Many years ago I had the unforgettable experience of being exposed to Oracle Single Sign On (SSO) on a number of occasions. The basic idea is that you log in once to a web page and you can use different web applications without re-authenticating. I never saw it work properly, and I learned to go diving for cover whenever it was mentioned.
Roll forward many years and here I am sitting in a meeting when I’m told we are using SAML, go make it work. Not knowing any better I said, sure I’ll see what I can do. First question to resolve was what exactly is SAML? I’m more of a watch the movie than read the book person, so I found a very helpful, but dull YouTube video on the subject. At the end of this it dawned on me it was SSO with another name, but at this point it was too late to look for cover. Thankfully, I discovered that technology can mature over time. So, I started searching and found an Identity Provider (IdP), this is a piece of software that acts as a trusted login and authentication service.
SAML = Security Assertion Markup Language, and as much as Vic hates using Wikipedia for definitions they do seem to have the easiest to read option.
The parameters of my search for an IdP were that it needed to:
- support SAML 2.0,
- be Open Source,
- be simple to use
- provide more useful features that we could enable long term (things like OAuth, MFA, OpenID ).
So, my quick research on Google and Wikipedia found some possible contenders. These were Keycloak, Shibboleth and Gluu Server. Gluu incorporates Shibboleth into their technology stack providing a wrapper making it easier to manage and set up. This meant I didn’t investigate Shibboleth any further. Keycloak is a JBoss project but I felt the product needed more low-level management than the Gluu Server offering. Both products had wider feature set that could be leveraged at a later date. Gluu has been developed as an Open Source product with a paid enterprise version which includes support and high availability features.
With Gluu as the evaluation product chosen the next step was to prove that it would work. Our test case was implementing SAML with Qlik Sense to test that it would work and the effort involved. A follow-up blog will cover the steps to install Gluu and enable SAML on Qlik. Standing up my first Gluu server on AWS took a better part of a day to install. However, if I needed to do so again it could be easily done in a hour. Integration with Qlik took half a day of head scratching in regard to the correct settings but still surprising easy steps needed once we got it working.
There is still a lot more work to be done in regard to the evaluation before I can say this is the definitive solution for us. There are things such as customisation of the login page, AD syncronisation/replacing the default LDAP service, but it’s a promising start.
Ben writes blogs about the technical side of BI the code, all the code and not much other than the code.
You can read all of Ben’s blog here.
Don’t forget, we can train your team in the art of agile business intelligence at any time!