Configure OverOps to validate users via SAML to access environments with the same owner

Problem:

How do we configure OverOps to allow SSO users access to the available environments after logging in via SAML?

Solution:

Validate that the following properties are configured in the my.server.properties configuration file and that their values are set as shown.

Note: All settings must be configured in the my.server.properties file located in the /<INSTALL_PATH>/takipi-server/conf/tomcat/shared/ directory.

GLOBAL_DOMAIN_AUTH_ENABLED=true
GLOBAL_DOMAIN_AUTH_TYPE=SAML

  • Enables the backend to utilize SAML SSO to authenticate users via the IdP.

GLOBAL_DOMAIN_AUTH_SAML_IDP_METADATA_FILE=/full/path/to/saml_metadata.xml

  • Location of the metadata that is provided by the IdP. The full path to the metadata file must be provided.

GLOBAL_DOMAIN_INITIALIZER=<email_of_environment_owner>

  • Sets the backend server to use a domain initializer. The domain initializer is the owner of all available environments, so the same email address should own every environment; that way each environment is eligible to grant access when the environment name and role in the user's SAML response match it.

LDAP_SAML_EMAIL_FIELD_NAMES=email;mail
LDAP_SAML_FIRSTNAME_FIELD_NAMES=gn;givenName;firstName
LDAP_SAML_LASTNAME_FIELD_NAMES=sn;surName;lastName
LDAP_SAML_PHONE_FIELD_NAMES=telephoneNumber;phone;telephone;phoneNumber

  • Sets the attribute names from which the user's information in the IdP's application is mapped so that it is displayed properly within OverOps. If these are not set, the name fields are populated with the alias portion of the email address.

Optional:

AUTH_DOMAIN_ENV_ROLE_SEPARATOR=<special_character>

  • Assigns a different separator (such as a colon [:]) between the environment and the role passed within the SAML response. If this property is not set in the properties file, a blank space is used as the default separator.

SAML_BASIC_SSO_MODE_DEFAULT_ROLE=<Role>

  • Sets the role a user is assigned when logging in for the first time. The role can be Admin, Member (the default if this parameter is not used), or Viewer. Best practice is not to set it to Admin.

Explanation:

This setup ensures that users are authenticated via SAML. All users are given access to the OverOps website, provided the application is available to them.

If the domain initializer is set as the owner of any environments within OverOps, users who log in gain access to those same environments, either as Member (the default) or with the role set by the optional SAML_BASIC_SSO_MODE_DEFAULT_ROLE= parameter.
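The mapping described above, as an added Python example that is not OverOps code: it checks the listed properties the way a reviewer would before enabling SAML, then resolves a user's fields and "environment<separator>role" grants from a SAML response using the configured field-name lists, the configured separator (blank space by default) and the default role. The sample property values, the sample attribute names and the "overops_envs" attribute that carries the environment/role entries are constructed assumptions.

```python
# Added example, not OverOps code: models how the my.server.properties keys on this
# page turn a SAML response's attributes into an OverOps user and the
# "env<separator>role" grants it carries. The attribute names in SAMPLE_ATTRS and the
# "overops_envs" attribute holding the env/role entries are constructed assumptions.
VALID_ROLES = {"Admin", "Member", "Viewer"}   # the three roles the page lists
REQUIRED = ("GLOBAL_DOMAIN_AUTH_SAML_IDP_METADATA_FILE", "GLOBAL_DOMAIN_INITIALIZER")

SAMPLE_PROPS = {  # constructed my.server.properties values, as strings like the file
    "GLOBAL_DOMAIN_AUTH_ENABLED": "true", "GLOBAL_DOMAIN_AUTH_TYPE": "SAML",
    "GLOBAL_DOMAIN_AUTH_SAML_IDP_METADATA_FILE": "/full/path/to/saml_metadata.xml",
    "GLOBAL_DOMAIN_INITIALIZER": "owner@example.com",
    "LDAP_SAML_EMAIL_FIELD_NAMES": "email;mail",
    "LDAP_SAML_FIRSTNAME_FIELD_NAMES": "gn;givenName;firstName",
    "LDAP_SAML_LASTNAME_FIELD_NAMES": "sn;surName;lastName",
    "AUTH_DOMAIN_ENV_ROLE_SEPARATOR": ":",
}
SAMPLE_ATTRS = {  # constructed SAML attribute statement, already parsed
    "mail": "jane.doe@example.com", "givenName": "Jane",
    "overops_envs": ["Production:Viewer", "Staging"],
}

def check_properties(props):  # problems a reviewer would flag (empty list = OK)
    problems = [f"{k} is missing" for k in REQUIRED if not props.get(k)]
    if (props.get("GLOBAL_DOMAIN_AUTH_ENABLED"), props.get("GLOBAL_DOMAIN_AUTH_TYPE")) != ("true", "SAML"):
        problems.append("GLOBAL_DOMAIN_AUTH_ENABLED/TYPE do not enable SAML")
    if props.get("SAML_BASIC_SSO_MODE_DEFAULT_ROLE") == "Admin":
        problems.append("default role is Admin; the page advises against it")
    return problems

def first_attr(attrs, props, key, fallback):  # first ';'-listed name present in attrs
    return next((attrs[n] for n in props.get(key, "").split(";") if attrs.get(n)), fallback)

def map_user(props, attrs):
    email = first_attr(attrs, props, "LDAP_SAML_EMAIL_FIELD_NAMES", None)
    if email is None:
        raise ValueError("SAML response carries no usable email attribute")
    alias = email.split("@", 1)[0]                 # fallback for unmapped name fields
    sep = props.get("AUTH_DOMAIN_ENV_ROLE_SEPARATOR") or " "   # default: blank space
    default_role = props.get("SAML_BASIC_SSO_MODE_DEFAULT_ROLE") or "Member"
    grants = {}
    for entry in attrs.get("overops_envs", []):
        env, _, role = entry.strip().partition(sep)
        role = role.strip() or default_role        # assumed: no role given -> default role
        if role not in VALID_ROLES:                # reject rather than guess at unknown roles
            raise ValueError(f"unknown role {role!r} for environment {env!r}")
        grants[env.strip()] = role
    return {"email": email, "grants": grants,
            "first_name": first_attr(attrs, props, "LDAP_SAML_FIRSTNAME_FIELD_NAMES", alias),
            "last_name": first_attr(attrs, props, "LDAP_SAML_LASTNAME_FIELD_NAMES", alias)}
```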

For an explanation of each of the parameters used, refer to the following docs:
On Premises Configuration of SAML
4.53 SAML Security Updates