Use SAML Just-in-Time User Provisioning in a SAML SSO Environment
If you are using an isolated domain (see Default and Custom Domains) and have Single Sign-On (SSO) based on SAML (Security Assertion Markup Language, see SAML SSO with GoodData), you can use SAML Just-in-Time (JIT) provisioning.
With JIT, you do not have to create and configure users in advance. JIT creates users when they log in for the first time. When a user tries to log in to the GoodData platform with SSO, a GoodData account is automatically created for them and the user is granted access to the specified GoodData workspace. The user’s details and the ID of the GoodData workspace to grant access to are provided as part of Identity Provider metadata.
Enable Just-in-Time User Provisioning
If you do not yet have SAML SSO implemented, do the following:
- Configure the SAML SSO service for your domain. If you have multiple SSO providers using the Identity Provider-initiated configuration, you can have JIT provisioning enabled for some or all of them.
- When configuring an SSO environment on your side, configure your Identity Provider to send SAML assertions with JIT attributes.
RelayState
The RelayState parameter specifies the URI in GoodData where the user is redirected after a successful login.
The RelayState parameter is case-sensitive and must be sent in the body of an HTTP POST request. The value of the RelayState parameter must be an absolute URL.
For information about constructing URLs pointing to specific embedded dashboards using the workspace ID or a combination of the client ID and data product ID, see Embedding Code Formats.
SAML Response Assertion
GoodData processes the first valid Assertion element in the SAML response. An Assertion element is valid when it is signed and has valid Subject, Conditions and Issuer child elements.
If signing assertions is disabled for the domain, the whole SAML response must be signed.
The AttributeStatement element that contains the provisioning attributes must be included in the same Assertion element as the Subject element.
Because only the first valid Assertion element is retrieved and used, multiple Assertion elements are not supported.
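The following Python script is an added example (not GoodData's code) that applies the RelayState and Assertion rules above to an incoming SAML Response on the service-provider side: RelayState must be an absolute URL, only the first Assertion that is signed and carries Subject, Conditions and Issuer is selected, and the AttributeStatement must sit in that same Assertion. It does not verify the XML signature cryptographically (that belongs to an XML-DSig library); it only checks that a ds:Signature whose Reference URI points at the Assertion's own ID is present. The time-window and Audience checks, the sample_response() builder and the addresses in it are assumptions made for this example, not documented GoodData behaviour.

```python
"""Structural pre-checks for a SAML Response before JIT provisioning (added example)."""
from datetime import datetime
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # assumption: use defusedxml in production

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def relay_state_is_valid(relay_state: str) -> bool:
    """RelayState must be an absolute URL: scheme and host both present."""
    u = urlparse(relay_state)
    return u.scheme in ("http", "https") and bool(u.netloc)


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _assertion_is_valid(assertion, now, audience):
    """Signed + Subject + Conditions + Issuer (page rule), then the assumed extra checks."""
    for child in ("saml2:Issuer", "saml2:Subject", "saml2:Conditions"):
        if assertion.find(child, NS) is None:
            return False
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        return False
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    if reference is None or reference.get("URI") != "#" + assertion.get("ID", ""):
        return False  # the signature does not cover this Assertion
    conditions = assertion.find("saml2:Conditions", NS)
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        return False  # assumed check: not yet valid
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        return False  # assumed check: expired
    aud = conditions.find("saml2:AudienceRestriction/saml2:Audience", NS)
    if aud is not None and aud.text != audience:
        return False  # assumed check: meant for another service provider
    return True


def select_assertion(response_xml: str, now, audience="GoodData"):
    """Return the ID of the first valid Assertion, or None when there is none.

    If the response carries an AttributeStatement, it must live inside the
    selected Assertion (the one holding the Subject); otherwise reject.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    root = ET.fromstring(response_xml)
    for assertion in root.findall("saml2:Assertion", NS):
        if _assertion_is_valid(assertion, now, audience):
            anywhere = root.findall(".//saml2:AttributeStatement", NS)
            own = assertion.findall("saml2:AttributeStatement", NS)
            if anywhere and not own:
                return None  # provisioning attributes sit in a different Assertion
            return assertion.get("ID")
    return None


def sample_response(assertions):
    """Constructed sample modelled on the message on this page (hypothetical values).

    assertions: list of (assertion_id, signed, with_attribute_statement) tuples.
    """
    parts = []
    for aid, signed, with_attrs in assertions:
        sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
               f'<ds:Reference URI="#{aid}"/></ds:SignedInfo>'
               '<ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue></ds:Signature>'
               if signed else "")
        attrs = ('<saml2:AttributeStatement><saml2:Attribute Name="jit">'
                 '<saml2:AttributeValue>true</saml2:AttributeValue>'
                 '</saml2:Attribute></saml2:AttributeStatement>' if with_attrs else "")
        parts.append(
            f'<saml2:Assertion ID="{aid}" Version="2.0"><saml2:Issuer>ISSUER_ID</saml2:Issuer>{sig}'
            '<saml2:Subject><saml2:NameID>jane.doe@example.com</saml2:NameID></saml2:Subject>'
            '<saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z">'
            '<saml2:AudienceRestriction><saml2:Audience>GoodData</saml2:Audience>'
            f'</saml2:AudienceRestriction></saml2:Conditions>{attrs}</saml2:Assertion>')
    return (f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}" '
            f'ID="_r1" Version="2.0"><saml2:Issuer>ISSUER_ID</saml2:Issuer>{"".join(parts)}</saml2p:Response>')


if __name__ == "__main__":
    now = "2018-11-01T12:24:36.280Z"
    print(relay_state_is_valid("https://acme.on.gooddata.com/dashboards/#/project/PROJECT_ID"))
    print(select_assertion(sample_response([("_a1", False, False), ("_a2", True, True)]), now))
```

Run it as-is to see one rejected unsigned Assertion followed by an accepted signed one; the point of selecting by ID rather than returning the element is that the caller then pulls the AttributeStatement from exactly that Assertion and nothing else in the response.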
Example: SAML Message
The following is an example of a SAML message with the mandatory SAML attributes provided and the project.id attribute that identifies the workspace where users should be provisioned.
In GoodData, the terms workspace and project denote the same entity. For example, a project ID is exactly the same as a workspace ID. See Find the Workspace ID.
<!-- UPPER_CASE values are placeholders filled in by the Identity Provider. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin" ID="RESPONSE_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
  <!-- Signature over the whole Response (required when assertion signing is disabled for the domain). -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#RESPONSE_ID">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>DIGEST_VALUE</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <!-- The Assertion ID must match the URI of the enveloped signature's Reference below. -->
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ASSERTION_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#ASSERTION_ID">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>ASSERTION_DIGEST_VALUE</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">GOODDATA_USER_LOGIN</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2018-11-01T12:29:36.280Z" Recipient="https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>GoodData</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-11-01T12:24:36.280Z" SessionIndex="ASSERTION_ID">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- JIT provisioning attributes; must be in the same Assertion as the Subject. -->
    <saml2:AttributeStatement>
      <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="project.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">PROJECT_ID</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
The following is an example of the AttributeStatement element that uses the dataproduct.id and client.id SAML attributes to identify the workspace:
<saml2:AttributeStatement>
  <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="dataproduct.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DATA_PRODUCT_ID</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="client.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CLIENT_ID</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
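The two AttributeStatement examples above differ only in how the target workspace is named. The following Python script is an added example (not GoodData's code) of the service-provider side reading such a statement: it requires jit to be exactly "true", requires user.firstname and user.lastname, and resolves the workspace from either project.id or the dataproduct.id + client.id pair. Rejecting a statement that carries both modes, only half of the pair, or duplicate or multi-valued attributes is an assumption made for this example, not documented GoodData behaviour; the sample_statement() builder and the values it produces are constructed.

```python
"""Resolve JIT provisioning attributes from a saml2:AttributeStatement (added example)."""
import xml.etree.ElementTree as ET  # assumption: use defusedxml in production

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}


def read_attributes(statement):
    """Map Attribute Name -> single string value; duplicate or multi-valued attributes are rejected."""
    attrs = {}
    for attribute in statement.findall("saml2:Attribute", NS):
        name = attribute.get("Name")
        values = [v.text or "" for v in attribute.findall("saml2:AttributeValue", NS)]
        if name is None or name in attrs:
            raise ValueError(f"missing or duplicate attribute name: {name!r}")
        if len(values) != 1:
            raise ValueError(f"attribute {name} must carry exactly one value")
        attrs[name] = values[0].strip()
    return attrs


def resolve_provisioning(statement_xml: str) -> dict:
    """Return {'workspace': {...}, 'first_name': ..., 'last_name': ...} or raise ValueError."""
    statement = ET.fromstring(statement_xml)
    if statement.tag != f"{{{SAML2}}}AttributeStatement":
        raise ValueError("expected a saml2:AttributeStatement element")
    attrs = read_attributes(statement)
    if attrs.get("jit") != "true":
        raise ValueError("jit attribute must be exactly 'true'")
    for required in ("user.firstname", "user.lastname"):
        if not attrs.get(required):
            raise ValueError(f"{required} is required for JIT provisioning")
    by_project = "project.id" in attrs
    by_client = "dataproduct.id" in attrs or "client.id" in attrs
    if by_project == by_client:
        # assumed rule: exactly one way of naming the workspace, never both or neither
        raise ValueError("identify the workspace by project.id OR by dataproduct.id + client.id")
    if by_project:
        workspace = {"project_id": attrs["project.id"]}
    else:
        if not (attrs.get("dataproduct.id") and attrs.get("client.id")):
            raise ValueError("dataproduct.id and client.id must be sent together")
        workspace = {"dataproduct_id": attrs["dataproduct.id"], "client_id": attrs["client.id"]}
    return {"workspace": workspace,
            "first_name": attrs["user.firstname"],
            "last_name": attrs["user.lastname"]}


def sample_statement(attributes: dict) -> str:
    """Constructed sample in the shape of the statements on this page (hypothetical values)."""
    items = "".join(
        f'<saml2:Attribute Name="{name}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        f'<saml2:AttributeValue>{value}</saml2:AttributeValue></saml2:Attribute>'
        for name, value in attributes.items())
    return f'<saml2:AttributeStatement xmlns:saml2="{SAML2}">{items}</saml2:AttributeStatement>'


def rejected(attributes: dict) -> bool:
    """True when resolve_provisioning refuses the constructed statement."""
    try:
        resolve_provisioning(sample_statement(attributes))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = {"jit": "true", "user.firstname": "Jane", "user.lastname": "Doe"}
    print(resolve_provisioning(sample_statement({**base, "project.id": "PROJECT_ID"})))
    print(resolve_provisioning(sample_statement({**base, "dataproduct.id": "DATA_PRODUCT_ID", "client.id": "CLIENT_ID"})))
    print(rejected({**base, "dataproduct.id": "DATA_PRODUCT_ID"}))
```

The strict equality on jit and the single-value rule are deliberate: a provisioning decision should never depend on a loosely parsed flag or on the first of several values an IdP happened to emit.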