SAML2 Single Sign-On Authentication
For authentication with SAML2 you will need at least:
- The SAML SSO URL (Entry Point)
- The certificate provided by the identity provider
Authentication Activation
- Add configuration with a JSON file and/or environment variables (see below)
- Download the SAML Service Provider (SP) Metadata file from /api/auth/saml2/metadata and use it to register Botium in your identity provider. This file is bound to the Botium URL and looks like this:

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="botiumbox-<botium-box-url>"
                  ID="botiumbox_botium_box_url">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="<botium-box-url>/api/auth/saml2/callback"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
Botium will now show an additional option Sign in with Single Sign-On on the Login screen.
Tip: It is still possible to use the internal Botium authentication, which is often used for administrative access.
Passport-SAML Options
- The option fields holding certificates (cert, privateKey, decryptionPvk) are treated as relative filenames, or they can hold the certificate data itself (one line, no headers/footers)
- The Botium-specific connectivity fields (protocol, host, path) are filled automatically; you shouldn't overwrite them without a good reason
- The issuer is also filled automatically and can be overwritten here
Configuration with JSON File and Environment Variables
```json
{
  "options": {
    "entryPoint": "https://sso.jumpcloud.com/saml2/botiumdevlocal",
    "cert": "jumpcloud.pem"
  },
  "logoutRedirectUrl": "https://console.jumpcloud.com/userconsole",
  "autoCreateUser": true,
  "autoCreateRole": "GUEST",
  "propUsername": "nameID",
  "propEmail": "email",
  "propGroupNames": "memberOf",
  "group2Role": {
    "Administrator": "ADMIN",
    "Manager": "TESTMANAGER",
    "Tester": ["TESTER", "GUEST"]
  },
  "user2Role": {
    "admin": "ADMIN"
  }
}
```
JSON Configuration Reference
| Name | Type | Required | Description | Notes | On-premise Environment Variables |
|------|------|----------|-------------|-------|----------------------------------|
| logoutRedirectUrl | string | Optional | User is redirected to this URL on Botium logout (in case of SSO). | This URL is typically given by the SSO provider. If no URL is given there will be no redirect. | BOTIUMBOX_PASSPORT_LOGOUT_REDIRECTURL |
| autoCreateUser | boolean | Optional | True/false - let Botium automatically create user records that do not yet exist. | Default is "true" | BOTIUMBOX_PASSPORT_SAML2_AUTOCREATE_USER ("1" => true) |
| autoCreateRole | string | Optional | A role name that is automatically assigned to all created user records. | Default is "GUEST" | BOTIUMBOX_PASSPORT_SAML2_AUTOCREATE_ROLE |
| propUsername | string | Optional | SAML attribute name holding the username, which is used to look up the user records in Botium. | Default is "nameID" | - |
| propEmail | string | Optional | SAML attribute name holding the email. | Default is "email" | BOTIUMBOX_PASSPORT_SAML2_PROPERTY_EMAIL |
| propGroupNames | string | Optional | SAML attribute name holding the group or role names. They are mapped to Botium roles (see below). | Default is "memberOf" | BOTIUMBOX_PASSPORT_SAML2_PROPERTY_GROUPS |
| group2Role | Object | Required | A mapping from the SAML2 groups or roles to Botium roles. | Can have these values - ADMIN, GUEST, TESTER, TESTMANAGER | BOTIUMBOX_PASSPORT_SAML2_GROUP2ROLE |
| user2Role | Object | Required | A mapping from the SAML2 user names to Botium roles. | Can have these values - ADMIN, GUEST, TESTER, TESTMANAGER | BOTIUMBOX_PASSPORT_SAML2_USER2ROLE |
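To make the role-mapping rules concrete, here is an added example (not Botium's own code) that resolves Botium roles from a SAML profile using the JSON configuration and the reference table above. It assumes that roles from group2Role and user2Role are unioned, that autoCreateRole applies only when no mapping matched and autoCreateUser is enabled, and that memberOf may arrive as a single string or an array.

```javascript
// Added example (not Botium's code): resolve Botium roles from a SAML
// profile using the group2Role / user2Role mapping shown on this page.
// Assumptions: roles from both mappings are unioned; autoCreateRole is
// used only when no mapping matched and autoCreateUser is enabled.
const KNOWN_ROLES = new Set(['ADMIN', 'GUEST', 'TESTER', 'TESTMANAGER']);

// Constructed copy of the page's JSON configuration (minus "options").
const CONFIG = {
  autoCreateUser: true,
  autoCreateRole: 'GUEST',
  propUsername: 'nameID',
  propEmail: 'email',
  propGroupNames: 'memberOf',
  group2Role: { Administrator: 'ADMIN', Manager: 'TESTMANAGER', Tester: ['TESTER', 'GUEST'] },
  user2Role: { admin: 'ADMIN' },
};

// memberOf may arrive as a single string or as an array of strings.
const asList = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// Own-property lookup only: attribute values come from the IdP, so a
// group named e.g. "constructor" must not resolve through Object.prototype.
const lookup = (map, key) =>
  Object.prototype.hasOwnProperty.call(map, key) ? asList(map[key]) : [];

function resolveRoles(profile, cfg = CONFIG) {
  const username = profile[cfg.propUsername];
  if (typeof username !== 'string' || username === '') {
    throw new Error(`SAML profile lacks attribute ${cfg.propUsername}`);
  }
  const roles = new Set();
  // Group-based roles first: every matched group contributes its role(s).
  for (const group of asList(profile[cfg.propGroupNames])) {
    for (const role of lookup(cfg.group2Role, group)) roles.add(role);
  }
  // Then user-specific roles keyed by the username attribute.
  for (const role of lookup(cfg.user2Role, username)) roles.add(role);
  // Nothing matched: fall back to the auto-create role if auto-create is on.
  if (roles.size === 0 && cfg.autoCreateUser) roles.add(cfg.autoCreateRole);
  // Reject anything outside the four roles the reference table allows.
  for (const role of roles) {
    if (!KNOWN_ROLES.has(role)) throw new Error(`unknown Botium role ${role}`);
  }
  return { username, email: profile[cfg.propEmail], roles: [...roles].sort() };
}
```

A user with no matching group and autoCreateUser set to false ends up with an empty role list, which is the case a deployment should treat as "no account created".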