Configure User Authentication in MATLAB Online Server

To authenticate user access in MATLAB^® Online Server™, you must configure an identity provider (IdP) that MATLAB Online Server can use to authenticate and allow users. The IdP allows the use of user credentials for the organization through a user name/password prompt or single sign-on, depending on the type of identity provider configured.

At least one IdP must be configured to sign in to MATLAB Online Server. When you issue the command to generate overrides, the command generates a configuration for the IdP of type local (see Local for details) with the user name admin and password that are defined in install.config.

To apply the IdP configuration, edit the settings in the file <matlab_online_server_install_dir>/overrides/<cluster>/<namespace>/authnz.yaml. For example, /opt/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yaml.

Identity Provider

Identity Provider Specification

Field	Default Value	Required or Optional	Description
`identityProviders`	`[]`	Required	List of identity providers configured for use with MATLAB Online Server

In YAML format:

identityProviders:
-	"<list of identity provider configurations>"

Field	Default Value	Required or Optional	Description
`name`	`""`	Required	Name of the identity provider
`displayName`	`""`	Optional	How the identity provider's name is displayed, specified using characters `A-Z`, `a-z`, and `0-9`, with the symbols `_`, `-`, or `.` in between these characters. The maximum `displayName` can be 63 characters long.
`type`	`""`	Required	The type of the identity provider. Based on the type, the identity provider properties vary; see next section.

Identity Provider Types

MATLAB Online Server supports the following types of identity providers:

LOCAL
OAuth 2.0 and OIDC
MSAL
LDAP
SAML

Local

The LOCAL (local) identity provider type sets up the accounts that are in memory. For this identity provider, the accounts must be defined with the properties shown in the following table.

Field	Default Value	Required or Optional	Description
`subjectId`	`""`	Required	User ID or username for the account
`displayName`	`""`	Required	Display name for the account
`password`	`""`	Required	Account password
`groups`	`[]`	Optional	Groups that the user is associated with Example: `["group1","group2"]`
`extra`	`{}`	Optional	Extra metadata that can be added to the user account when they sign in. Do not leave any field in the `extra` section empty. Either specify a value or remove the empty field. If your `extra` section is empty, omit the section entirely. For the LOCAL identity provider only, enclose each metadata value in square brackets, `[]`. Example: `{uid: ["1001"], department: ["MATLAB Online Server"]}`

Values in the settings for groups and extra are user-defined and not validated in any way.

In YAML format:

identityProviders:
  - id: "local"
    type: "local"
    displayName: "local"
    accounts:
      - subjectId: "admin"
        displayName: "Admin"
        password: "admin"
        groups: ["admin"]
        extra: {}
      - subjectId: "stateful"
        password: "stateful"
        extra: {}

OAuth 2.0 and OIDC

OAuth 2.0 is an authorization protocol that allows third-party applications such as MATLAB Online Server to access resources on behalf of a user by obtaining an access token.

OpenID Connect (OIDC) is an authentication protocol that layers additional functionality on top of OAuth 2.0, most importantly an additional ID token containing user identification information. MATLAB Online Server does not currently support this ID token and instead requires a user information endpoint from the OAuth 2.0 protocol described in the OpenID specification.

To integrate MATLAB Online Server with an OAuth 2.0 and OIDC identity provider (IdP) the identityProviders configuration supports the extra properties shown in the table.

