We previously briefly covered the updates to XLCubedWeb to support single sign-on using SAML 2.0. In this blog we will go through the process needed to set up SSO in XLCubedWeb using Okta and the steps required to map the users through to cube-defined roles in Analysis Services.
The first step is to set up a new application in Okta. Make sure you are in “Classic UI” mode, click the Applications tab and then “Create New App”.
Set the platform to “Web” and the sign on method to “SAML 2.0”.
Give the app a name and optionally pick a logo to display when signing on.
Configure the SAML settings. The URL is in the form http://server/xlcubedweb/webform/auth.aspx and must match the form the users will be entering in the browser. Use “XLCubedWeb” for the entity ID.
Continue through the remaining screens and then download the provider metadata; this will be needed later.
Now we can define the roles in Okta. This is done by adding a new attribute to the standard “Okta” user profile and then adding some attributes to the SAML response.
Go to Directory => Profile Editor and edit the profile for the “Okta” user.
Add a roles attribute.
Go back to the application and edit the SAML Settings. We can optionally add different attributes to pass through to XLCubedWeb. For Analysis Services controlled user access we just need the EffectiveRole one; to map through to XLCubedWeb roles we can also use the Roles attribute. The value is set to “user.roles”.
Now for a particular user we can define the roles we want to use (this can come from a variety of sources, but we will enter it manually for simplicity's sake).
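The following Python example is added here and is not part of the original post or of XLCubed's or Okta's own code. It checks an assertion captured from a test sign-on against the settings above: the audience must be the “XLCubedWeb” entity ID, the recipient must be the auth.aspx URL exactly as entered, and the EffectiveRole and Roles attributes must arrive with a value. The sample assertion, the user and the role name SalesReaders are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed); user and role values are made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jane@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="http://server/xlcubedweb/webform/auth.aspx"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>XLCubedWeb</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="EffectiveRole"><saml:AttributeValue>SalesReaders</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Roles"><saml:AttributeValue>SalesReaders</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from the AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs

def check_assertion(assertion_xml, acs_url, entity_id="XLCubedWeb", required=("EffectiveRole", "Roles")):
    """Return a list of problems; an empty list means the settings line up."""
    # Content check only: the XML signature is not verified here.
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"audience {audiences} does not include {entity_id!r}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"recipient {recipients} does not match {acs_url!r}")
    attrs = read_attributes(assertion_xml)
    for name in required:
        if not attrs.get(name):  # absent, or sent with an empty value
            problems.append(f"attribute {name!r} is missing or empty")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "http://server/xlcubedweb/webform/auth.aspx"))
```

An empty list means the Okta side matches what XLCubedWeb is configured to expect; a user whose roles value was never filled in shows up as a missing or empty attribute.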
Now we need to create the relevant roles in Analysis Services and assign the required permissions.
Now we need to configure XLCubedWeb. The first step is to set the application pool or the anonymous user to run as a domain account that is either an Admin in Analysis Services or a Cube Admin.
Now, using the XLCubedWeb Config app, we can set it up to use a custom provider and click the configure button to finalise setup.
Click “Import Provider XML” and use the file downloaded from the application setup earlier. Ensure “Redirect” is selected and click apply, then close the form and click “Apply” on the authentication tab.
Now we just need to set up the SQL Repository. Ensure you have already created the database and that the current logged on user is SA.
Enter the connection details and click connect to create the database. Enable “Role based”.
Click “Administration” and then Admin => Roles. Create the roles and assign the required permissions.
You can see more about the different options around this on the wiki page.