SAML SSO for Squirro
Security Assertion Markup Language (SAML) is an open standard for single sign-on (SSO) authentication and authorization.
It can be used to log in to Squirro via an identity provider, such as Microsoft ADFS or Google.
SAML Single Sign-On can be enabled by following the steps below:
1. Set up the identity provider.
2. Provide a metadata file to Squirro.
3. Enable SAML Single Sign-On within the Squirro application.
See the following guides for specific SSO setups:
To configure an identity provider, the following information is generally required:
- Callback URL (or ACS URL): https://SQUIRRO/sso/callback (URL of your Squirro installation plus the path
- Primary Email, or similar
Configure SAML Metadata
The identity provider should provide you with a metadata XML file. To configure SAML Single Sign-On with that file, go to the Server space in Squirro and in the navigation on the left select Single Sign-On (SAML).
In the setup screen that you now see, check the Enabled checkbox and select the metadata XML file for upload.
For security reasons, the final configuration needs to be done directly on the server. Log in to the server using SSH or similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:

    [security]
    sso_enabled = true
    sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reduce HTTP Session
By default, Squirro will keep user sessions for 30 days, surviving browser restarts as well.
In a Single Sign-On environment, this should be changed so that the session expires once the user restarts the browser. This can be achieved by changing /etc/squirro/frontend.ini and adding the following lines:

    [frontend]
    session_permanent = false
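
A check for the two frontend.ini edits described above, as an added example that is not part of the Squirro documentation or product: it parses the file text with Python's configparser and reports which of the settings from this page are missing, including the case where appending a block repeats a section that already exists. It assumes Squirro reads booleans the way configparser does and that an absent session_permanent means the 30-day default; the function name and finding texts are illustrative.

```python
import configparser

# Constructed sample: the [security] block was appended, the session change was not made.
SAMPLE_INI = """\
[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth
"""

def _flag(parser, section, option, default):
    """Read a boolean; None means the value is present but not a boolean."""
    try:
        return parser.getboolean(section, option, fallback=default)
    except ValueError:
        return None

def audit_frontend_ini(text):
    """Return findings for the SSO settings this page adds to frontend.ini."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)  # strict by default
    try:
        parser.read_string(text)
    except (configparser.DuplicateSectionError,
            configparser.DuplicateOptionError) as exc:
        # Appending a block can repeat a section that already exists in the file.
        findings.append(f"duplicate section or option: {exc}")
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"file does not parse as INI: {exc}"]

    if _flag(parser, "security", "sso_enabled", False) is not True:
        findings.append("[security] sso_enabled is not true")
        return findings
    if not parser.get("security", "sso_endpoint", fallback="").strip():
        findings.append("[security] sso_endpoint is missing or empty")
    # Assumption: an absent option means the default described on this page (30 days).
    if _flag(parser, "frontend", "session_permanent", True) is not False:
        findings.append("[frontend] session_permanent is not false")
    return findings

if __name__ == "__main__":
    # On the server, pass the contents of /etc/squirro/frontend.ini instead.
    for finding in audit_frontend_ini(SAMPLE_INI):
        print(finding)
```

An empty result means both edits are present; a duplicate-section finding means the appended block should be merged by hand into the existing section.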