Field	Default Value	Required or Optional	Description
`id`	`""`	Required	Specifies an identifier for this `identityProviders` configuration.
`type`	`""`	Required	Identity provider type. For the OAuth 2.0 provider, `type` must be `"oauth"`.
`clientId`	`""`	Required	Client identifier, which must be the same as the client identifier specified in the IdP. Note The supplied Kubernetes^® secret must be the client secret associated with this `clientId`.
`oidc`	`""`	Optional (Required if `authorizationLocation`, `tokenLocation`, and `graphLocation` are not specified)	Specifies a URL that MATLAB Online Server uses to look up the authorization, token, and user endpoints required by the OIDC protocol. Specify these subfields: `enabled` — Set this subfield to `true` to enable specifying the URL from which to look up the endpoints. If you set this subfield to `false` or omit the `oidc` field, specify these endpoints in the `authorizationLocation`, `tokenLocation`, and `graphLocation` fields. `discoveryUrl` — URL used to look up the endpoints. Get this URL from your identity provider. This URL typically contains `/.well-known/` in the path. `retryMode` — Mode that the `authnz` service uses to fetch OIDC information from `discoveryUrl` after an unsuccessful attempt, specified as one of these strings: `"retry"` (default) — Fetch information from `discoveryUrl` every 2ⁿ seconds (1, 2, 4, and so on). If the `authnz` service is unable to fetch information after 64 seconds, Kubernetes might restart the service after a few minutes. `"bypass"` — Perform no operation and log any error messages. `"panic"` — Send a "panic operation" to Kubernetes so that it attempts to restart the pod. The `authnz` service then attempts to fetch the OIDC information again after restarting. You must specify either the `oidc` field or the `authorizationLocation`, `tokenLocation`, and `graphLocation` fields, but not both. Example: oidc: enabled: true discoveryUrl: https://host/.well-known/... retryMode: "bypass"
`authorizationLocation`	`""`	Optional (Required if `oidc` is not specified)	Specifies the authorization endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18. If you set the `oidc` field to look up this endpoint from a discovery URL, omit this field. Example: `authorizationLocation: "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/auth"`
`tokenLocation`	`""`	Optional (Required if `oidc` is not specified)	Specifies the token endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18. If you set the `oidc` field to look up this endpoint from a discovery URL, omit this field. Example: `tokenLocation: "https://keycloak.example.com/realms/example-realm/protocol/protocol/openid-connect/token"`
`graphLocation`	`""`	Optional (Required if `oidc` is not specified)	Specifies the user information endpoint described in https://openid.net/specs/openid-connect-core-1_0.html#UserInfo. This endpoint must use the HTTPS protocol and can include port, path, and query parameters. If you set the `oidc` field to look up this endpoint from a discovery URL, omit this field. Example: `graphLocation: https://keycloak.example.com/realms/example-realm/protocol/openid-connect/userinfo`
`redirectpath`	`"/authnz/oauth/code"`	Optional	Specifies the path portion of the redirection endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18. With the default value, the result will be `https://fully-qualified-domain-name-of-mos-install/authnz/oauth/code`. Example: `redirectpath: "/authnz/oauth/code"`
`secretName`	`"oauth-client"`	Optional	Specifies the Kubernetes secret used to specify the secret associated with the `clientId`.
`secretKey`	`"secretFile.yaml"`	Optional	Specifies the name of the field in the Kubernetes secret used hold the secret value. Example: This example shows the sample contents of a secrets YAML file. apiVersion: "v1" kind: "Secret" metadata: name: "oauth-client" data: secret: "amwXbWYtcmVhbG0XZ2VjcmV0" To add this secret file to the Kubernetes cluster, use this command. `kubectl apply -f "secretFile.yaml"`
`scopes`	`"user.read,openid,profile,email"`	Optional	Comma-separated list of scopes that OAuth 2.0 protocol has. Do not insert a space after each comma.
`pkce`	`""`	Optional	The `pkce` field enables you to extend the OAuth 2.0 protocol and use the proof key for code exchange (PKCE) protocol for authentication. The `pkce` field has these subfields. `enabled` — Set this subfield to `true` to enable PKCE. To disable PKCE, set this subfield to `false` or omit the `pkce` field. `challengeMethod` — Challenge method used to encode the authentication string sent between MATLAB Online Server and the identity provider, specified as `"S256"` (SHA256 encoding—default if you omit this field) or `"plain"` (plain-text encoding—not recommended). `challengeLength` — Length of the authentication string, specified as an integer from `32` to `96`. If you omit this field, the default string length is 32 characters. For more details on PKCE, see https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce. Example: pkce: enabled: true challengeMethod: "S256" challengeLength: 32
`subjectAttributeMapping`	`{}`	Optional	Mapping between the keys in the OpenID Connect claims to values needed by MATLAB Online Server. Enclose each `subjectAttributeMapping` field value in quotes. Valid fields are as follows: subjectAttributeMapping: displayName: "displayNameClaimKey" subjectId: "subjectIdClaimKey" groups: "groupsClaimKey" extra: email: "emailClaimKey" uid: "userIdClaimKey" gid: "groupIdClaimKey" `displayName` — Controls the key that the IdP uses to specify the username in the MATLAB Online Server user interface. `subjectId` — Default mapping field for the user account. This value comes from the OpenID Connect claims. This name is also used when checking out a license from the license server. Consequently, the license server log contains the value associated with this key in the claim. `groups` — Defines the key used by the IdP to identify the values for what groups the user belongs to. You can use these values in the `allowedGroups` field of the `matlab-pool` YAML file to restrict MATLAB access to specific user groups. `extra` — Customization fields relating to the network file system (NFS): `email` — Email address of user `uid` — Mapping to a UNIX^® user ID (UID) `gid` — Mapping to a UNIX group ID (GID) Do not leave any field in the `extra` section empty. Either specify a value or remove the empty field. If your `extra` section is empty, omit the section entirely.

