Setting up Auth0 Single Sign-On
Auth0 is a third-party authentication service that enables users to be automatically logged in to GoodData seamlessly. When you implement Auth0 in your GoodData domain, users of your workspace can access GoodData without using GoodData-specific credentials.
For more information on Auth0, see https://auth0.com/. For more information on GoodData and SSO, see Single Sign-On Overview.
GoodData uses the SAML protocol for exchanging information with Auth0.
This article provides instructions for configuring Auth0 authentication for your GoodData domain.
This article refers to various elements of the Auth0 user interface and is based on the version of the Auth0 application as of August 8, 2019. Since that date, the Auth0 application may have changed. If you need help with navigating through the Auth0 user interface, see the Auth0 user documentation.
Configure SSO
Access the API endpoints through your GoodData subdomain, https://{your-subdomain-name}.on.gooddata.com (for example, https://example.on.gooddata.com). If your workspaces use whitelabeling, use your domain address instead (for example, https://example.com).
Steps:
1. Log in to your Auth0 Dashboard, go to the Application section, and create a new application for GoodData. When prompted to select the application type, select Regular Web Applications.
2. In the newly created application, go to the Settings tab. Copy the values in the Domain and Client ID fields, and save them for later use.
3. Go to the Add-ons tab, and toggle SAML2 Web App. A popup dialog appears.
4. In the Application Callback URL field, enter the callback URL:
   https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin
5. In the Settings section, update the SSO settings as follows:
   {
     "audience": "GoodData",
     "recipient": "https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin",
     "mappings": {
       "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     },
     "signatureAlgorithm": "rsa-sha256",
     "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     ],
     "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   }
   You can use SHA-256 or stronger digital signature and digest algorithms in the assertion. SHA-1 is not supported (see SHA-1 Signature for SAML).
6. Save the changes.
7. Go to the Usage tab, and do the following:
   a. Copy the value in the Identity Provider Login URL field, and save it for later use.
   b. Download the IdP metadata file.
   c. (Optional) Download the Auth0 certificate.
8. Close the popup dialog, and go back to the Settings tab of the GoodData application.
9. In the Allowed Callback URLs field, enter the application callback URL (see Step 4) and the Identity Provider Login URL (see Step 7a):
   https://{your-subdomain-name}.on.gooddata.com/gdc/account/samllogin, {idp_login_url}
10. In the Allowed Web Origins field, enter the URL of your application portal (optionally including the port). For example:
   https://example.com:8000
11. Save the changes.
12. Determine which SSO scenario you are configuring and follow the relevant instructions:
   - If configuring for a Service Provider-initiated scenario, see SAML SSO with GoodData - Service Provider-initiated Scenario.
   - If configuring for an Identity Provider-initiated scenario, see SAML SSO with GoodData - Identity Provider-initiated Scenario.
13. If you chose the Identity Provider-initiated SSO scenario, test the configured SSO to make sure you can log in to the GoodData workspace using your Auth0 credentials. Otherwise, the configuration is complete.
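The settings block in Step 5 encodes several requirements at once: the recipient must equal the callback URL for your subdomain, the NameID must be the user's e-mail address, and the signature must be SHA-256 or stronger. The script below, added here as an example and not part of the article or of Auth0's or GoodData's own tooling, checks a copy of those settings before you paste them into the add-on. The subdomain "example", the deliberately weak variant, and the use of the Auth0 add-on key digestAlgorithm (which the article's block does not set) are assumptions of this example.

```python
"""Sanity-check the Auth0 'SAML2 Web App' add-on settings for a GoodData domain.

Added example, not from the article or from Auth0/GoodData. It turns the
settings the article asks for (recipient = callback URL, e-mail NameID,
SHA-256 signature) into checks you can run before saving the add-on.
"""
import json
import re

# Claim URI, NameID format and binding taken from the article's settings block.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# SHA-1 is not supported by GoodData; accept SHA-256 or stronger only.
STRONG_SIGNATURE = re.compile(r"^rsa-sha(256|384|512)$")
STRONG_DIGEST = re.compile(r"^sha(256|384|512)$")


def callback_url(subdomain: str) -> str:
    """GoodData SAML callback URL for a subdomain (format from the article)."""
    return f"https://{subdomain}.on.gooddata.com/gdc/account/samllogin"


def check_saml_settings(settings: dict, expected_callback: str) -> list[tuple[str, str]]:
    """Return (level, message) findings. 'error' means the add-on will not work
    with GoodData as the article describes; 'warn' means confirm it by hand."""
    findings = []

    if settings.get("audience") != "GoodData":
        findings.append(("error", "audience must be 'GoodData'"))

    recipient = settings.get("recipient", "")
    if recipient != expected_callback:
        findings.append(("error", f"recipient {recipient!r} != callback {expected_callback!r}"))

    if settings.get("mappings", {}).get("email") != EMAIL_CLAIM:
        findings.append(("error", "mappings.email must be the emailaddress claim URI"))

    if settings.get("nameIdentifierFormat") != EMAIL_NAMEID:
        findings.append(("error", "nameIdentifierFormat must be the emailAddress NameID format"))

    if EMAIL_CLAIM not in settings.get("nameIdentifierProbes", []):
        findings.append(("error", "nameIdentifierProbes must contain the emailaddress claim"))

    if settings.get("binding") != REDIRECT_BINDING:
        findings.append(("error", "binding must be HTTP-Redirect"))

    sig = settings.get("signatureAlgorithm", "")
    if not STRONG_SIGNATURE.match(sig):
        findings.append(("error", f"signatureAlgorithm {sig!r} is not SHA-256 or stronger"))

    # 'digestAlgorithm' is an Auth0 add-on key the article's block does not set
    # (assumption of this example); when absent, the add-on default applies.
    digest = settings.get("digestAlgorithm")
    if digest is None:
        findings.append(("warn", "digestAlgorithm not set; confirm the add-on default is SHA-256 or stronger"))
    elif not STRONG_DIGEST.match(digest):
        findings.append(("error", f"digestAlgorithm {digest!r} is not SHA-256 or stronger"))

    return findings


def is_acceptable(settings: dict, expected_callback: str) -> bool:
    """True when the settings produce no 'error' findings."""
    return not any(level == "error" for level, _ in check_saml_settings(settings, expected_callback))


# Constructed sample: the article's block filled in for the hypothetical subdomain "example".
EXAMPLE_CALLBACK = callback_url("example")
ARTICLE_SETTINGS = json.loads("""
{
  "audience": "GoodData",
  "recipient": "https://example.on.gooddata.com/gdc/account/samllogin",
  "mappings": { "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
  "signatureAlgorithm": "rsa-sha256",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ],
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}
""")

# Constructed weak variant: SHA-1 everywhere and a recipient copied from another tenant.
WEAK_SETTINGS = dict(ARTICLE_SETTINGS,
                     signatureAlgorithm="rsa-sha1",
                     digestAlgorithm="sha1",
                     recipient="https://other.on.gooddata.com/gdc/account/samllogin")

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(name, "OK" if is_acceptable(cfg, EXAMPLE_CALLBACK) else "REJECT")
        for level, msg in check_saml_settings(cfg, EXAMPLE_CALLBACK):
            print(f"  [{level}] {msg}")
```

Run it as a script to see both verdicts; paste your own add-on JSON into ARTICLE_SETTINGS and your subdomain into callback_url() to check a real configuration. A mismatched recipient is the most common copy-and-paste mistake, since the same URL also has to appear in the Application Callback URL field (Step 4) and in Allowed Callback URLs (Step 9).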
Test the SSO Configuration
Testing the SSO configuration is relevant only if you chose to use the Identity Provider-initiated SSO scenario.
Steps:
1. Create an HTML page using the following code (replace the CLIENT_ID, DOMAIN, and IDENTITY_PROVIDER_LOGIN_URL placeholders with your values; see Steps 2 and 7a in the previous procedure):
   <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <HTML>
   <BODY>
   <p> Click on the button to log in </p>
   <script src="https://cdn.auth0.com/js/lock/11.14/lock.min.js"></script>
   <script type="text/javascript">
     // CLIENT_ID and DOMAIN come from the application's Settings tab (Step 2 of the previous procedure).
     var lock = new Auth0Lock('CLIENT_ID', 'DOMAIN', {
       auth: {
         // After a successful login, Auth0 sends the browser to the Identity Provider Login URL (Step 7a).
         redirectUrl: 'IDENTITY_PROVIDER_LOGIN_URL',
         responseType: 'token',
         params: { scope: 'openid' }
       }
     });
     // Opens the Auth0 Lock login dialog when the button is clicked.
     function signin() {
       lock.show();
     }
   </script>
   <button onclick="signin()">Login</button>
   </BODY>
   </HTML>
2. Log in to your Auth0 Dashboard, go to the Application section, and open the GoodData application.
3. Go to the Settings tab.
4. In the Allowed Web Origins field, enter the localhost URL with the port that you are going to use for testing, for example:
   https://127.0.0.1:8000
5. Save the changes.
6. Open the HTML page in a web browser using the localhost URL:
   https://127.0.0.1:8000/{page}.html
   Serve the page from a web server so that the HTTP request has a valid origin. If you open the page directly from the local file system, the connection fails because the request has no valid origin. The page with the Login button opens.
7. Click Login. The Auth0 login page opens.
8. Log in to Auth0 as usual. Auth0 authenticates you and redirects you to your GoodData workspace. The SSO configuration works as expected; you and your users can now access the GoodData workspace using Auth0 SSO.
9. Go back to the GoodData application in your Auth0 dashboard.
10. On the Settings tab, remove the localhost URL from the Allowed Web Origins field, and save the changes.