SAML Authentication in Jedox

Jedox offers native support for SAML 2.0 (Security Assertion Markup Language), which is an XML-based, open standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP), such as OKTA and ADFS, and a service provider (SP). SAML simplifies the login process by enabling users to access many services with a single sign-on (SSO), which is accomplished through SAML elements packets passed between the service provider (Jedox software) and the identity provider (external entity or party), configured based on SP and IdP metadata.

Single sign-on (SSO) allows you to sign on with one set of credentials and gain access to multiple applications and services. SSO increases security and provides a better user experience by reducing the number of required accounts/passwords and providing simpler access to all the apps and services needed. With Jedox, you only need to set up the Third Party Relying Trust. Authentication can be used in Jedox Web and in clients such as the Excel Add-in.

Activating SAML in Jedox

1. Contact your Jedox sales representative to purchase the service.

2. Choose the implementation that suits you best: SAML-Authorization or SAML-Authentication, to enable Jedox processing of SAML logins in the desired way.

• SAML in Authentication mode

For the authentication mode, users, user groups, and group role assignments must be defined in the Jedox In-Memory DB. Thus, both group assignment and user creation must be done manually. When a Jedox user logs in, Jedox receives the username and SAML attributes of the already verified SAML user, and uses these credentials to decide whether the user can access the In-Memory DB, returning true or false. If true (default behavior), the user must already exist in the In-Memory DB system with the correct group mapping. If false, the user will be rejected by the In-Memory DB. This behavior is similar to that of SSO authentication mode.

• SAML in Authorization mode

This mode is better suited for an application with a larger number of users, as it eliminates the need to manually define users in the Jedox In-Memory DB, leaving this task to the Jedox system instead. In this mode, only group-role assignments need to be defined, using the default mechanism of authorizing a user login by assigning a user group. Jedox receives the username and SAML attributes of the already verified SAML user, and uses these credentials to decide whether the user can access the In-Memory DB (returning true or false), and to which Jedox groups this user belongs. This behavior is similar to that of SSO authorization mode.

3. For the creation of the metadata XML, below are the necessary details from Jedox:

   • Identifier (Entity ID): https://<cloud-id>.cloud.jedox.com/be/saml.php
   • Reply URL (Assertion Consumer Service URL): https://<cloud-id>.cloud.jedox.com/ui/login/
   • Sign-on URL: https://<cloud-id>.cloud.jedox.com/ui/login/
   • Sign-out URL: https://<cloud-id>.cloud.jedox.com/ui/logout/

   The <cloud-id> is a placeholder for your individual Jedox instance and must be replaced accordingly.

4. Add Jedox as a service provider in your corresponding identity provider (IdP) with the details provided in the previous step.

5. Once the application is created, our Support engineers will need the saml-idp-metadata to complete the implementation. The saml-idp-metadata points to the XML metadata path of the identity provider in the form of a URL or file.
   

An example that designates the identity provider as Azure:

saml-idp-metadata "https://login.microsoftonline.com/1506ab1d-5566-43z5-b5b567f22e31f41/federationmetadata/2018-12/federationmetadata.xml"

An example that designates the identity provider as Salesforce:

saml-idp-metadata "https://user-dev-ed.my.salesforce.com/.well-known/samlidp.xml"

6. Approximately 30 minutes of service downtime is required for the implementation.

7. Contact Jedox Support for the implementation. Specify in your email the mode you want to implement, the XML metadata (preferably as a URL), and a timeframe for the downtime.

SAML in Excel COM Add-in

Once SAML has been enabled in Jedox, users can choose the SAML Authentication mode to log in to Excel COM Add-in. When the authentication procedure is initiated, a SAML authentication window will pop up, required for the web-based login to the service provider. For this, the Excel host must allow pop-up dialogs to be displayed.

SAML in Jedox Add-in for Excel 365

Similar to the Excel Add-in, logging in with SAML SSO in Jedox Add-in for Excel 365 requires SAML to be enabled in your Jedox instance (supported versions only). In addition, the Add-in authorization endpoint URL must be included to the redirect URLs in your tenant settings (e.g. Microsoft Azure AD). For this, add the following Add-in authorization endpoint URL: https://xladdin-prod.cloud.jedox.com/api/auth as an additional Reply URL. The redirect URLs can be added only by tenant administrators.

For instances where the saml-idp-metadata was previously implemented from a file, once the endpoint URL is included to the redirect URLs, the saml-idp-metadata for that instance will need to be replaced.

Note that the browser must allow pop-up dialogs to be displayed, otherwise an "Error" will be thrown.

SAML in Jedox Mobile App

Jedox Mobile supports SAML authentication for iOS and Android.

Jedox Mobile App uses the credentials given by and configured in Jedox Web, which are stored encrypted in the Jedox Server. To log in, Jedox Mobile sends the entered credentials to the Jedox Web instance, which then decides whether to allow access to the data or not.

SAML in Jedox OData Hub

SAML is not yet supported in Jedox OData Hub. To access the OData Hub while SAML is enabled, you will need an existing non-SAML user with a password.

Manual login option: NOSSO (No Single Sign-On)

When SAML SSO is configured for a Jedox instance, users who are outside of the organization may need to manually log in, bypassing SSO. To do so, simply add the flag ?nosso to the login URL for Jedox Web, e.g. https://<serveraddress>/ui/login/?nosso, to enable username / password authentication.

The NOSSO option is enabled by default on all Jedox instances. To prevent users from bypassing SSO, contact Jedox Support to disable NOSSO. Disabling NOSSO will disable username / password authentication as well. This feature is available for Jedox Web, Jedox Mobile App, and Excel COM Add-in.

Logout handling

Enabling SAML (single) logout means that during logout, you will be logged out of both Jedox and the identity provider. The next time you login to Jedox, you will have to authenticate in the identity provider again. Note that SAML logout may not be supported by the identity provider.

To enable single logout, contact Jedox Support.

Updated November 4, 2024