This authnz.yaml file shows a sample OIDC specification.

replicaCount: 1
identityProviders:
  - id: "oauth"
    type: "oauth"
    clientId: "example-realm-oidc"
    authorizationLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/auth"
    tokenLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/token"
    graphLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/userinfo"
    scopes: "openid,profile,roles"
    subjectAttributeMapping:
      subjectId: "preferred_username"
      displayName: "preferred_username"
      groups: "groups"
      extra:
        email: "email"
        uid: "uidNumber"
        gid: "gidNumber"

The graphLocation, the user information endpoint, returns a JSON response similar to the following:

{\"sub\":\"269e67a3-877a-4525-9c88-fb8707ac7a93\",\"randomAttribute\":\"user1RandomAttribute\",
\"resource_access\":{\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",
\"view-profile\"]}},\"email_verified\":false,\"groups\":[\"non-gpu\",\"user\"],
\"preferred_username\":\"user1\",\"given_name\":\"user1_FirstName\",
\"realm_access\":{\"roles\":[\"non-gpu\",\"user\"]},\"uidNumber\":\"7777\",
\"name\":\"user1_FirstName user1_LastName\",\"gidNumber\":\"7777\",
\"family_name\":\"user1_LastName\",\"email\":\"user1@example.com\"}

The license server logs an entry similar to the following:

21:52:53 (MLM) OUT: "MATLAB" user1@mathworks-matlab-pool-7b775bc559-ct2vv

Additionally, the MATLAB Online Server user interface displays "user1" as the username.

If other attributes passed as claims from the IdP must show up in the license server logs and MATLAB Online Server user interface, then update the mapping. For example, suppose you use randomAttribute instead of preferred_name for the license log entry and the username in the user interface.

identityProviders:
  - id: oauth 
    type: oauth 
    clientId: ex-realm-oidc 
      authorizationLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/auth
      tokenLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/token
      graphLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/userinfo
      scopes: "openid,profile,roles"
      subjectAttributeMapping:
        subjectId: "randomAttribute"
        displayName: "name"
        groups: "groups"
        extra:
          email: "email"

The license server will contain an entry similar to the following:

21:52:53 (MLM) OUT: "MATLAB" user1RandomAttribute@mathworks-matlab-pool-7b775bc559-ct2vv

The MATLAB Online Server user interface displays "user1_FirstName user1_LastName" as the username.

Because the value set for the groups field in the sample subjectAttributeMapping above and the associated values of the claims returned by the IdP, the user is allowed to access a matlab-pool configuration with the following in the associated matlab-pool.yaml file.

resourceDefinition:
  allowedGroups:
  - "gpu"

MSAL

The Microsoft^® Security Authentication Library (MSAL) software package provides simplified configuration options for the OAuth 2.0 and OIDC authentication protocols. If you host the identity provider in Azure^®, you can use this authentication method as a more streamlined alternative to the standard OAuth 2.0 and OIDC methods. If you want to delegate access to Azure storage resources in MATLAB Online Server, then you must use MSAL. For more details on Azure delegation, see Enable Access to Azure Storage Using Delegation.

