Rescale recently rolled out SAML Single Sign-On login support for our ScaleX Enterprise users. This post will discuss how to set up Rescale as a SAML Service Provider, using Azure Active Directory as the Identity Provider.
To follow the tutorial below, you need ScaleX Enterprise and Microsoft Azure accounts.
SAML is an authentication protocol used for web single sign-on (SSO). There are 2 entities involved in a SAML deployment:
- Identity Provider (IdP): The entity that manages your users’ credentials. Its role is to authenticate users with passwords or other types of keys.
- Service Provider (SP): The entity that provides end user applications. It relies on the Identity Provider to authenticate users.
This Wikipedia page has far more detail, but the SAML protocol roughly consists of the following steps:
- User tries to access a resource from the Service Provider and the provider needs to authenticate that user
- Service Provider redirects the user to the IdP’s SSO endpoint with a user identifier
- IdP redirects the user to its own login page if the user is not currently authenticated with the IdP
- IdP responds with authentication and redirects user back to the SP’s Assertion Consumer Service (ACS)
- SP ACS verifies the authentication came from the IdP and logs the user in on the SP
- SP redirects the user to the originally requested resource if they are authorized to access it
Note that while the Identity Provider manages the authentication of the user, the Service Provider still imposes its own authorization rules on that user. Also note that the Identity Provider and Service Provider never exchange the users’ secret key information; instead, the Service Provider is only allowed to ask the Identity Provider about the identity of the user currently logged into the web client.
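To make the ACS step concrete, here is an added example (not Rescale's code) of the non-cryptographic checks an ACS applies to a response, using the values configured later in this tutorial. It assumes the XML signature has already been verified against the IdP certificate by a SAML library; the IdP entity ID and the sample response are constructed placeholders, and the company code "rescale" is the one used in this post.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

A = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Values the SP is configured with. The IdP entity ID is a placeholder.
IDP_ENTITY_ID = "https://idp.example.test/placeholder-tenant/"
SP_ENTITY_ID = "https://www.rescale.com/route/saml2/rescale/"
ACS_URL = "https://www.rescale.com/route/saml2/rescale/acs/"

# Constructed response, trimmed to the fields checked below (no signature).
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">
  <Issuer>{IDP_ENTITY_ID}</Issuer>
  <Assertion>
    <Issuer>{IDP_ENTITY_ID}</Issuer>
    <Conditions NotBefore="2024-01-01T12:00:00Z"
                NotOnOrAfter="2024-01-01T13:00:00Z">
      <AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def acs_problems(xml_text, now):
    """Return reasons to reject; an empty list means these checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not this ACS")
    assertions = root.findall(f"{A}Assertion")
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    if assertions[0].findtext(f"{A}Issuer") != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured IdP")
    cond = assertions[0].find(f"{A}Conditions")
    if cond is None:
        return problems + ["no Conditions element"]
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{A}Audience")]:
        problems.append("Audience is not this SP")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # A missing NotOnOrAfter is treated as a failure (conservative choice).
    if noa is None or now >= _ts(noa) or (nb and now < _ts(nb)):
        problems.append("outside validity window")
    return problems
```

The `now` argument must be a timezone-aware UTC datetime, since it is compared against the parsed SAML timestamps.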
In this tutorial, the Identity Provider will be an Azure Active Directory and the Service Provider will be Rescale.
The configuration we will outline has 3 high-level chunks:
- Set up a new Azure Active Directory as a test IdP
- Add Rescale as an authorized SP to access your new IdP
- Set up your ScaleX Enterprise account to authorize your new IdP
Creating a test Azure Active Directory SAML Identity Provider
For completeness, we will start by setting up a test Azure Active Directory. If you already have an AD set up for your organization, you can probably skip ahead to the “Authorizing Rescale as a Service Provider” section.
Start by logging into the Azure management console. Go to the Active Directory section and create a new directory with the +NEW button in the bottom left corner.
Select DIRECTORY and CUSTOM CREATE
Fill in the fields to create your new directory. The NAME and DOMAIN NAME can be the same but should be unique across directories in your organization.
At this point, you have just created a new Active Directory. You can now add users to your directory. Select the directory you just created and choose the USERS tab at the top.
Your Azure user should already be in the user list for this directory. Add another user by selecting ADD USER at the bottom.
Select “User with an existing Microsoft account” and add an email of the user from your domain you wish to add. Fill out additional profile information on the next page and then save the new user.
At this point, we have an Active Directory with one or more users. The next step is to tell our AD to allow Rescale to query for users to authenticate.
Authorizing Rescale as a Service Provider
The Identity Provider must now be told to allow Rescale to query it for logged-in user information.
Select the APPLICATIONS tab at the top and then select ADD at the bottom. Pick “Add an application my organization is developing.”
Name your application whatever you like and set it to be a “WEB APPLICATION AND/OR WEB API”.
On the next page, you start to configure the important bits of your Service Provider application. You should set your SIGN-ON URL to “https://www.rescale.com/route/saml2/company ID/sso/” and your APP ID URI to “https://www.rescale.com/route/saml2/company ID/”. Your company ID is generally just the name of your company but you can contact support to verify this. In this example, we are adding users using the company code “rescale”.
Next we need to set a few additional properties and get the IdP endpoints the Rescale Service Provider will use. Go to CONFIGURE tab and scroll down to the REPLY URL. Set the URL to “https://www.rescale.com/route/saml2/company ID/acs/” and then SAVE the change.
Next, let’s note the endpoints we will need to configure our Rescale account to use this IdP. You should copy these endpoints:
- SAML-P SIGN-ON ENDPOINT
- SAML-P SIGN-OUT ENDPOINT
- FEDERATION METADATA DOCUMENT
Next, we need to retrieve the entity ID Azure uses to identify itself to the Service Provider and the X509 certificate it uses to sign SAML responses.
Open up another tab in your browser and go to the FEDERATION METADATA DOCUMENT URL you just copied. Copy both the “entityID” attribute and the first “X509Certificate” element in the document.
At this point, we have everything we need from the Azure console. It is time to move over to the Rescale platform to configure your Service Provider.
Authorize your Identity Provider in ScaleX Enterprise
Open up a new tab and log into https://www.rescale.com/route/jobs as a company administrator. Select Company Administration in the top right user drop-down menu, then select the Settings tab and scroll down to the “SSO (Single Sign-On)” section.
You can now fill in the relevant fields here:
Service Provider saml:NameID Format attribute: For Azure, this should be set to “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”
Name of Identity Provider email field in ACS response: For Azure, this should be set to “https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
Identity Provider EntityDescriptor Entity ID: This should be set to the “entityID” value copied from the Azure metadata.
Identity Provider SingleSignOnService URL: This should be set to “SAML-P SIGN-ON ENDPOINT” from the Azure endpoint list.
Identity Provider public X509 certificate: This should be filled with the X509 certificate copied from the Azure metadata. You should ensure there are no line breaks in the middle of the certificate contents.
Note that the first two fields are the same regardless of your particular AD deployment, but the last three are different and are based on the values you captured above. These three values will differ from what is shown in the screenshot.
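If you would rather not copy the “entityID” and certificate by hand from the metadata document, the following added example (not part of the Rescale platform) pulls both out of a saved copy of the metadata, collapses the certificate onto a single line as required above, and prints a SHA-256 hash you can keep to notice a later certificate change. The sample metadata, entity ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: placeholder entity ID and placeholder bytes standing in
# for a certificate, wrapped over two lines the way a browser copy often is.
SAMPLE_RAW = b"constructed sample bytes, not a real certificate"
_b64 = base64.b64encode(SAMPLE_RAW).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://idp.example.test/placeholder-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{_b64[:32]}
          {_b64[32:]}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return the entity ID, the first certificate on one line, and its hash."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    # iter() walks in document order, so this is the first X509Certificate.
    cert_el = next(root.iter(f"{{{DS}}}X509Certificate"), None)
    if not entity_id or cert_el is None or not cert_el.text:
        raise ValueError("entityID or X509Certificate missing")
    cert_b64 = "".join(cert_el.text.split())  # drop line breaks and indentation
    der = base64.b64decode(cert_b64, validate=True)  # rejects a damaged paste
    return {
        "entity_id": entity_id,
        "certificate": cert_b64,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```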
Check the following checkboxes:
- Encrypt NameID
- Sign AuthnRequests
For your initial test, you should also select “Create any user who can authenticate with SSO”. More on this in the next section.
Then click Update SSO Settings. With that, you should be able to log your user in using your AD IdP! To test it, log out of Rescale via the upper right user drop down. Go to the Rescale SSO login page and try to log in as one of the users you authorized by your Active Directory provider.
SP vs. IdP initiated login and invites
Users of your ScaleX Enterprise account can log in with SSO through either of these endpoints:
- IdP initiated logins: https://www.rescale.com/route/saml2/company ID/sso/
- SP initiated logins: https://www.rescale.com/route/login/sso/
The former is the more “direct” link. It redirects straight to your IdP SSO URL and does not require the user to enter any credentials on Rescale’s side. The second page takes a user email and then tries to route the user to the correct Identity Provider. This page is meant for users that start by going directly to https://www.rescale.com/route/jobs but still want to log in with SSO.
As mentioned in the previous section, you can choose to either allow any user authenticated by your IdP to log into Rescale under your organization, or you can only allow users to create Rescale accounts who have been explicitly invited. To enforce the invite-only restriction, go back to the SSO settings section in the Rescale Company Administration panel, select “Only create invited users” and save those settings. To invite users, go to the Members tab at the top and click “Invite Members”.
You can then enter a list of emails of the IdP authenticated users you want to enable access for on Rescale. These users will then be sent invitation emails with the IdP initiated login mentioned above.
At this point, you should have a secure Active Directory configured to allow Single Sign-On on Rescale. You can now manage your users’ access to Rescale by either controlling user authorization in the Rescale Company Administration portal or controlling user authentication to Rescale via your Active Directory.