pax-AllUsers"
          },
          {
            "remoteName" : "Sample Paxata Okta Admin Group",
            "paxataName" : "Pax-AllUsers"
          }
        ],
    8. roleMapping – defines which Paxata role(s) should be mapped to the SAML group(s) assigned to this application. remoteName is your SAML group name; paxataName is the Paxata role name. Here is the list of system-defined roles in Paxata. All roles defined in the SAML tenant must be mapped to at least one SAML group. Each SAML remote group can be mapped to more than one role. For example:
        "roleMapping" : [
          {
            "remoteName" : "Sample Paxata Okta Business Users Group",
            "paxataName" : "PowerUser"
          },
          {
            "remoteName" : "Sample Paxata Okta Business Users Group",
            "paxataName" : "Automation"
          },
          {
            "remoteName" : "Sample Paxata Okta Business Users Group",
            "paxataName" : "RemoteAccess"
          },
          {
            "remoteName" : "Sample Paxata Okta Admin Group",
            "paxataName" : "ResourceAdmin"
          },
          {
            "remoteName" : "Sample Paxata Okta Admin Group",
            "paxataName" : "Admin"
          },
          {
            "remoteName" : "Sample Paxata Okta Admin Group",
            "paxataName" : "Automation"
          },
          {
            "remoteName" : "Sample Paxata Okta Admin Group",
            "paxataName" : "RemoteAccess"
          }
        ]
    9. Save the file as samlconfig.json.
  19. See the help text of the script to find out which arguments are required:
    ./cloud-samlconfig.sh -h

    Run the script with the REST token and tenant Id from your notification email (see step 2). For example:

       ./cloud-samlconfig.sh -t TH1taFvlC2BAMzZGFuqimetLZiZAiactujX1ohmvp/8= -s fd0acf07d19c416a86b8673f233097aa -c https://orange.paxata.com -m samlconfig.json -o paxata-sp-metadata.xml -i mycompany-idp-metadata.xml

  20. Inform Paxata (via [email protected]) when the last step above is done. Paxata will then switch the tenant to SAML authentication instead of local authentication. You will get a notification that the setup is done, and you can then proceed with a SAML login test in the Paxata UI.
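Before running cloud-samlconfig.sh in step 19, it pays to check samlconfig.json against the IdP metadata and the rules of step 18 (no "Replace Me" left, idpEntityId matching the metadata, provisionOnLogin true, every tenant role mapped). The Python check below is an added example, not part of this guide or of the cloud-samlconfig.sh script; its config values and metadata snippet are constructed, and the list of system-defined roles is a parameter you supply.

```python
import xml.etree.ElementTree as ET

# Constructed inputs (not from the page): a filled-in samlconfig.json and the
# root element of the IdP metadata XML as Okta or PingOne export it.
SAMPLE_CONFIG = {
    "entityId": "urn:orange:tenantOrange:sso:paxata.com", "alias": "tenantOrange",
    "idpEntityId": "http://www.okta.com/xxxxxx", "provisionOnLogin": True,
    "attributeNameForGroups": "ds_groups", "attributeNameForRoles": "ds_groups",
    "fieldMapping": {"email": "email", "displayname": "displayName"},
    "groupMapping": [{"remoteName": "Sample Paxata Okta Business Users Group",
                      "paxataName": "Pax-AllUsers"}],
    "roleMapping": [{"remoteName": "Sample Paxata Okta Business Users Group",
                     "paxataName": "PowerUser"}],
}
SAMPLE_IDP_METADATA = ('<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor '
    'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxx"/>')

def find_placeholders(node, path="$"):
    """JSON paths of every string value still reading 'Replace Me'."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_placeholders(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and "replace me" in node.lower() else []

def idp_entity_id(metadata_xml):
    """entityID attribute of the root md:EntityDescriptor in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    return root.get("entityID")

def acs_url(cfg, core_host):
    """Single Sign On URL (ACS) the IdP must be given for this tenant alias."""
    return f"{core_host}/sso/saml/SSO/alias/{cfg['alias']}"

def validate_samlconfig(cfg, metadata_xml, tenant_roles):
    """Return a list of problems; an empty list means the file is ready to use."""
    problems = [f"placeholder not replaced at {p}" for p in find_placeholders(cfg)]
    if cfg.get("idpEntityId") != idp_entity_id(metadata_xml):
        problems.append("idpEntityId does not match entityID in the IdP metadata")
    if cfg.get("provisionOnLogin") is not True:
        problems.append("provisionOnLogin must be true so mapped groups auto-create")
    if cfg.get("attributeNameForGroups") != cfg.get("attributeNameForRoles"):
        problems.append("attributeNameForGroups and attributeNameForRoles differ")
    if "email" not in cfg.get("fieldMapping", {}):
        problems.append("fieldMapping has no 'email' entry")
    mapped = {m.get("paxataName") for m in cfg.get("roleMapping", [])}
    problems += [f"role {r} has no SAML group" for r in sorted(set(tenant_roles) - mapped)]
    return problems
```

Compare the value returned by acs_url with the Single Sign On URL (Okta) or ACS (PingOne) you entered in the IdP; a mismatch there is the usual cause of a failed first login.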