Field	Default Value	Required or Optional	Description
`clientId`	`""`	Required	Client ID value. Enclose the client ID in quotes.
`tenantId`	`""`	Required	Tenant ID value. Enclose the tenant ID in quotes.
`clientType`	`"confidential"`	Optional	Type of OAuth 2.0 and OIDC client, specified as one of these values. `"confidential"` (default) — Confidential client, which requires deploying your client secret as a Kubernetes secret on the server. You can obtain the client secret from your identity provider hosted in Azure. `"public"` — Public client, which does not require deployment of a Kubernetes secret.
`redirectPath`	`"/authnz/msal/code"`	Optional	Specifies the path portion of the redirection endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18.
`scopes`	`"https://graph.microsoft.com/.default"`	Optional	Comma-separated list of scopes used to obtain login and user information. Do not insert a space after each comma.
`useGroups`	`false`	Optional	When set to true, the MATLAB Online Server authentication service expects groups returned in the ID token (`IDToken`) returned by the identity provider. You must configure your ID token to include groups. For more details, see Configure groups optional claims (Microsoft).
`subjectAttributeMapping`	`{}`	Required	Mapping between the keys in the OpenID Connect claims to values needed by MATLAB Online Server. Enclose each `subjectAttributeMapping` field value in quotes. Valid fields are as follows: subjectAttributeMapping: displayName: "displayNameClaimKey" subjectId: "subjectIdClaimKey" groups: "groupsClaimKey" extra: email: "emailClaimKey" uid: "userIdClaimKey" gid: "groupIdClaimKey" `displayName` — Controls the key that the IdP uses to specify the username in the MATLAB Online Server user interface. `subjectId` — Default mapping field for the user account. This value comes from the OpenID Connect claims. This name is also used when checking out a license from the license server. Consequently, the license server log contains the value associated with this key in the claim. `groups` — Defines the key used by the IdP to identify the values for what groups the user belongs to. You can use these values in the `allowedGroups` field of the `matlab-pool` YAML file to restrict MATLAB access to specific user groups. `extra` — Customization fields relating to the network file system (NFS): `email` — Email address of user `uid` — Mapping to a UNIX user ID (UID) `gid` — Mapping to a UNIX group ID (GID) Do not leave any field in the `extra` section empty. Either specify a value or remove the empty field. If your `extra` section is empty, omit the section entirely.

This authnz.yaml file shows a sample MSAL specification. Any attributes that use default values can be omitted.

identityProviders:
  - id: msal
    type: msal
    displayName: "msal"
    clientId: "<client ID>"
    tenantId: "<tenant ID>"
    clientType: "confidential"
    redirectPath: "/authnz/msal/code"
    scopes: "https://graph.microsoft.com/.default"
    useGroups: false
    subjectAttributeMapping:
      subjectId: "oid"
      displayName: "preferred_username"
      groups: "groups"
      extra: {}

LDAP

Lightweight Directory Access Protocol, also known as LDAP, is used to manage user identities. Identity management for MATLAB Online Server can apply user information from sources that you specify. The LDAP (ldap) identity provider type provides access control and tells MATLAB Online Server how to map user information tables to user information that MATLAB Online Server needs to manage these users.

For more about LDAP settings, visit https://ldap.com/.

