This article provides instructions on how to set up Single Sign-on (SSO) on the 5.3.3+ Delphix Engine. Delphix Engines (Masking and Virtualization) versions 5.3.3+ support authentication via the SAML 2.0 standard (SP initiated and IdP initiated). SLO (Single Log-out) is not supported. This means that logging out of a Delphix Engine will not terminate sessions on other Delphix Engines, nor will it terminate the IdP session.
Identity Provider Configuration
The steps to configure an Identity Provider (IdP) are specific to each IdP product (e.g. Okta, OneLogin, PingFederate). The terminology may vary, but one SAML 2.0 application (or SP connection) will need to be created for each Delphix Engine. The engine does not expose a metadata document. The following attributes must be entered:
- ACS URL (Assertion Consumer Service URL): http(s)://<delphix-engine>/sso/response
- Delphix strongly recommends that HTTPS is used instead of HTTP for all UI and API communication with the Delphix Engine. For HTTPS or the automatic HTTP to HTTPS redirect, use the https:// scheme in the ACS URL, otherwise use the http:// scheme. Refer to the CLI Cookbook: Changing HTTP and HTTPS Web Connections article on how to set up HTTPS.
- SAML Bindings: Delphix Engines support the POST and Redirect bindings.
- Audience Restriction (SP entity ID, Partner’s Entity ID): The audience restriction must be set to the entity id configured in the Delphix Server via the Delphix Setup (see below). The default value is https://<Delphix Server ID> where <Delphix Server ID> is a 36-character hexadecimal string of the form xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx. See Determining the Delphix Server ID and Host Name for more on the Delphix Server ID.
- If the Delphix Engine does not exist or is unreachable, enter a temporary value (such as delphix-sp-id) to later be replaced by the actual Delphix Server ID.
- Signature policy: The Delphix Engine does not sign authentication requests; it requires that either the responses, assertions, or both are signed.
- Name ID: The SAML NameID attribute must be set to the email address of the user. See the User Management When SSO is Enabled section below for more information.
The SP initiated flow must be enabled in the IdP.
New Engine Configuration
Follow this procedure when installing a new Delphix Engine.
- Connect to the Delphix Engine at http://<DelphixEngine>/login/index.html#serverSetup. The Delphix Setup application will launch when connecting to the server.
- Enter the sysadmin login credentials; this account has a default username of sysadmin and password of sysadmin.
- In the Authentication step of the Delphix Setup wizard, check the use SAML/SSO box and enter the required information:
- The entity id is a unique identifier of the Delphix Engine for Single Sign-On providers. The default value is https://<Delphix Server ID>, where <Delphix Server ID> is a 36-character hexadecimal string of the form xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx. This is just an identifier; there is no resource at that URL. This value can be changed to any string, but note that some identity providers require it to have a URL format.
- The IdP metadata is an XML document that must be exported from the application created in the IdP (see Identity Provider Configuration).
- Optional Advanced settings include the response skew time which is the maximum time difference allowed between a SAML response and the engine's current time, in seconds. If not set, it defaults to 120 seconds. The maximum age of IdP authentication indicates how far in the past to accept authentications to the identity provider, in seconds. If not set, it defaults to 86,400 seconds (one day).
- Complete the remaining setup steps as usual.
Existing Engine Configuration
Follow this procedure to enable SSO on an already configured engine.
- Connect to the Delphix Engine at http://<DelphixEngine>/login/index.html#serverSetup. The Delphix Setup application will launch once connected to the server.
- Enter the sysadmin login credentials.
- In the Authentication tile, select Modify.
- In the Authentication dialog, check the use SAML/SSO box, then enter the entity id (if not using the default), IdP metadata, and the optional advanced time settings (described in New Engine Configuration).
If this is an upgraded engine, make sure the engine type is set from the banner of the ServerSetup application dashboard.
User Management When SSO is Enabled
Access to the Delphix Setup application is not affected by the use of SSO; SSO only affects access to the Delphix Management Application and Masking Application. When SSO is enabled, authentication to the Delphix Management Application or Masking Application UIs is performed via SAML/SSO instead of a combination of username and password. Non-administrators can no longer change their email address.
An administrator must create a Delphix user for each user to whom access via SSO must be granted. The Delphix user can be used to assign roles and permissions. The email address of the Delphix user is used to match users authenticated via SAML/SSO and must be set to the exact value defined in the IdP. This same value is used in the NameID attribute of the SAML response. Supported NameID formats are
If multiple Delphix users share an email address, all Delphix users will have access to the SAML/SSO session.
Neither the API access for use in scripts and integrations nor the Virtualization CLI access requires SSO. Instead, username and password (optionally with LDAP integration) authentication must be used for API or CLI access. When SSO is enabled on a Delphix Engine, new users by default will have no API access and no password. Administrators can enable API access for any user through the User Management or Masking UIs. The user’s password or LDAP credentials are used for API authentication.
Users created before SSO was enabled keep their API access. Users with API access but no email address are useful for scripts or integration via the API; they cannot be used to log in via the UI. When SSO is enabled, only administrators can change or set email addresses.
A user with API access may also log in via SAML into an SSO-enabled engine through the UI when they have an email set.
If authentication via SSO fails with a message stating that the issue time is either too old or in the future, the error is due to the time on the Delphix Engine not being in sync with the time of the identity provider server. If the time on the Delphix Engine is not correct, correct the time settings manually or configure NTP. Alternatively, update the response skew time parameter (see Existing Engine Configuration).
If authentication via SSO fails with a message stating that the authentication to the identity provider is too old, re-authenticate with the identity provider or adjust the maximum age parameter (see Existing Engine Configuration).
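The response checks behind the two error messages above, together with the NameID email matching from the User Management section, as an added Python example that is not Delphix's code: it validates a constructed, unsigned SAML response against the article's default response skew (120 s) and maximum authentication age (86,400 s), compares the audience with the entity id, and maps the NameID email onto Delphix users. The entity id, user list, clock and response skeleton are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed engine clock
ENTITY_ID = "https://delphix-sp-id"  # placeholder entity id, not a real Server ID
# Constructed Delphix users: username -> email (None = API-only user without email)
USERS = {"alice": "alice@example.com", "alice2": "alice@example.com", "robot": None}
# Constructed, unsigned SAML response skeleton; a real IdP response is signed
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="{issue}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{authn}"/>
 </saml:Assertion>
</samlp:Response>"""

def parse_time(text):
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)

def check_response(xml_text, entity_id, users, now, skew=120, max_age=86400):
    """Apply the checks the article describes; return matching usernames or raise."""
    root = ET.fromstring(xml_text)
    # Response skew: |now - IssueInstant| may not exceed skew (default 120 s)
    if abs((now - parse_time(root.get("IssueInstant"))).total_seconds()) > skew:
        raise ValueError("issue time is too old or in the future")
    # Audience must equal the entity id configured on the engine
    if root.find(".//saml:Audience", NS).text != entity_id:
        raise ValueError("audience does not match entity id")
    # Maximum age of the IdP authentication (default 86,400 s = one day)
    authn = parse_time(root.find(".//saml:AuthnStatement", NS).get("AuthnInstant"))
    if (now - authn).total_seconds() > max_age:
        raise ValueError("authentication to the identity provider is too old")
    # NameID must exactly match a Delphix user's email; every match gets access
    email = root.find(".//saml:NameID", NS).text
    matched = [u for u, e in users.items() if e is not None and e == email]
    if not matched:
        raise ValueError("no Delphix user with this email")
    return matched

def login(issue_offset, authn_offset, email="alice@example.com", audience=ENTITY_ID):
    """One scenario; offsets are seconds relative to NOW. Returns ('ok', users) or ('error', reason)."""
    ts = lambda off: (NOW + timedelta(seconds=off)).strftime(TS)
    xml = RESPONSE_XML.format(issue=ts(issue_offset), authn=ts(authn_offset), email=email, aud=audience)
    try:
        return ("ok", check_response(xml, ENTITY_ID, USERS, NOW))
    except ValueError as err:
        return ("error", str(err))
```

Raising the skew or maximum-age arguments of check_response corresponds to the advanced settings described under New Engine Configuration; fixing the engine clock corresponds to changing NOW.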