Single Sign On
CloudBeaver Enterprise supports federated authentication for SSO (Single Sign-On) access to the application. Your identity provider must support SAML for this to work.
Enabling SAML authentication
Go to the Administration menu and enable SAML in the Server configuration tab.
Configuring external identity provider
Go to the Identity Providers tab and create a new configuration using the SAML IdP (Identity Provider) details.
Configuring CloudBeaver integration in external identity provider
Open the created configuration and download the metadata file.
Go to the SAML IdP website and add the metadata parameters from the file (entityID and Location) to the SSO access settings. Then assign users and add the attribute mappings according to the SAML IdP requirements.
Each identity provider has its own configuration procedure; the next chapter shows how to do it in AWS.
AWS SSO configuration
You can upload the metadata file (downloaded in the previous chapter) to fill in the parameters automatically.
Or you can specify parameters manually:
| Parameter | Value |
|---|---|
| Application ACS URL | |
| Application SAML audience | |
Here HOST_NAME is the host name of your CloudBeaver installation and CONFIG_ID is the identifier of your SAML configuration.
| Attribute | Value | Description |
|---|---|---|
| Subject | | User unique identifier (nameId). It is usually an email address. |
| | | Session duration in seconds. 1800 (30 minutes) is the default value. |
| | roleARN,idpARN | IAM role identifier |
Role is the most important attribute: it defines which IAM role is used for the user's federation session. Role format: roleARN,idpARN
You can get the role ARN in the AWS IAM roles section: https://console.aws.amazon.com/iamv2/home#/roles
Role ARN looks like this:
You can get the IdP ARN on the AWS identity providers page: https://console.aws.amazon.com/iamv2/home#/identity_providers
IDP ARN looks like this:
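As an added example (not CloudBeaver's or AWS's own code), the following Python check validates an IdP's SAML AttributeStatement against the attribute mapping rules above: the Role value must have the form roleARN,idpARN with both ARNs in the same AWS account, and SessionDuration, when present, must lie within the range AWS accepts for SAML sessions (900 to 43200 seconds). The AWS attribute names are AWS's standard ones; the account id, role name and provider name in the sample statement are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# AWS-defined SAML attribute names used in the attribute mappings.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
# Comma is excluded from the role-name class because it is the pair separator.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
IDP_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement; account id, role and provider names are placeholders.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/CloudBeaverFederated,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
    <saml:AttributeValue>1800</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def parse_role_attribute(value):
    """Split 'roleARN,idpARN', check both ARNs and that they share one AWS account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must be exactly 'roleARN,idpARN'")
    role_arn, idp_arn = parts
    role_m, idp_m = ROLE_ARN.match(role_arn), IDP_ARN.match(idp_arn)
    if not role_m or not idp_m:
        raise ValueError("expected an IAM role ARN followed by a saml-provider ARN")
    if role_m.group(1) != idp_m.group(1):
        raise ValueError("role and identity provider belong to different AWS accounts")
    return role_arn, idp_arn

def check_attribute_statement(xml_text):
    """Return validated role pairs and the session duration from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    if not attrs.get(ROLE_ATTR):
        raise ValueError("Role attribute is missing; AWS cannot start a federated session without it")
    roles = [parse_role_attribute(v) for v in attrs[ROLE_ATTR]]
    # SessionDuration is optional; the 1800 s default from the table applies when it is absent.
    duration = int((attrs.get(DURATION_ATTR) or ["1800"])[0])
    if not 900 <= duration <= 43200:  # AWS accepts 15 minutes up to 12 hours for SAML sessions
        raise ValueError(f"SessionDuration {duration} is outside the 900-43200 s range")
    return {"roles": roles, "session_duration": duration}
```

Calling check_attribute_statement(SAMPLE_STATEMENT) returns the parsed role pair and a duration of 1800; a value with mismatched accounts or a malformed ARN raises ValueError before the configuration is trusted.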
Configuring AWS proxy account
In order to give users permission to your AWS cloud resources (RDS, DynamoDB, etc.), you need to configure an AWS federated-access proxy user.
You can find more information here: Configuring SAML assertions for the authentication response.
Go to the AWS Settings tab and enable the Federated authentication.
Add the Proxy User on the same page. You can set the current user or add a new one.
When an AWS user logs into CloudBeaver using SSO, the session has both the Proxy User's and the IAM user's identity-based permissions. The actual permission set and user role are configured in the attribute mappings of the SAML integration.
CloudBeaver does not keep your authentication information on the server side or in configuration files. Once your session expires, you will need to authenticate again. When a user logs out of the application, CloudBeaver also performs a session logout from the SAML IdP.
Testing SAML authentication
After the configuration is created, a new SAML tab becomes available in the CloudBeaver authentication dialog. There the user can select the configuration and then log in to the application using SSO.