
SAML Authentication

Since version 5.2, CloverDX Server supports single sign-on (SSO) via the SAML 2.0 protocol.

However, authorization is still handled by the CloverDX Server security module, so the user must be registered as a CloverDX user, and their CloverDX username must match their username on the identity provider's (IdP) side.

By default, CloverDX Server allows only its own internal authentication mechanism. To enable authentication with SAML, set the configuration property security.authentication.allowed_domains accordingly. The value of the property is a list of user domains that may be used for authentication, e.g.: security.authentication.allowed_domains = clover,saml

With the setting above, users from both domains may log in. (clover is the identifier of CloverDX internal authentication; it can be changed with the security.default_domain property, but only for white-labeling purposes.) It is recommended to keep both mechanisms allowed until SAML is properly configured.

Note: if the property is set as in the example above and you want to log in using CloverDX Server credentials, add the noSSO parameter to the CloverDX Server URL, for example: http://localhost:8083/clover?noSSO

SAML authentication is set in the configuration file using the following properties:

Table 21.1. SAML Authentication Properties

Name / Description

security.saml.idp_metadata_url
    The URL from which the identity provider's metadata is retrieved. The metadata contains the values of the security.saml.idp_* properties.

security.saml.metadata.idp_entity_id
    The preferred provider entity ID if the metadata contains more than one IdP.

security.saml.metadata.name_id_format
    If the IdP metadata specifies a NameID format, use that one. The NameID formats are:
        urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        urn:oasis:names:tc:SAML:2.0:nameid-format:transient

security.saml.sp_entity_id
    The identifier of the service provider (SP) entity; must be a URI.

security.saml.sp_assertion_consumer_url
    The URL to which the <Response> from the IdP will be returned.

security.saml.sp_nameid_format
    Specifies constraints on the name identifier used to represent the requested subject.

security.saml.idp_entity_id
    The identifier of the IdP entity; must be a URI.

security.saml.idp_sso_service_url
    The URL of the IdP to which the SP will send the Authentication Request message.

security.saml.idp_x509cert
    The public X.509 certificate of the IdP.

security.saml.idp_x509cert_multi.0
    An additional public certificate of the IdP.

security.saml.idp_slo_service_url
    The URL of the IdP to which the SP will send the LogoutRequest message.

security.saml.require_logout_response
    Determines whether a logout response is required to invalidate the local session on the CloverDX Server. Can be set to true or false.


Note: IdP-initiated Single Logout Support

CloverDX Server does not support IdP-initiated single logout.
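As an added example (not taken from the CloverDX documentation), the following configuration fragment combines the properties above into one working setup that keeps the internal login available while SAML is rolled out. Every host name, URL, entity ID and certificate value is a constructed placeholder, and the exact assertion consumer path on the server is an assumption.

```properties
# Added example configuration for CloverDX Server SAML SSO.
# All hosts, URLs, entity IDs and certificate values are placeholders.

# Allow both the internal (clover) domain and SAML while SAML is being set up;
# administrators can still log in with server credentials via .../clover?noSSO
security.authentication.allowed_domains=clover,saml

# Identity provider: the entity ID, SSO/SLO URLs and signing certificate
# (the security.saml.idp_* values) are read from the IdP metadata document
security.saml.idp_metadata_url=https://idp.example.com/saml/metadata.xml
# Choose this IdP if the metadata document describes more than one
security.saml.metadata.idp_entity_id=https://idp.example.com/saml
security.saml.metadata.name_id_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

# Service provider (this CloverDX Server). The entity ID must be a URI and the
# assertion consumer URL is where the IdP returns its <Response>
# (the /acs path is an assumed placeholder, not a documented CloverDX path)
security.saml.sp_entity_id=https://clover.example.com/clover/saml
security.saml.sp_assertion_consumer_url=https://clover.example.com/clover/saml/acs
security.saml.sp_nameid_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

# Require the IdP's logout response before the local session is invalidated
security.saml.require_logout_response=true

# Alternative: set the IdP values explicitly instead of reading them from
# metadata (values supplied by the IdP administrator)
#security.saml.idp_entity_id=https://idp.example.com/saml
#security.saml.idp_sso_service_url=https://idp.example.com/saml/sso
#security.saml.idp_slo_service_url=https://idp.example.com/saml/slo
#security.saml.idp_x509cert=<placeholder: IdP public X.509 certificate>
#security.saml.idp_x509cert_multi.0=<placeholder: additional IdP certificate>
```

Because the SAML username must match a registered CloverDX user, the chosen NameID format should yield the same value as the CloverDX username (here, the e-mail address).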