The LDAP identity provider type requires extra properties, shown in the following table:

Field	Default Value	Required or Optional	Description
`host`	`""`	Required	Specifies the host address for the LDAP, for example: `"ldapserver.yourcompany.com"`.
`port`	`""`	Required	Specifies the LDAP port at the host address, for example: `"389"` for regular LDAP and `"636"` for secure LDAP.
`useStartTls`	`false`	Optional	Specifies if your LDAP server requires start TLS for connection. You must add the trusted certificates to the MATLAB Online Server trust store. See Add Certificates to MATLAB Online Server Trust Store.
`useSsl`	`false`	Optional	Specifies if your LDAP server requires SSL for connection. You must add the trusted certificates to the MATLAB Online Server trust store. See Add Certificates to MATLAB Online Server Trust Store.
`baseDn`	`""`	Required	Specifies the starting point for the search tree in your LDAP environment. For example: `"dc=ldap,dc=yourcompany,dc=com"`
`filter`	`""`	Required	Specifies an LDAP search filter. Use the search filter to scan a subset of users from the LDAP database. This allows you to reduce the scope of the LDAP search and control which organizational user may access MATLAB Online Server. You can leverage variable substitution to configure how the username is provided to LDAP, for example: `"(CN={0})"`. Specify the search filter as `attribute=value`, for example, `CN=test*` matches all users that have a common name (CN) attribute that starts with `test`. Use parentheses to combine multiple filter expression in an AND (&) or OR (\|) clause. For example, `"(&(CN={0})(department=foo))"` matches all users that are in department `foo`. The default search filter is `objectClass=organizationalPerson`. For more information on search filters, see LDAP filters at `https://ldap.com/ldap-filters`.
`adminDn`	`""`	Required	Specifies the administrator account used to establish the connection to the LDAP server, for example: `"cn=readonly"`. This account is used to query LDAP for the list of users. The account requires only read access to the directory and does not attempt to store information back into LDAP.
`adminPassword`	`""`	Required	Specifies the administrator account password used to establish the connection to the LDAP server.
`subjectAttributeMapping`	`{}`	Required	Mapping between your internal LDAP values to values needed by MATLAB Online Server. For example, your user’s first name might be stored as `displayFirstName` in the LDAP system. To map this value in MATLAB Online Server set `displayName: "displayFirstName"`. Enclose each `subjectAttributeMapping` value in quotes. Valid fields are as follows: subjectAttributeMapping: subjectId: "subject_id" displayName: "display_name" groups: "groups" extra: email: "email_address" uid: "uid_number" gid: "gid_number" `displayName` is an optional attribute that controls what is displayed for the username in the upper-right corner of MATLAB Online Server. The `subjectId` is the default mapping field for the user account, normally “cn”. The extra fields are for additional customization relating to the network files system (NFS): `extra.uid` – the mapping to a Unix UID id Do not leave any field in the `extra` section empty. Either specify a value or remove the empty field. If your `extra` section is empty, omit the section entirely.

In YAML format:

identityProviders:
  - id: "ldap"
    type: "ldap"
    displayName: "LDAP"
    host: "ldap"
    port: 636
    useStartTls: true
    useSsl: true
    baseDn: "dc=matlabonlineserver,dc=mwcloudtest,dc=com"
    filter: "(uid={0})"
    adminDn: "cn=readonly,dc=matlabonlineserver,dc=mwcloudtest,dc=com"
    adminPassword: "readonly"
    subjectAttributeMapping:
      subjectId: "uid"
      displayName: "cn"
      groups: "groups"
      extra:
        uid: "uidNumber"

Add Certificates to MATLAB Online Server Trust Store

When you use LDAPS or LDAP with TLS, you must add the certificates to the global trust store. These certificates are validated against the LDAP/LDAPS server to establish a secure connection.

You must add the certificate information, shown in the following table, to authnz.yaml.

Field Default Value Required or Optional Description

Field	Default Value	Required or Optional	Description
`validateCertificate`	`true`	Optional	The `validateCertificate` field enables the certificate verification for the authnz service while communicating to the external identity providers. As an example, when LDAP is being used with useSSL= true or useTLS = true, the secure communication will be validated. If this field is disabled, the communication will still be LDAPS, but the certificate verification will be skipped.
`trustedCertificates`	`""`	Optional	The server certificates that are required for communicating with the external identity providers in the authnz service must be provided using the `trustedCertificates` field. For example, when LDAP is being used with useSSL= true or useTLS = true, the secure communication must be validated and server certificates must be provided using this field. If the certificates are not provided, the LDAPS communication fails.

validateCertificate

true

Optional

The validateCertificate field enables the certificate verification for the authnz service while communicating to the external identity providers.

