SAML SSO for Squirro

Security Assertion Markup Language (SAML) is an open standard for single sign-on (SSO) authentication and authorization.

It can be used to log in to Squirro via an identity provider, such as Microsoft ADFS or Google.

Overview

SAML Single Sign-On can be enabled by following the steps below:

  1. Set up the identity provider.

  2. Provide a metadata file to Squirro.

  3. Enable SAML Single Sign-On within the Squirro application.

Setup Guides

See the following guides for specific SSO setups:

Identity Provider

To configure an identity provider, the following information is generally required:

  • Entity ID: https://sso.squirro.com/o/saml2/entity

  • Callback URL (or ACS URL): https://SQUIRRO/sso/callback (URL of your Squirro installation plus the path /sso/callback)

  • Name ID: Email, Primary Email, or similar

Configure SAML Metadata

The identity provider should provide you with a metadata XML file. To configure SAML Single Sign-On with that file, go to the Server space in Squirro and, in the navigation on the left, select Single Sign-On (SAML).

In the setup screen that you now see, check the Enabled checkbox and select the metadata XML file for upload.
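A pre-upload sanity check of the identity provider's metadata file, as an added example that is not part of Squirro's own tooling. The function name `check_idp_metadata`, the `idp.example.test` URLs and the sample document are assumptions made for illustration; the SHA-256 fingerprint it reports is meant to be compared with the value your identity provider administrator gives you through a separate channel.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample metadata; FAKE_DER is placeholder bytes, not a real certificate.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/metadata" validUntil="2030-01-01T00:00:00Z">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate>
   </X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.test/sso/redirect"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://idp.example.test/sso/post"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def check_idp_metadata(xml_text, now=None):
    """Return (summary, problems) for an IdP metadata document before upload."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    entity = next(ET.fromstring(xml_text).iter(MD + "EntityDescriptor"), None)
    idp = entity.find(MD + "IDPSSODescriptor") if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    problems = []
    if entity.get("validUntil"):
        expiry = datetime.fromisoformat(entity.get("validUntil").replace("Z", "+00:00"))
        expiry = expiry if expiry.tzinfo else expiry.replace(tzinfo=timezone.utc)
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired at {expiry.isoformat()}")
    endpoints = [(s.get("Binding", "").rsplit(":", 1)[-1], s.get("Location", ""))
                 for s in idp.findall(MD + "SingleSignOnService")]
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"{b} endpoint is not HTTPS: {loc}" for b, loc in endpoints
                 if not loc.startswith("https://")]
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    certs = [c.text or "" for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use", "signing") == "signing" for c in kd.iter(DS + "X509Certificate")]
    fingerprints = [hashlib.sha256(base64.b64decode("".join(t.split()))).hexdigest()
                    for t in certs]
    if not fingerprints:
        problems.append("no signing certificate found")
    return {"entity_id": entity.get("entityID"), "endpoints": endpoints,
            "signing_sha256": fingerprints}, problems
```

Run it on the file received from the identity provider and resolve every reported problem before selecting the file for upload.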


Enable SSO

For security reasons, the final configuration needs to be done directly on the server. Log in to the server using SSH or similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:

[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reduce HTTP Session

With Single Sign-On enabled, Squirro recommends reviewing the session expiration parameters. See Reducing Session Lifetime for information.