Enterprise customers using a dedicated or on-premises Backtrace instance can configure Backtrace to authenticate with Single Sign-On (SSO) via a SAML provider.
Identity provider configuration
First, the identity provider configuration should be completed. The Entity ID should be set to https://saml.backtrace.io (for Backtrace hosted instances) and the Name ID should be set to primary email.
Backtrace configuration
On-premises (self-hosted) note: This functionality requires on-premises deployments to install and run the backtrace-saml package and service.
Logged in as a user with the Admin role, navigate to Main menu | Organization settings | Single sign-on.
Here, users are able to create a configuration with the information below:
- Required
  - Entity ID (issuer): ID for the service provider. By default, hosted Backtrace tenants will have a value of https://saml.backtrace.io for the Entity ID. This setting needs to be the same in your identity provider's configuration.
  - SSO URL: URL pointing to the identity provider.
  - Callback URL: URL to which the identity provider posts the SAML payload for the service provider (Backtrace). The format should follow the template https://saml.backtrace.io/api/sso/saml/{backtrace hostname}
    - Example: https://saml.backtrace.io/api/sso/saml/organization.sp.backtrace.io
- Optional
  - User provisioning: if enabled, allows the SAML SSO service to create a Backtrace user on the return of a successful assertion from the identity provider.
  - Admin contact: email contact displayed upon SSO login failure, to direct users to the appropriate SSO resources within the organization.
  - SAML request private key: Identity provider's private key for signing SAML requests. Includes signature algorithm and private key.
  - Certificate: Identity provider's public signing certificate used to validate the signatures of SAML Responses. Includes public certificate and private key.
  - Private key: Private key that will be used to attempt to decrypt any encrypted assertions from the identity provider.
Once the configuration is saved, a "Test configuration" button can be used to verify.
User management and authentication
Under Organization settings | Users, administrators are able to edit users' authentication methods. If SSO is configured, any existing Backtrace user will be able to log in via SSO as well as via the authentication method specified for them, if that method is different from saml. If a user's authentication method is set to saml, they will only be able to log in via SSO.
Troubleshooting
- Make sure encrypted assertions are disabled within your SAML Provider configuration.
- Make sure you're using primary email address as your NameID format.
- Make sure that your certificates are properly configured within saml.json and have the proper CNAMEs for your backtrace-saml host.
- On-premises: if you are seeing the error "Failed to login - Internal Error", make sure the IP address of your backtrace-saml service host is listed within the authenticated section of coronerd.conf.
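The configuration fields above and the troubleshooting items can be pre-checked against an IdP's SAML Response before troubleshooting a live login. The following is an added example (not Backtrace's own code) using only the Python standard library; it checks Destination against the callback URL, Audience against the Entity ID, the NameID format, and the absence of EncryptedAssertion, but it does not verify the XML signature, and the sample Response is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List

# Expected values from the Backtrace configuration described above.
ENTITY_ID = "https://saml.backtrace.io"
CALLBACK_URL = "https://saml.backtrace.io/api/sso/saml/organization.sp.backtrace.io"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(xml_text: str, entity_id: str = ENTITY_ID,
                   callback_url: str = CALLBACK_URL) -> List[str]:
    """Return the list of mismatches against the expected settings.

    An empty list means every structural check passed. This does NOT verify
    the XML signature; that still has to be done with the configured certificate.
    """
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    # Troubleshooting: encrypted assertions must be disabled at the IdP.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("EncryptedAssertion present; disable assertion encryption at the IdP")
    # The IdP must post to the exact callback URL of this tenant.
    dest = root.get("Destination")
    if dest != callback_url:
        problems.append(f"Destination {dest!r} does not match callback URL {callback_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion found in Response")
        return problems
    # Audience must equal the Entity ID configured on both sides.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id!r}")
    # Name ID must be the user's primary email in emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    return problems

# Constructed sample Response (unsigned, for illustration only; not real IdP output).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{CALLBACK_URL}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "all checks passed")
```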