SSO Connections
Authenticating with SSO
| Service provider | Okta | OneLogin | ADFS | AzureAD |
|---|---|---|---|---|
| Amazon S3 | Y | Y | Y | Y |
| Azure Blob Storage | | | | |
| Azure Data Lake Store Gen1 | | | | |
| Azure Data Lake Store Gen2 | | | | |
| Azure Data Lake Store Gen2 with SSL | | | | |
| Google Drive | | | | |
| OneDrive | | | | |
| Box | | | | |
| Dropbox | | | | |
| SharePoint Online SOAP | Y | Y | Y | |
| SharePoint Online REST | | | | |
| Wasabi | | | | |
| Google Cloud Storage | | | | |
| Oracle Cloud Storage | | | | |
| Azure File | | | | |
AzureAD
Azure AD Configuration
This configuration is built around the OAuth 2.0 On-Behalf-Of flow: the driver authenticates as a "connector" application and uses the resulting token to request a SAML assertion for the SSO application on the user's behalf. It requires two Azure AD applications:
- An application used for the single sign-on process to a specific service provider.
  - Amazon S3: Please follow this link for detailed instructions on how to create this application. Make sure you test the connection and are able to log in to the AWS console from Azure AD.
    Save the step "Assign the Azure AD test user" until after provisioning, so that you can select the AWS roles when assigning the user.
- A "connector" application with the user_impersonation permission on the SSO application you created in the previous step. Go to Azure Active Directory > App registrations and register a new application. After you register it, you need to allow it to call the SSO application's API: go to the API permissions section of the connector app, click "Add a permission", select the API of your SSO application by its API name or Application Id, and add the user_impersonation permission. Grant only this permission; the connector does not need any other API access for the driver to work.
CData Driver Common Properties
The following SSOProperties are needed to authenticate to Azure Active Directory and must be specified for every service provider.
- Resource: The application Id URI of the SSO application, listed in the Overview section of the app registration.
- Tenant: The Id of the Azure AD tenant where the applications are registered. You can find this value using the instructions found here.
The driver retrieves the SSO SAML response through the OAuth 2.0 On-Behalf-Of flow, so the following OAuth connection properties must also be specified:
- OAuthClientId: The application Id of the connector application, listed in the Overview section of the app registration.
- OAuthClientSecret: The client secret value of the connector application. Azure AD displays this value only once, when you create a new client secret (Certificates & secrets section); copy it at that point. Treat it like a password: it lets anyone holding it obtain SAML assertions for users who consented to the connector.
Amazon S3
In addition to the common properties, the following properties must be specified when connecting to Amazon S3 service provider:
- AuthScheme: Set the AuthScheme to AzureAD.
- AWSRoleARN: The ARN of the IAM role. Find this on the Summary page of the IAM role.
- AWSPrincipalARN: The ARN of the identity provider. Find this on the identity provider's summary page.
AuthScheme=AzureAD;InitiateOAuth=GETANDREFRESH;OAuthClientId=d593a1d-ad89-4457-872d-8d7443aaa655;OAuthClientSecret=g9-oy5D_rl9YEKfN-45~3Wm8FgVa2F;SSOProperties='Tenant=94be7-edb4-4fda-ab12-95bfc22b232f;Resource=https://signin.aws.amazon.com/saml;';AWSRoleARN=arn:aws:iam::2153385180:role/AWS_AzureAD;AWSPrincipalARN=arn:aws:iam::215515180:saml-provider/AzureAD;
OneLogin
OneLogin Configuration
You must create an application used for the single sign-on process to a specific provider.
- Sharepoint SOAP: Please follow this link for detailed instructions on how to create this application. Make sure you test the connection and are able to log in to Office 365 from OneLogin. Make sure WS-Trust is enabled in your application; otherwise the CData driver will not be able to connect.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
- AuthScheme: Set the AuthScheme to OneLogin.
- User: The username of the OneLogin account.
- Password: The password of the OneLogin account.
- SSOProperties:
  - Domain (optional): Set this if the domain configured for SSO differs from the domain of the User account.
AuthScheme='OneLogin';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Okta
Okta Configuration
You must create an application used for the single sign-on process to a specific provider.
- Sharepoint SOAP: Please follow this link for detailed instructions on how to create this application and configure SSO. Make sure you test the connection and are able to log in to Office 365 from Okta. Make sure SSO is configured using WS-Federation in your application; otherwise the CData driver will not be able to connect.
- Amazon S3: Please follow this link for detailed instructions on how to create this application and configure SSO. Make sure you test the connection and are able to log in to AWS from Okta. Make sure SSO is configured with SAML 2.0 in your application; otherwise the CData driver will not be able to connect. Ensure that the AWS role assigned in the Okta app has access to the S3 bucket you want to connect to.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
- AuthScheme: Set the AuthScheme to Okta.
- User: The username of the Okta account.
- Password: The password of the Okta account.
- SSOProperties:
  - Domain (optional): Set this if the domain configured for SSO differs from the domain of the User account.
AuthScheme='Okta';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to an Amazon S3 service provider:
- AuthScheme: Set the AuthScheme to Okta.
- User: The username of the Okta account.
- Password: The password of the Okta account.
- SSOLoginURL: Set this to the embedded URL (the app's Embed Link) of your AWS Okta SSO app.
- AWSRoleARN (optional): The ARN of the IAM role. Find this on the Summary page of the IAM role. Required when the SAML assertion lists more than one role for the user.
- AWSPrincipalARN (optional): The ARN of the identity provider. Find this on the identity provider's summary page. The provider must be in the same AWS account as the role.
- SSOProperties:
  - APIToken (optional): Set this to an API token created in your Okta org. It is needed when authenticating through a trusted application or proxy that overrides the Okta client request context.
AuthScheme=Okta;User=OktaUser;Password=OktaPassword;SSOLoginURL='https://{subdomain}.okta.com/home/amazon_aws/0oan2hZLgQiy5d6/272';
ADFS
ADFS Configuration
You must create an application used for the single sign-on process to a specific provider.
- Sharepoint SOAP: Please follow this link for detailed instructions on how to set up ADFS single sign-on for Office 365. Make sure you test the connection and are able to log in to Office 365 from ADFS.
- Amazon S3: Please follow this link for detailed instructions on how to set up ADFS single sign-on for AWS. Make sure you test the connection and are able to log in to AWS from ADFS.
Sharepoint SOAP
The following properties must be specified when connecting to a Sharepoint SOAP service provider:
- AuthScheme: Set the AuthScheme to ADFS.
- User: The username of the ADFS account.
- Password: The password of the ADFS account.
- SSOProperties:
  - Domain (optional): Set this if the domain configured for SSO differs from the domain of the User account.
AuthScheme='ADFS';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to an Amazon S3 service provider:
- AuthScheme: Set the AuthScheme to ADFS.
- SSOLoginURL: Set this to the URL of your ADFS instance.
- User: The username of the ADFS account.
- Password: The password of the ADFS account.
- AWSRoleARN (optional): The ARN of the IAM role. Find this on the Summary page of the IAM role. Required when the SAML assertion lists more than one role for the user.
- AWSPrincipalARN (optional): The ARN of the identity provider. Find this on the identity provider's summary page. The provider must be in the same AWS account as the role.
AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';
ADFS Integrated
The ADFS Integrated flow connects with the credentials of the currently logged-in Windows user. To use it, leave User and Password unset and otherwise follow the same steps as in the ADFS guide above.
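In each of the Amazon S3 configurations above (Azure AD, Okta and ADFS), the identity provider hands back a SAML assertion carrying the AWS Role attribute, and AWSRoleARN/AWSPrincipalARN are only optional while that attribute names a single role. The following added example (not CData's code) shows how to inspect such an assertion offline: it pulls the Audience and the role/provider ARN pairs out of a base64-encoded SAML payload, normalises the pair order (AWS accepts either order), rejects pairs whose role and SAML provider live in different accounts, and then applies the same "exactly one match" rule the driver is assumed to follow when choosing a role. The sample assertion, the 123456789012 account ID and the role names are constructed placeholders; the selection rule is an assumption, as this page does not document the driver's internal logic.

```python
"""Inspect the SAML assertion returned for AWS SSO (added example, not CData code)."""
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
# IAM ARN with a 12-digit account ID; group 1 = account, group 2 = resource type.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/\S+$")

# Constructed sample: two roles in one account, the second value with the ARNs
# in reverse order. Account 123456789012 and the role names are placeholders.
SAMPLE_ASSERTION = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AWS_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/S3ReadOnly,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AzureAD,arn:aws:iam::123456789012:role/S3Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def _assertion(saml_b64):
    """Return the Assertion element, whether the payload is a full samlp:Response
    (SAML POST binding, as Okta/ADFS return) or a bare Assertion (as the Azure AD
    On-Behalf-Of flow returns in access_token)."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.tag == f"{{{SAML_NS}}}Assertion":
        return root
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in payload")
    return assertion


def audience(saml_b64):
    """Audience the IdP issued the assertion for; for AWS this must be AWS_AUDIENCE."""
    el = _assertion(saml_b64).find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return None if el is None or el.text is None else el.text.strip()


def aws_roles(saml_b64):
    """Return [(role_arn, principal_arn), ...] from the AWS Role attribute.
    Each value is "arn,arn" in either order; reject malformed ARNs and pairs
    whose role and SAML provider are in different accounts."""
    pairs = []
    for attr in _assertion(saml_b64).iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"bad Role value: {value.text!r}")
            matches = [ARN_RE.match(p) for p in parts]
            if not all(matches):
                raise ValueError(f"malformed ARN in {value.text!r}")
            if matches[0].group(1) != matches[1].group(1):
                raise ValueError(f"role and provider in different accounts: {value.text!r}")
            kinds = {m.group(2): p for m, p in zip(matches, parts)}
            if set(kinds) != {"role", "saml-provider"}:
                raise ValueError(f"need one role and one saml-provider: {value.text!r}")
            pairs.append((kinds["role"], kinds["saml-provider"]))
    return pairs


def select_role(pairs, role_arn=None, principal_arn=None):
    """Assumed selection rule: the configured AWSRoleARN/AWSPrincipalARN must
    narrow the assertion's roles down to exactly one pair; with a single role
    and nothing configured, that role is used."""
    candidates = [p for p in pairs
                  if (role_arn is None or p[0] == role_arn)
                  and (principal_arn is None or p[1] == principal_arn)]
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} matching roles; set AWSRoleARN/AWSPrincipalARN")
    return candidates[0]


if __name__ == "__main__":
    print("audience:", audience(SAMPLE_RESPONSE_B64))
    for role, provider in aws_roles(SAMPLE_RESPONSE_B64):
        print("role:", role, "via", provider)
```

Run the script against a real assertion by replacing SAMPLE_RESPONSE_B64 with the base64 SAMLResponse captured from your IdP (for example from the browser's network tab during a test login). If aws_roles returns more than one pair, the connection string needs AWSRoleARN (and AWSPrincipalARN when the same role is reachable through two providers); if audience is not https://signin.aws.amazon.com/saml, the SSO application is not issuing assertions for AWS and the Resource or app configuration is wrong.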