Yarkon Server SAML Single Sign On

Yarkon Server supports single sign-on using the standard SAML 2.0 protocol. This means you can connect Yarkon to your Identity Provider so that end users log into the Yarkon client web application with the credentials your enterprise provisions and manages.

Identity Provider Initiated flow

The SAML flow used by Yarkon is the Identity Provider Initiated flow (flow diagram licensed CC BY-SA 3.0).

Yarkon Admin Console Set-up

Use the Yarkon Admin Console to set up your SAML integration with the Identity Provider system you use in your company:

If your Identity Provider system supports it, you can use the Metadata from Yarkon and ingest it directly. Otherwise, you can manually enter the required details:

  • The Callback URL is the Yarkon endpoint the Identity Provider calls once the user's identity is confirmed. It is auto-populated for you, based on the host name you designated for the Yarkon server in your environment.
  • The IdP Login URL is the endpoint in the Identity Provider's domain that Yarkon redirects users to. It depends on the system you have. In this sample, using our Auth0 provider, the endpoint is https://yarkons3.auth0.com/samlp.
  • The IdP Public Cert is the Identity Provider's signing certificate; Yarkon uses it to verify the signature on the SAML responses it receives, so that assertions from any other party, or ones that were tampered with in transit, are rejected. It must be in PEM-encoded X.509 format, and the Identity Provider interface makes it available to you once you set up the integration.

When you are done, Save the settings in Yarkon, and you should be all set. From then on, users who try to access the main Yarkon application page are redirected to the login page presented by the Identity Provider, which also handles their session information. Once the login is verified, the redirect scheme described in the image above opens the Yarkon Web Application.

Identity Provider Set-Up

The set-up on the IdP side depends on which Identity Provider you use. Yarkon expects one of the following SAML attributes to be used:

  • upn
  • email
  • name_id
    The value passed must be the username used in Yarkon, which is the user's email address.

Note that the standard NameID attribute must be used if you are setting up the SP-initiated SAML flow, because it is required for session handling.
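As an added example (not Yarkon's own code), the following Python shows how a Service Provider maps a SAML assertion to a Yarkon username using the three accepted attribute names, and enforces the NameID requirement for the SP-initiated case. It assumes the response's signature has already been verified against the configured IdP Public Cert by the SAML library, and the precedence order upn, then email, then name_id is this example's assumption, not something the page specifies.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (untrusted XML)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names Yarkon accepts; the precedence order is this example's assumption.
ACCEPTED_ATTRIBUTES = ("upn", "email", "name_id")

def resolve_user(saml_response_xml, sp_initiated=False):
    """Map an (already signature-verified) SAML Response to a Yarkon username."""
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if sp_initiated and not name_id:
        raise ValueError("SP-initiated flow requires Subject/NameID for session handling")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0]  # first value wins
    for name in ACCEPTED_ATTRIBUTES:
        if attrs.get(name):
            return {"username": attrs[name], "source": name, "name_id": name_id or None}
    raise ValueError("none of upn/email/name_id present; Yarkon cannot identify the user")

def explain_rejection(saml_response_xml, sp_initiated=False):
    """Return the reason a Response would be rejected, or None if it is acceptable."""
    try:
        resolve_user(saml_response_xml, sp_initiated)
        return None
    except ValueError as exc:
        return str(exc)

def build_response(attributes, name_id=None):
    """Constructed, unsigned sample Response for this example (not real IdP output)."""
    subject = f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>" if name_id else ""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       "</saml:AttributeValue></saml:Attribute>" for n, v in attributes.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f"<saml:Assertion>{subject}<saml:AttributeStatement>{attr_xml}"
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>")

# Constructed sample responses: one without a NameID, one with NameID plus two attributes.
IDP_INITIATED = build_response({"email": "alice@example.com"})
SP_INITIATED = build_response({"upn": "alice@example.com", "email": "other@example.com"},
                              name_id="alice@example.com")

if __name__ == "__main__":
    print(resolve_user(IDP_INITIATED))
    print(explain_rejection(IDP_INITIATED, sp_initiated=True))
```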