As an example, when LDAP is being used with useSSL= true or useTLS = true, the secure communication will be validated.

If this field is disabled, the communication will still be LDAPS, but the certificate verification will be skipped.

trustedCertificates

""

Optional

The server certificates that are required for communicating with the external identity providers in the authnz service must be provided using the trustedCertificates field.

For example, when LDAP is being used with useSSL= true or useTLS = true, the secure communication must be validated and server certificates must be provided using this field.

If the certificates are not provided, the LDAPS communication fails.

In YAML format:

global:
  tls:
    validateCertificate: true
    trustedCertificates: | 
          -----BEGIN CERTIFICATE-----
          MIIC5DCCAk2gAwIBAgIUZhnmeMmayNSTcAI2hgyxQt6GotUwDQYJKoZIhvcNAQEL
          ...
          VA/d/fQ+yxUjlDBc6ly/OwVFtIr0QykE
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          BQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGTmF0aWNr
          ...
          EdUg4pCYWUyFgGA/QCg4EniQEMN
          -----END CERTIFICATE-----

The certificates must be formatted using PEM. For details on PEM, see:

SAML

Security Assertion Markup Language (SAML) is used to communicate with an identity provider. The SAML configuration for MATLAB Online Server ensures that the identities used to control access to MATLAB Online Server are managed by the Enterprise Identity Provider.

For more information about SAML settings, see https://wiki.oasis-open.org/security/.

The SAML identity provider type has extra properties, as shown in the following table:

