SAML authentication

This section assumes you have access to an already-configured SAML 2.0 identity provider (IdP). For guidance setting up an IdP, see Configure Dash Enterprise to use common SAML IdPs.

To configure Dash Enterprise to use a SAML 2.0 IdP for authentication, choose Use SAML for authentication and configure it as follows:

  1. Choose an option for the IdP (remote) metadata from the following:

    1. Enter a URL to the IdP (remote) metadata

    2. Provide a file containing the IdP (remote) metadata

    3. No IdP (remote) metadata is available yet: select this if your IdP requires the Dash Enterprise service provider (SP) metadata before it can generate IdP metadata

      • This is an intermediate step; authentication will not work while it is enabled

      • When you have configured your IdP, you must return to the Dash Enterprise Settings and choose one of the other IdP metadata options to proceed

  2. Copy the displayed SP (local) metadata URL and use it to configure your IdP

    • If your IdP requires a metadata file instead of a URL, download the file by visiting this URL in your browser after Dash Enterprise has started

  3. Use name_id from IdP as Plotly Username: leave checked unless you need to use another attribute from your IdP as the username

    • Username values must be 1 to 31 characters long (inclusive) and may contain only alphanumeric characters plus:

      • _ (underscore)

      • . (period)

      • - (hyphen)

    • To use a different attribute as a username, uncheck this option and enter the attribute name in the field that appears

  4. Choose an SSL certificate option. The selected certificate is used as the signing certificate and, if you also check Enable encryption when communicating with the IdP, as the encryption certificate as well (Dash Enterprise uses a different certificate set for SAML than it uses for SSL)

    1. Automatically generate local certificates and keys for SAML: Dash Enterprise will generate self-signed certificates and keys the next time it restarts, to be used for SAML signing and encryption

    2. Provide files containing local certificates and keys: you will need to upload a signing certificate and key, as well as an encryption certificate and key if you enable encryption

  5. Check Enable Signed AuthnRequests if your IdP requires this

  6. If your IdP uses a self-signed certificate for SSL, choose Disable SSL certificate validation when communicating with the IdP to suppress certificate warnings

  7. For additional debugging information during setup, enable the Enable SAML Debugging option

    • Not recommended for production due to the large amount of data generated

  8. To restrict user license creation to a specific LDAP group, enable the Restrict licenses based on LDAP/SAML group membership option and enter the name of the group

    • This group name should match the information sent as the “groups” attribute in the IdP’s SAML assertion

  9. If desired for testing, you can check Enable authentication logs to make authentication logs available via a secret URL

    • Not recommended for production, since authentication logs may contain confidential data
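
A pre-flight check for the IdP metadata chosen in step 1, as an added example that is not part of the Dash Enterprise documentation or product: it reports whether the IdP asks for signed AuthnRequests (step 5) and whether its NameID format is an e-mail address, which cannot satisfy the username rule in step 3. The function names, the result keys and the sample metadata are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Step 3 rule: 1 to 31 characters, alphanumerics plus _ . - (ASCII assumed here).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,31}")

# Constructed sample IdP metadata; not taken from a real IdP.
SAMPLE_METADATA = b"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def valid_username(value):
    """True if value satisfies the username rule from step 3."""
    return USERNAME_RE.fullmatch(value) is not None


def review_idp_metadata(xml_bytes):
    """Summarise the IdP metadata fields relevant to steps 3 and 5."""
    # SAML metadata has no use for a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_bytes)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    uses = {k.get("use", "signing") for k in idp.findall("md:KeyDescriptor", NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_authnrequests": idp.get("WantAuthnRequestsSigned") in ("true", "1"),
        "non_https_sso_endpoints": [u for u in sso if not u.lower().startswith("https://")],
        "has_signing_cert": "signing" in uses,  # a KeyDescriptor without use= covers signing
        # an e-mail NameID contains "@", which the step 3 rule does not allow
        "name_id_is_email": any(f.endswith(":emailAddress") for f in formats),
    }
```

When name_id_is_email is true, expect to uncheck Use name_id from IdP as Plotly Username and enter another attribute whose values pass valid_username.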
