
Paxata OnPremise Admin: How to create SAML tenant

For Paxata On-Premise Administrators who would like to integrate a SAML Identity Provider with an on-premise Paxata instance, here are the steps:

Before you begin, confirm that the SSL JKS files are configured properly in both jetty.properties and px.properties. For example:
In /usr/local/paxata/server/config/jetty.properties:
px.port=80
px.port.redirect=true
px.port.redirect.to=443
px.use.ssl=true
px.ssl.port=443
px.ssl.cert.alias=paxata
px.ssl.keystore=admin.jks
#encryptable
px.ssl.keystore.password=paxata
px.ssl.truststore=admin.jks
#encryptable
px.ssl.truststore.password=paxata
 
In /usr/local/paxata/server/config/px.properties:

#
# SSO configuration
#
px.sso.JKSKeyManager.storeFile=admin.jks
#encryptable
px.sso.JKSKeyManager.key=paxata
#encryptable
px.sso.JKSKeyManager.pass=paxata
 
  1. Log in as superuser, or as any user with the SuperUser role.
  2. Create a new tenant called "SAML Tenant".
  3. Click the green Manage button next to SAML Tenant.
  4. While managing the SAML Tenant, click the Roles tab on the right.
  5. Review the system-defined roles. The following roles exist by default in any tenant:
    1. PowerUser – Project and Dataset read/write/update/delete
    2. Automation – Schedule automation jobs in the UI
    3. RemoteAccess – REST API access
    4. Admin – User and Role administration, plus PowerUser and RemoteAccess permissions
    5. ResourceAdmin – Full access to all datasets and projects within the tenant
    6. DatabaseAccess – Access to Hive tables exported from this tenant in the Paxata cloud
    7. SuperUser – All permissions, including Tenant Administration and Connector Config
Roles are configurable in Paxata tenants. In this exercise, we will delete the Admin, ResourceAdmin and DatabaseAccess roles and keep only the following roles in the SAML Tenant:
  • PowerUser
  • Automation
  • RemoteAccess
  • SuperUser
After removing the unwanted roles from the SAML Tenant, click Exit Tenant to return to the Admin UI of the current tenant.
  6. Copy the REST Token: click the person icon -> REST Token, and click NEW if no token exists yet.
  7. Copy the REST token value for later use in the script.
  8. Define an alias. It can be any value, for example tenantOrange. No action is required at this point.
  9. Define the SP Entity Id. It can be any value in URI format, for example urn:orange:tenantOrange:sso:mycompany.com. No action is needed at this point.
  10. Create your SAML application in your Identity Provider. If you are using PingOne as your identity provider, skip steps 10-13 and go to step 14. If you are using Okta as your Identity Provider, log in as an Okta admin and create a new SAML application by clicking "Create New App":
  11. Choose SAML 2.0 in the popup and click Create.
  12. In General Settings, enter your SAML application name, such as "Paxata", and click Next.
  13. In the Okta SAML Settings step, set the following values:
    1. Single Sign On URL (aka Assertion Consumer Service) -- core server hostname URL + "/sso/saml/SSO/alias/" + alias. For example, https://orange.mycompany.com/sso/saml/SSO/alias/tenantOrange
    2. Check the "Use this for Recipient URL and Destination URL" checkbox, so that the SSO URL, Recipient URL and Destination URL are identical.
    3. Audience Restriction (SP Entity Id). For example, urn:orange:tenantOrange:sso:mycompany.com
    4. Name ID Format: EmailAddress
    5. Application Username: Okta username
    6. Add two Attribute Statements: 1. Name: email; Value: ${user.email}; 2. Name: displayName; Value: ${user.firstName}
    7. Add a Group Attribute Statement: Name = ds_groups; Value: Filter Contains "Paxata" (or whatever Okta groups are allowed to log in to Paxata).
    8. Click Next. Choose "I'm a software vendor. I'd like to integrate my app with Okta". Click Finish. The SAML application is created.
  14. If you are using PingOne as your identity provider, click the Applications tab:
  15. Add a NEW SAML Application:
  16. Enter your Application Name/Description/Category, such as "Paxata2". Click Continue to Next Step.
  17. In Application Configurations, set the Assertion Consumer Service (ACS). For example: https://orange.mycompany.com/sso/saml/SSO/alias/tenantOrange.
  18. In Application Configurations, set the Entity Id. For example: urn:orange:tenantOrange:sso:mycompany.com.
  19. Optionally, in Application Configurations, set the Single Logout URL. For example: https://orange.mycompany.com/sso/saml/SingleLogout/alias/tenantOrange
  20. Click Continue to Next Step.
  21. In SSO Attribute Mapping, add the SSO attributes: 1. email -> Email; 2. displayName -> firstName; 3. ds_groups -> memberOf.
  22. Click "Save & Publish".
  23. (For Okta or PingOne) From the SAML application page:
    1. Download the IDP metadata XML for later use.
    2. Extract the IDP entityID value from this file for later use. It is the entityID attribute of the md:EntityDescriptor root element:
      1. <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxx">
      2. For PingOne the IDP entityID has the pattern "https://pingone.com/idp/xxxxxx"
    3. Assign the SAML groups associated with the Paxata SAML application, such as:
      1. GroupA: Sample Paxata Okta Business Users Group
      2. GroupB: Sample Paxata Okta SuperUsers Group
    4. (If necessary) Assign this SAML application to the group(s) that need access to Paxata.
  24. Create the Paxata SAML config file. A sample template is available as onprem-paxata-sample-samlconfig.json. Replace each "Replace Me" value with the actual value. Here is the list of fields to replace:
    1. entityId -- the SP Entity Id defined when you created the SAML application. For example: urn:orange:tenantOrange:sso:mycompany.com
    2. alias – the alias you defined. For example: tenantOrange.
    3. idpEntityId – the entityID extracted from the IDP metadata XML. For example: "http://www.okta.com/xxxxxx" or "https://pingone.com/idp/xxxxxx"
    4. provisionOnLogin – set to true, so that newly mapped Paxata groups are auto-generated.
    5. attributeNameForGroups and attributeNameForRoles – the Group Attribute Statement name defined when you created the SAML application. For example: ds_groups.
    6. fieldMapping – the Attribute Statement names defined when you created the SAML application. For example:
       {
         "email" : "email",
         "displayname" : "displayName"
       }
    7. groupMapping – defines which Paxata group(s) should be mapped to the SAML group(s) assigned to this application. remoteName is your SAML group name; paxataName is the Paxata group name. For example:
       "groupMapping" : [
         {
           "remoteName" : "Sample Paxata Okta Business Users Group",
           "paxataName" : "Pax-AllUsers"
         },
         {
           "remoteName" : "Sample Paxata Okta SuperUsers Group",
           "paxataName" : "Pax-AdminUsers"
         }
       ],
    8. roleMapping – defines which Paxata role(s) should be mapped to the SAML group(s) assigned to this application. remoteName is your SAML group name; paxataName is the Paxata role name (see the system-defined roles listed in step 5). All roles defined in the SAML tenant must be mapped to at least one SAML group. Each SAML remote group can be mapped to more than one role.
For example (assuming you only have the PowerUser, Automation, RemoteAccess and SuperUser roles in this tenant):
       "roleMapping" : [
         {
           "remoteName" : "Sample Paxata Okta Business Users Group",
           "paxataName" : "PowerUser"
         },
         {
           "remoteName" : "Sample Paxata Okta Business Users Group",
           "paxataName" : "Automation"
         },
         {
           "remoteName" : "Sample Paxata Okta Business Users Group",
           "paxataName" : "RemoteAccess"
         },
         {
           "remoteName" : "Sample Paxata Okta SuperUsers Group",
           "paxataName" : "SuperUser"
         }
       ]
  25. Save the file as samlconfig.json.
  26. See the help text of the script to find out which arguments are required:
./onprem_samlconfig.sh -h
  27. Run the script. For example:
   ./onprem_samlconfig.sh -n "SAML Tenant" -s TH1taFvlC2BAMzZGFuqimetLZiZAiactujX1ohmvp/8= -t TH1taFvlC2BAMzZGFuqimetLZiZAiactujX1ohmvp/8= -c https://orange.mycompany.com -m samlconfig.json -o paxata-sp-metadata.xml -i mycompany-idp-metadata.xml
  28. Now you can log in to the SAML Tenant using the URL below. Note that this URL is your unique entry point to this SAML tenant. Once connected, you should see a Continue button in the Paxata UI. Click it and you will be redirected to your IDP's SSO page to log in with your credentials.

https://orange.mycompany.com
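Before running onprem_samlconfig.sh, it is worth checking samlconfig.json offline against the IDP metadata and the tenant's role list, since a mismatched idpEntityId or an unmapped role only surfaces at login time. The script below is an added example, not Paxata's own tooling: it reads the entityID from the IDP metadata XML the same way the article describes (the entityID attribute of the md:EntityDescriptor root), builds the Assertion Consumer Service URL from the core server hostname and alias, and cross-checks the config fields the article lists (entityId, alias, idpEntityId, provisionOnLogin, attributeNameForGroups, attributeNameForRoles, groupMapping, roleMapping). The metadata document and config dictionary are constructed samples using the placeholder values from this article; the real sample template may contain additional keys, which the script does not inspect.

```python
"""Offline sanity checks for a Paxata on-premise SAML tenant config (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Roles left in the SAML Tenant after deleting Admin, ResourceAdmin and DatabaseAccess.
TENANT_ROLES = ["PowerUser", "Automation", "RemoteAccess", "SuperUser"]

# Constructed IDP metadata, shaped like the EntityDescriptor line shown in the article.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxx"/>
"""

# Constructed samlconfig.json content, using only the fields the article lists.
# The real template may carry additional keys; they are not inspected here.
SAMLCONFIG = {
    "entityId": "urn:orange:tenantOrange:sso:mycompany.com",
    "alias": "tenantOrange",
    "idpEntityId": "http://www.okta.com/xxxxxx",
    "provisionOnLogin": True,
    "attributeNameForGroups": "ds_groups",
    "attributeNameForRoles": "ds_groups",
    "fieldMapping": {"email": "email", "displayname": "displayName"},
    "groupMapping": [
        {"remoteName": "Sample Paxata Okta Business Users Group", "paxataName": "Pax-AllUsers"},
        {"remoteName": "Sample Paxata Okta SuperUsers Group", "paxataName": "Pax-AdminUsers"},
    ],
    "roleMapping": [
        {"remoteName": "Sample Paxata Okta Business Users Group", "paxataName": "PowerUser"},
        {"remoteName": "Sample Paxata Okta Business Users Group", "paxataName": "Automation"},
        {"remoteName": "Sample Paxata Okta Business Users Group", "paxataName": "RemoteAccess"},
        {"remoteName": "Sample Paxata Okta SuperUsers Group", "paxataName": "SuperUser"},
    ],
}


def idp_entity_id(metadata_xml):
    """Read entityID from the root md:EntityDescriptor element of IDP metadata."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def acs_url(core_server_url, alias):
    """Assertion Consumer Service URL = core server URL + /sso/saml/SSO/alias/ + alias."""
    return "%s/sso/saml/SSO/alias/%s" % (core_server_url.rstrip("/"), alias)


def find_placeholders(value, path="$"):
    """Return JSON paths of string values that still read 'Replace Me'."""
    if isinstance(value, dict):
        return [p for k, v in value.items() for p in find_placeholders(v, path + "." + k)]
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in find_placeholders(v, "%s[%d]" % (path, i))]
    return [path] if isinstance(value, str) and "replace me" in value.lower() else []


def check_samlconfig(config, metadata_xml, tenant_roles):
    """Cross-check samlconfig.json against the IDP metadata and the tenant's roles."""
    problems = ["placeholder left at " + p for p in find_placeholders(config)]
    if config.get("idpEntityId") != idp_entity_id(metadata_xml):
        problems.append("idpEntityId does not match entityID in IDP metadata")
    if not urlparse(config.get("entityId", "")).scheme:
        problems.append("entityId is not in URI format")
    if config.get("provisionOnLogin") is not True:
        problems.append("provisionOnLogin should be true")
    for key in ("alias", "attributeNameForGroups", "attributeNameForRoles"):
        if not config.get(key):
            problems.append(key + " is empty")
    mapped = {m.get("paxataName") for m in config.get("roleMapping", [])}
    for role in tenant_roles:  # every tenant role needs at least one SAML group
        if role not in mapped:
            problems.append("role %s has no SAML group mapped" % role)
    for role in sorted(mapped - set(tenant_roles)):  # e.g. a role deleted from the tenant
        problems.append("roleMapping names unknown role %s" % role)
    return problems


if __name__ == "__main__":
    print("samlconfig:", check_samlconfig(SAMLCONFIG, IDP_METADATA, TENANT_ROLES) or "ok")
    print("ACS URL:", acs_url("https://orange.mycompany.com", SAMLCONFIG["alias"]))
```

To use it against real files, load samlconfig.json with json.load and the downloaded metadata with open().read(), and pass the role names shown on the tenant's Roles tab; an empty problem list means the config is consistent with the metadata and with the rule that every role in the tenant is mapped to at least one SAML group.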