Field	Default Value	Required or Optional	Description
`authRequestBinding`	`"POST"`	Optional	Binding method used for sending authentication requests to the Identity Provider, specified as `"POST"` (HTTP POST) or `"Redirect"` (HTTP Redirect). The HTTP Redirect method sends request data as query parameters in the URL, whereas HTTP POST method sends data more securely in the request body.
`assertionConsumerPath`	`"/authnz/saml/code"`	Optional	The assertion consumer service (ACS) endpoint is a location where the SSO tokens are sent. ACS is applicable to all SAML versions and both the IdP-initiated and SP-initiated SSO profiles.
`corsAllowOriginDomain`	`""`	Required	The fully qualified domain name of the server that communicates with MATLAB Online Server, for example, `samlintegrationhost.yourcompanydomain.com`.
`relyingPartyId`	`""`	Required	The hostname for the server that integrates with the SAML Identity Provider. This value is typically the hostname of the DNS entry for your MATLAB Online Server Kubernetes cluster, but depending on the integration product or service being used to expose the Identity Provider via the SAML system, this value can also be an arbitrary identifier.
`subjectAttributeMapping`	`{}`	Required	The subject attribute mapping lets you set values for the user attributes that map to your organizational SAML assertion values. For example, your user’s first name might be stored as displayFirstName in the SAML system. To map this in MATLAB Online Server, set `displayName: displayFirstName`. Enclose each `subjectAttributeMapping` field value in quotes. Valid fields are as follows: subjectAttributeMapping: subjectId: "<subject_id>" displayName: "<display_name>" groups: "<groups>" extra: email: "<email_address>" uid: "<uid_number>" gid: "<gid_number>" `displayName` is an optional attribute that controls what is displayed for the user name in the upper-right corner of MATLAB Online Server. `subjectId` is the default mapping field for the user account. This value comes from the SAML assertions sent as part of a successful login. `groups` is an optional attribute that defines what groups the user belongs to. `extra` contains customization fields relating to the network file system (NFS): `email` — Email address of user `uid` — the mapping to a Unix user ID (UID) `gid` — the mapping to a Unix group ID (GID) Do not leave any field in the `extra` section empty. Either specify a value or remove the empty field. If your `extra` section is empty, omit the section entirely.
`supportIdpInitiated`	`false`	Optional	Set this field to `true` to enable the use of an IdP-initiated workflow for accessing applications hosted on MATLAB Online Server. In an IdP-initiated workflow, users sign in directly to their organization's IdP using their SSO credentials. The IdP then authenticates users and redirects them to their organization's application portal, from which they can select the applications they have access to (for example, MATLAB Online™). To enable IdP-initiated workflows, follows these steps: On your IdP server, set the default relay state parameter. This parameter specifies the application (for example, MATLAB Online) that the IdP redirect users to after they select it from their organization's application portal. The exact name of default relay state parameter varies by IdP vendor, for example, "IDP Initiated SSO Relay State" or "Default Relay State". Specify the parameter using this format: `idpIssuerName\|idpRedirectUrl` `idpIssuerName` is the name you want to use to identify the IdP issuer on the network. You can specify `idpIssuerName` as an arbitrary string or include IdP issuer information, such as the issuer URL, in this name. This string does not have to be unique. You can reuse an IdP issuer name specified in other applications. `idpRedirectUrl` is the endpoint of the application that the IdP redirects users to. Examples: http://www.okta.com/PBtz21eR9DUkTAz8cQsD\|https://mos.example.com/matlabonline mos-client-idp\|https://mos.example.com/matlabonline In MATLAB Online Server, in the `authnz.yaml` file: Set `supportIdpInitiated` to `true`. Set `idPIssuer` to the value of the `idpIssuerName` part of the default relay state parameter. Omit this field or set it to `false` to initiate authentication of a user's SSO credentials through the service provider (SP), which in this case is MATLAB Online Server. In an SP-initiated workflow, users sign in directly to MATLAB Online, and the server connects to the identity provider to authenticate the credentials of the user.
`idpIssuer`	`""`	Optional (Required if `supportIdpInitiated` is `true`)	IdP issuer used to authenticate users in IdP-initiated workflows. This field uniquely identifies the IdP issuer on the network, enabling MATLAB Online Server to connect to it. Set `idpIssuer` to the `idpIssuerName` part of the default relay state parameter specified on the IdP server. For more details, see the `supportIdpInitiated` field. Examples: idpIssuer: "http://www.okta.com/PBtz21eR9DUkTAz8cQsD" idpIssuer: "mos-client-idp" This field applies only when `supportIdpInitiated` is set to `true`.
`idpMetadataUrl`	`""`	Optional (You must specify either `idpMetadataUrl` or `idpMetadataXml`, but not both)	URL to the required SAML metadata for SP-initiated or IdP-initiated profiles.
`idpMetadataXml`	`""`	Optional (You must specify either `idpMetadataUrl` or `idpMetadataXml`, but not both)	The value of `idpMetadataXml` is a block of XML that is exported by the SAML Identity Provider. You can paste the exported XML into this field, but the field must be properly formatted YAML. Otherwise, `mosadm` is unable to deploy the AuthNZ details. Depending on the integration product or service being used to expose the Identity Provider via SAML, there might be newline characters. Delete those newline characters from the metadata XML before pasting the code into `authnz.yaml`.

In YAML format:

identityProviders:
  - id: "saml"
    type: "saml"
    assertionConsumerPath: "/service/assertionConsumer"
    corsAllowOriginDomain: "samlintegrationhost.yourcompanydomain.com"
    relyingPartyId: "matlab.domain.com"
    idpMetadataXml: |
        <xml content/>
    subjectAttributeMapping:
      displayName: "name"
      subjectId: "myNameId"
      groups: "groups"
      extra: 
        email: "email"
        uid: "uidNumber"
        gid: "gidNumber"
    supportIdpInitiated: true
    idpIssuer: "idp-issuer-name"
    idpMetadataUrl: "https://<IdP metadata>"

This code specifies both idpMetadataUrl and idpMetadataXml for illustrative purposes. For your YAML file, specify only one or the other of these fields.

If your MATLAB end users access AWS^® storage resources such as Amazon S3™, you can specify additional fields to delegate access to AWS. With delegated access enabled, MATLAB end users can log in with their single sign-on credentials and do not have to provide a separate login to access these resources. For more details on enabling delegated access to AWS resources, see Enable Access to AWS Storage Using Delegation.