
Configure User Authentication in MATLAB Online Server

To authenticate user access in MATLAB® Online Server™, you must configure an identity provider (IdP) that MATLAB Online Server can use to authenticate and allow users. The IdP allows the use of user credentials for the organization through a user name/password prompt or single sign-on, depending on the type of identity provider configured.

At least one IdP must be configured before anyone can sign in to MATLAB Online Server. When you issue the command to generate overrides, the command generates a configuration for an IdP of type local (see Local for details) with the admin user name and password that are defined in install.config.

To apply the IdP configuration, edit the settings in the file <matlab_online_server_install_dir>/overrides/<cluster>/<namespace>/authnz.yaml. For example, /opt/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yaml.

Identity Provider

Identity Provider Specification

Field | Default Value | Required or Optional | Description
identityProviders | [] | Required

List of identity providers configured for use with MATLAB Online Server

In YAML format:

identityProviders:
  - "<list of identity provider configurations>"

Field | Default Value | Required or Optional | Description
name | "" | Required

Name of the identity provider

displayName | "" | Optional

How the identity provider's name is displayed. Use the characters A-Z, a-z, and 0-9, with the symbols _, -, or . allowed only between these characters. displayName can be at most 63 characters long.

type | "" | Required

The type of the identity provider. Based on the type, the identity provider properties vary; see next section.

Identity Provider Types

MATLAB Online Server supports the following types of identity providers:

  • LOCAL

  • OAuth 2.0 and OIDC

  • MSAL

  • LDAP

  • SAML

Local

The LOCAL (local) identity provider type defines user accounts that are held in memory. For this identity provider, define each account with the properties shown in the following table.

Field | Default Value | Required or Optional | Description
subjectId | "" | Required

User ID or username for the account

displayName | "" | Required

Display name for the account

password | "" | Required

Account password

groups | [] | Optional

Groups that the user is associated with

Example: ["group1","group2"]

extra | {} | Optional

Extra metadata that can be added to the user account when they sign in.

Do not leave any field in the extra section empty. Either specify a value or remove the empty field. If your extra section is empty, omit the section entirely.

For the LOCAL identity provider only, enclose each metadata value in square brackets, [].

Example: {uid: ["1001"], department: ["MATLAB Online Server"]}

Values in the settings for groups and extra are user-defined and not validated in any way.

In YAML format:

identityProviders:
  - id: "local"
    type: "local"
    displayName: "local"
    accounts:
      - subjectId: "admin"
        displayName: "Admin"
        password: "admin"
        groups: ["admin"]
        extra: {}
      - subjectId: "stateful"
        password: "stateful"
        extra: {}

OAuth 2.0 and OIDC

OAuth 2.0 is an authorization protocol that allows third-party applications such as MATLAB Online Server to access resources on behalf of a user by obtaining an access token.

OpenID Connect (OIDC) is an authentication protocol that layers additional functionality on top of OAuth 2.0, most importantly an ID token containing user identification information. MATLAB Online Server does not currently support this ID token and instead requires the UserInfo endpoint that the OpenID Connect specification defines on top of OAuth 2.0.

To integrate MATLAB Online Server with an OAuth 2.0 and OIDC identity provider (IdP), the identityProviders configuration supports the extra properties shown in the table.

Field | Default Value | Required or Optional | Description
id | "" | Required

Specifies an identifier for this identityProviders configuration.

type | "" | Required

Identity provider type. For the OAuth 2.0 provider, type must be "oauth".

clientId | "" | Required

Client identifier, which must be the same as the client identifier specified in the IdP.

Note

The supplied Kubernetes® secret must be the client secret associated with this clientId.

oidc | "" | Optional (Required if authorizationLocation, tokenLocation, and graphLocation are not specified)

Specifies a URL that MATLAB Online Server uses to look up the authorization, token, and user endpoints required by the OIDC protocol. Specify these subfields:

  • enabled — Set this subfield to true to enable specifying the URL from which to look up the endpoints. If you set this subfield to false or omit the oidc field, specify these endpoints in the authorizationLocation, tokenLocation, and graphLocation fields.

  • discoveryUrl — URL used to look up the endpoints. Get this URL from your identity provider. This URL typically contains /.well-known/ in the path.

  • retryMode — Mode that the authnz service uses to fetch OIDC information from discoveryUrl after an unsuccessful attempt, specified as one of these strings:

    • "retry" (default) — Fetch information from discoveryUrl with exponential backoff, every 2^n seconds (1, 2, 4, and so on). If the authnz service is unable to fetch the information after 64 seconds, Kubernetes might restart the service after a few minutes.

    • "bypass" — Perform no operation and log any error messages.

    • "panic" — Send a "panic operation" to Kubernetes so that it attempts to restart the pod. The authnz service then attempts to fetch the OIDC information again after restarting.

You must specify either the oidc field or the authorizationLocation, tokenLocation, and graphLocation fields, but not both.

Example:

oidc:
  enabled: true
  discoveryUrl: https://host/.well-known/...
  retryMode: "bypass"

authorizationLocation | "" | Optional (Required if oidc is not specified)

Specifies the authorization endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18.

If you set the oidc field to look up this endpoint from a discovery URL, omit this field.

Example:

authorizationLocation: "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/auth"

tokenLocation | "" | Optional (Required if oidc is not specified)

Specifies the token endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18.

If you set the oidc field to look up this endpoint from a discovery URL, omit this field.

Example:

tokenLocation: "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/token"

graphLocation | "" | Optional (Required if oidc is not specified)

Specifies the user information endpoint described in https://openid.net/specs/openid-connect-core-1_0.html#UserInfo. This endpoint must use the HTTPS protocol and can include port, path, and query parameters. If you set the oidc field to look up this endpoint from a discovery URL, omit this field.

Example:

graphLocation: https://keycloak.example.com/realms/example-realm/protocol/openid-connect/userinfo

redirectpath | "/authnz/oauth/code" | Optional

Specifies the path portion of the redirection endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18.

With the default value, the result will be https://fully-qualified-domain-name-of-mos-install/authnz/oauth/code.

Example:

redirectpath: "/authnz/oauth/code"

secretName | "oauth-client" | Optional

Specifies the name of the Kubernetes secret that holds the client secret associated with the clientId.

secretKey | "secretFile.yaml" | Optional

Specifies the name of the field in the Kubernetes secret that holds the secret value.

Example:

This example shows the sample contents of a secrets YAML file.

apiVersion: "v1"
kind: "Secret"
metadata:
  name: "oauth-client"
data:
  secret: "amwXbWYtcmVhbG0XZ2VjcmV0"

To add this secret file to the Kubernetes cluster, use this command.

kubectl apply -f "secretFile.yaml"

scopes | "user.read,openid,profile,email" | Optional

Comma-separated list of OAuth 2.0 scopes to request from the identity provider. Do not insert a space after each comma.

pkce | "" | Optional

The pkce field extends the OAuth 2.0 authorization code flow with Proof Key for Code Exchange (PKCE). The pkce field has these subfields.

  • enabled — Set this subfield to true to enable PKCE. To disable PKCE, set this subfield to false or omit the pkce field.

  • challengeMethod — Method used to derive the code challenge from the verifier string exchanged between MATLAB Online Server and the identity provider, specified as "S256" (SHA-256 hash, the default if you omit this field) or "plain" (unhashed, not recommended).

  • challengeLength — Length of the verifier string, specified as an integer from 32 to 96. If you omit this field, the default length is 32.

For more details on PKCE, see https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce.

Example:

pkce:
  enabled: true
  challengeMethod: "S256"
  challengeLength: 32

subjectAttributeMapping | {} | Optional

Mapping from the keys in the OpenID Connect claims to the values needed by MATLAB Online Server.

Enclose each subjectAttributeMapping field value in quotes. Valid fields are as follows:

subjectAttributeMapping:
  displayName: "displayNameClaimKey"
  subjectId: "subjectIdClaimKey"
  groups: "groupsClaimKey"
  extra:
    email: "emailClaimKey"
    uid: "userIdClaimKey"
    gid: "groupIdClaimKey"

  • displayName — Claim key whose value is shown as the username in the MATLAB Online Server user interface.

  • subjectId — Default mapping field for the user account. This value comes from the OpenID Connect claims. This name is also used when checking out a license from the license server. Consequently, the license server log contains the value associated with this key in the claim.

  • groups — Defines the key used by the IdP to identify the values for what groups the user belongs to. You can use these values in the allowedGroups field of the matlab-pool YAML file to restrict MATLAB access to specific user groups.

  • extra — Customization fields relating to the network file system (NFS):

    • email — Email address of user

    • uid — Mapping to a UNIX® user ID (UID)

    • gid — Mapping to a UNIX group ID (GID)

    Do not leave any field in the extra section empty. Either specify a value or remove the empty field. If your extra section is empty, omit the section entirely.
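As an added example (not MATLAB Online Server code; the authnz service's implementation is not public), the following Python resolves the three endpoint fields from either oidc or the explicit authorizationLocation, tokenLocation and graphLocation settings, derives the PKCE code challenge for the configured challengeMethod, and assembles the authorization request from clientId, redirectpath and scopes. The discovery document is constructed inline rather than fetched, and challengeLength is assumed to count random bytes before base64url encoding.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed OIDC discovery document: what a GET of oidc.discoveryUrl
# returns. Only the three members the authnz service needs are shown.
DISCOVERY_JSON = json.dumps({
    "authorization_endpoint": "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/userinfo",
})

LOCATION_FIELDS = ("authorizationLocation", "tokenLocation", "graphLocation")
DISCOVERY_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def resolve_endpoints(idp: dict, discovery_json: str = "") -> dict:
    """Return {field: URL} for one oauth entry, enforcing the rule that it uses
    either oidc or the explicit *Location fields (never both) and HTTPS userinfo."""
    oidc = idp.get("oidc") or {}
    explicit = {f: idp[f] for f in LOCATION_FIELDS if idp.get(f)}
    if oidc.get("enabled"):
        if explicit:
            raise ValueError("specify either oidc or the *Location fields, not both")
        if not str(oidc.get("discoveryUrl", "")).startswith("https://"):
            raise ValueError("oidc.discoveryUrl must be an https:// URL")
        doc = json.loads(discovery_json)  # caller has already fetched discoveryUrl
        return {f: doc[k] for f, k in zip(LOCATION_FIELDS, DISCOVERY_KEYS)}
    missing = [f for f in LOCATION_FIELDS if f not in explicit]
    if missing:
        raise ValueError(f"oidc is not enabled, so these fields are required: {missing}")
    if not explicit["graphLocation"].startswith("https://"):
        raise ValueError("graphLocation must use the HTTPS protocol")
    return explicit


def make_code_verifier(challenge_length: int = 32) -> str:
    """PKCE code_verifier. Assumption: challengeLength counts random bytes, and
    base64url-encoding 32 to 96 bytes gives the 43 to 128 chars RFC 7636 allows."""
    if not 32 <= challenge_length <= 96:
        raise ValueError("challengeLength must be an integer from 32 to 96")
    raw = secrets.token_bytes(challenge_length)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, challenge_method: str = "S256") -> str:
    """code_challenge for the configured challengeMethod (RFC 7636 section 4.2)."""
    if challenge_method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if challenge_method == "plain":
        # The verifier itself travels in the authorization request, so anyone
        # who observes that request can complete the code exchange.
        return verifier
    raise ValueError(f"unsupported challengeMethod {challenge_method!r}")


def build_authorization_request(idp: dict, server_fqdn: str, state: str,
                                verifier: str, discovery_json: str = "") -> str:
    """URL of the authorization request for one oauth identityProviders entry."""
    endpoints = resolve_endpoints(idp, discovery_json)
    scopes = idp.get("scopes", "user.read,openid,profile,email").split(",")
    if any(not s or s != s.strip() for s in scopes):
        raise ValueError("scopes must be comma-separated with no spaces")
    params = {
        "response_type": "code",
        "client_id": idp["clientId"],
        # redirectpath is only the path; the server's FQDN completes the URI.
        "redirect_uri": f"https://{server_fqdn}{idp.get('redirectpath', '/authnz/oauth/code')}",
        "scope": " ".join(scopes),  # space-delimited on the wire (RFC 6749 3.3)
        "state": state,
    }
    pkce = idp.get("pkce") or {}
    if pkce.get("enabled"):
        method = pkce.get("challengeMethod", "S256")
        params["code_challenge"] = make_code_challenge(verifier, method)
        params["code_challenge_method"] = method
    return endpoints["authorizationLocation"] + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed entry modelled on the sample OIDC specification on this page.
    idp = {"id": "oauth", "type": "oauth", "clientId": "example-realm-oidc",
           "oidc": {"enabled": True, "discoveryUrl": "https://keycloak.example.com/realms/example-realm/.well-known/openid-configuration"},
           "scopes": "openid,profile,roles",
           "pkce": {"enabled": True, "challengeMethod": "S256", "challengeLength": 32}}
    verifier = make_code_verifier(idp["pkce"]["challengeLength"])
    print(build_authorization_request(idp, "mos.example.com", secrets.token_urlsafe(16), verifier, DISCOVERY_JSON))
```

The S256 check in the test uses the code_verifier and code_challenge pair published in RFC 7636 Appendix B.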

This authnz.yaml file shows a sample OIDC specification.

replicaCount: 1
identityProviders:
  - id: "oauth"
    type: "oauth"
    clientId: "example-realm-oidc"
    authorizationLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/auth"
    tokenLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/token"
    graphLocation: "https://example-keycloak.example.com/realms/example-realm/protocol/openid-connect/userinfo"
    scopes: "openid,profile,roles"
    subjectAttributeMapping:
      subjectId: "preferred_username"
      displayName: "preferred_username"
      groups: "groups"
      extra:
        email: "email"
        uid: "uidNumber"
        gid: "gidNumber"

The graphLocation, the user information endpoint, returns a JSON response similar to the following:

{
  "sub": "269e67a3-877a-4525-9c88-fb8707ac7a93",
  "randomAttribute": "user1RandomAttribute",
  "resource_access": {
    "account": {
      "roles": ["manage-account", "manage-account-links", "view-profile"]
    }
  },
  "email_verified": false,
  "groups": ["non-gpu", "user"],
  "preferred_username": "user1",
  "given_name": "user1_FirstName",
  "realm_access": {"roles": ["non-gpu", "user"]},
  "uidNumber": "7777",
  "name": "user1_FirstName user1_LastName",
  "gidNumber": "7777",
  "family_name": "user1_LastName",
  "email": "user1@example.com"
}

The license server logs an entry similar to the following:

21:52:53 (MLM) OUT: "MATLAB" user1@mathworks-matlab-pool-7b775bc559-ct2vv 

Additionally, the MATLAB Online Server user interface displays "user1" as the username.

If other attributes passed as claims from the IdP must appear in the license server logs and the MATLAB Online Server user interface, update the mapping. For example, suppose you use randomAttribute instead of preferred_username for the license log entry, and name for the username in the user interface.

identityProviders:
  - id: oauth
    type: oauth
    clientId: ex-realm-oidc
    authorizationLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/auth
    tokenLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/token
    graphLocation: https://ex-keycloak.matlabonlineserver.com/realms/ex-realm/protocol/openid-connect/userinfo
    scopes: "openid,profile,roles"
    subjectAttributeMapping:
      subjectId: "randomAttribute"
      displayName: "name"
      groups: "groups"
      extra:
        email: "email"

The license server log contains an entry similar to the following:

21:52:53 (MLM) OUT: "MATLAB" user1RandomAttribute@mathworks-matlab-pool-7b775bc559-ct2vv 

The MATLAB Online Server user interface displays "user1_FirstName user1_LastName" as the username.

Because the groups field in the sample subjectAttributeMapping above maps to the groups claim returned by the IdP, the values of that claim determine which matlab-pool configurations the user can access. For example, the following setting in the associated matlab-pool.yaml file restricts that pool to users whose groups claim includes "gpu".

resourceDefinition:
  allowedGroups:
  - "gpu"
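The following Python applies the two subjectAttributeMapping blocks shown above to the sample userinfo response and checks the result against an allowedGroups list. It is an added example written from the field descriptions on this page, not the authnz service's code, and it assumes that an empty allowedGroups list imposes no group restriction.

```python
import json

# Constructed copy of the sample userinfo response above (whitespace added).
USERINFO_JSON = """{
  "sub": "269e67a3-877a-4525-9c88-fb8707ac7a93",
  "randomAttribute": "user1RandomAttribute",
  "email_verified": false,
  "groups": ["non-gpu", "user"],
  "preferred_username": "user1",
  "given_name": "user1_FirstName",
  "realm_access": {"roles": ["non-gpu", "user"]},
  "uidNumber": "7777",
  "name": "user1_FirstName user1_LastName",
  "gidNumber": "7777",
  "family_name": "user1_LastName",
  "email": "user1@example.com"
}"""

# The two subjectAttributeMapping blocks shown on this page.
MAPPING_USERNAME = {"subjectId": "preferred_username", "displayName": "preferred_username",
                    "groups": "groups", "extra": {"email": "email", "uid": "uidNumber", "gid": "gidNumber"}}
MAPPING_RANDOM = {"subjectId": "randomAttribute", "displayName": "name",
                  "groups": "groups", "extra": {"email": "email"}}


def load_claims() -> dict:
    """Parse the userinfo response, as the authnz service does after calling graphLocation."""
    return json.loads(USERINFO_JSON)


def map_subject(mapping: dict, claims: dict) -> dict:
    """Translate IdP claims into the subject record MATLAB Online Server uses.

    Raises ValueError where the rules above are broken: subjectId not mapped,
    a mapped claim the IdP did not return, or an extra entry left empty."""
    subject = {}
    for field in ("subjectId", "displayName", "groups"):
        key = mapping.get(field)
        if key:
            if key not in claims:
                raise ValueError(f"{field} maps to claim {key!r}, which the IdP did not return")
            subject[field] = claims[key]
    if "subjectId" not in subject:
        raise ValueError("subjectId must be mapped; it is the account identifier")
    groups = subject.get("groups", [])
    subject["groups"] = [groups] if isinstance(groups, str) else list(groups)
    extra = mapping.get("extra")
    if extra is not None:
        if not extra:
            raise ValueError("extra is empty: omit the section instead")
        subject["extra"] = {}
        for name, key in extra.items():
            if not key:
                raise ValueError(f"extra.{name} is empty: give it a value or remove it")
            if key not in claims:
                raise ValueError(f"extra.{name} maps to claim {key!r}, which the IdP did not return")
            subject["extra"][name] = claims[key]
    return subject


def license_checkout_user(subject: dict, pod_name: str) -> str:
    """user@host as it appears in the license server's MLM OUT line."""
    return f"{subject['subjectId']}@{pod_name}"


def pool_allows(subject: dict, allowed_groups: list) -> bool:
    """True when the subject is in at least one group listed in allowedGroups.
    Assumption: an empty allowedGroups list means the pool is unrestricted."""
    if not allowed_groups:
        return True
    return any(group in allowed_groups for group in subject["groups"])


if __name__ == "__main__":
    claims = load_claims()
    for mapping in (MAPPING_USERNAME, MAPPING_RANDOM):
        subject = map_subject(mapping, claims)
        print(license_checkout_user(subject, "mathworks-matlab-pool-7b775bc559-ct2vv"),
              subject["displayName"], pool_allows(subject, ["gpu"]))
```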

MSAL

The Microsoft® Security Authentication Library (MSAL) software package provides simplified configuration options for the OAuth 2.0 and OIDC authentication protocols. If you host the identity provider in Azure®, you can use this authentication method as a more streamlined alternative to the standard OAuth 2.0 and OIDC methods. If you want to delegate access to Azure storage resources in MATLAB Online Server, then you must use MSAL. For more details on Azure delegation, see Enable Access to Azure Storage Using Delegation.

Field | Default Value | Required or Optional | Description
clientId | "" | Required

Client ID value. Enclose the client ID in quotes.

tenantId | "" | Required

Tenant ID value. Enclose the tenant ID in quotes.

clientType | "confidential" | Optional

Type of OAuth 2.0 and OIDC client, specified as one of these values.

  • "confidential" (default) — Confidential client, which requires deploying your client secret as a Kubernetes secret on the server. You can obtain the client secret from your identity provider hosted in Azure.

  • "public" — Public client, which does not require deployment of a Kubernetes secret.

redirectPath | "/authnz/msal/code" | Optional

Specifies the path portion of the redirection endpoint described in https://datatracker.ietf.org/doc/html/rfc6749#page-18.

scopes | "https://graph.microsoft.com/.default" | Optional

Comma-separated list of scopes used to obtain login and user information. Do not insert a space after each comma.

useGroups | false | Optional

When set to true, the MATLAB Online Server authentication service expects the identity provider to return group membership in the ID token. You must configure your ID token to include groups. For more details, see Configure groups optional claims (Microsoft).

subjectAttributeMapping | {} | Required

Mapping from the keys in the OpenID Connect claims to the values needed by MATLAB Online Server.

Enclose each subjectAttributeMapping field value in quotes. Valid fields are as follows:

subjectAttributeMapping:
  displayName: "displayNameClaimKey"
  subjectId: "subjectIdClaimKey"
  groups: "groupsClaimKey"
  extra:
    email: "emailClaimKey"
    uid: "userIdClaimKey"
    gid: "groupIdClaimKey"

  • displayName — Claim key whose value is shown as the username in the MATLAB Online Server user interface.

  • subjectId — Default mapping field for the user account. This value comes from the OpenID Connect claims. This name is also used when checking out a license from the license server. Consequently, the license server log contains the value associated with this key in the claim.

  • groups — Defines the key used by the IdP to identify the values for what groups the user belongs to. You can use these values in the allowedGroups field of the matlab-pool YAML file to restrict MATLAB access to specific user groups.

  • extra — Customization fields relating to the network file system (NFS):

    • email — Email address of user

    • uid — Mapping to a UNIX user ID (UID)

    • gid — Mapping to a UNIX group ID (GID)

    Do not leave any field in the extra section empty. Either specify a value or remove the empty field. If your extra section is empty, omit the section entirely.

This authnz.yaml file shows a sample MSAL specification. Any attributes that use default values can be omitted.

identityProviders:
  - id: msal
    type: msal
    displayName: "msal"
    clientId: "<client ID>"
    tenantId: "<tenant ID>"
    clientType: "confidential"
    redirectPath: "/authnz/msal/code"
    scopes: "https://graph.microsoft.com/.default"
    useGroups: false
    subjectAttributeMapping:
      subjectId: "oid"
      displayName: "preferred_username"
      groups: "groups"
      extra: {}

LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol for managing user identities in a directory. Identity management for MATLAB Online Server can draw user information from the directory sources that you specify. The LDAP (ldap) identity provider type provides access control and tells MATLAB Online Server how to map directory attributes to the user information that MATLAB Online Server needs to manage these users.

For more about LDAP settings, visit https://ldap.com/.

The LDAP identity provider type requires extra properties, shown in the following table:

Field | Default Value | Required or Optional | Description
host | "" | Required

Specifies the host address for the LDAP, for example: "ldapserver.yourcompany.com".

port | "" | Required

Specifies the LDAP port at the host address, for example: "389" for regular LDAP and "636" for secure LDAP.

useStartTls | false | Optional

Specifies whether the connection to your LDAP server is upgraded to TLS with StartTLS.

You must add the trusted certificates to the MATLAB Online Server trust store. See Add Certificates to MATLAB Online Server Trust Store.

useSsl | false | Optional

Specifies whether the connection to your LDAP server uses SSL/TLS from the start (LDAPS).

You must add the trusted certificates to the MATLAB Online Server trust store. See Add Certificates to MATLAB Online Server Trust Store.

baseDn | "" | Required

Specifies the starting point for the search tree in your LDAP environment. For example: "dc=ldap,dc=yourcompany,dc=com"

filter | "" | Required

Specifies an LDAP search filter. Use the search filter to scan a subset of users from the LDAP database. This allows you to reduce the scope of the LDAP search and control which organizational user may access MATLAB Online Server.

  • You can leverage variable substitution to configure how the username is provided to LDAP, for example: "(CN={0})".

  • Specify the search filter as attribute=value, for example, CN=test* matches all users that have a common name (CN) attribute that starts with test.

  • Use parentheses to combine multiple filter expressions in an AND (&) or OR (|) clause. For example, "(&(CN={0})(department=foo))" matches the user with the supplied common name only if that user is in department foo.

The default search filter is objectClass=organizationalPerson.

For more information on search filters, see LDAP filters at https://ldap.com/ldap-filters.

adminDn | "" | Required

Specifies the administrator account used to establish the connection to the LDAP server, for example: "cn=readonly".

This account is used to query LDAP for the list of users. The account requires only read access to the directory and does not attempt to store information back into LDAP.

adminPassword | "" | Required

Specifies the administrator account password used to establish the connection to the LDAP server.

subjectAttributeMapping | {} | Required

Mapping from your LDAP attribute names to the values needed by MATLAB Online Server.

For example, your user’s first name might be stored as displayFirstName in the LDAP system.

To map this value in MATLAB Online Server set displayName: "displayFirstName".

Enclose each subjectAttributeMapping value in quotes. Valid fields are as follows:

subjectAttributeMapping:
  subjectId: "subject_id"
  displayName: "display_name"
  groups: "groups"
  extra:
    email: "email_address"
    uid: "uid_number"
    gid: "gid_number"

displayName is an optional attribute that controls what is displayed for the username in the upper-right corner of MATLAB Online Server.

The subjectId is the default mapping field for the user account, normally “cn”.

The extra fields are for additional customization relating to the network files system (NFS):

  • extra.uid — mapping to a UNIX user ID (UID)

Do not leave any field in the extra section empty. Either specify a value or remove the empty field. If your extra section is empty, omit the section entirely.

In YAML format:

identityProviders:
  - id: "ldap"
    type: "ldap"
    displayName: "LDAP"
    host: "ldap"
    port: 636
    useStartTls: true
    useSsl: true
    baseDn: "dc=matlabonlineserver,dc=mwcloudtest,dc=com"
    filter: "(uid={0})"
    adminDn: "cn=readonly,dc=matlabonlineserver,dc=mwcloudtest,dc=com"
    adminPassword: "readonly"
    subjectAttributeMapping:
      subjectId: "uid"
      displayName: "cn"
      groups: "groups"
      extra:
        uid: "uidNumber"
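The following Python, an added example rather than the authnz service's code, fills the {0} placeholder of a filter template such as "(uid={0})" or "(&(CN={0})(department=foo))" with a sign-in name after escaping the characters that RFC 4515 reserves, so that a name such as O'Brien, Pat (Lab) cannot change the structure of the filter sent to the directory. validate_filter_template is a hypothetical helper added here.

```python
# RFC 4515 section 3: these characters must appear as \XX inside an assertion value.
_MUST_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; non-ASCII characters become escaped UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[ch])
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
    return "".join(out)


def validate_filter_template(template: str) -> None:
    """Hypothetical sanity check: parentheses in the configured filter must balance."""
    depth = 0
    for ch in template:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            raise ValueError("filter closes a parenthesis before opening one")
    if depth != 0:
        raise ValueError("filter has unbalanced parentheses")


def render_filter(template: str, username: str) -> str:
    """The filter for one sign-in attempt: {0} replaced by the escaped name.

    A template without {0} (for example the default objectClass=organizationalPerson)
    is returned unchanged, because it does not select on the sign-in name."""
    validate_filter_template(template)
    return template.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sign-in names, including one with characters LDAP reserves.
    for name in ("user1", "O'Brien, Pat (Lab)", "Zoë"):
        print(render_filter("(&(CN={0})(department=foo))", name))
```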

Add Certificates to MATLAB Online Server Trust Store

When you use LDAPS or LDAP with StartTLS, you must add the certificates to the global trust store. The certificate presented by the LDAP server is validated against these trusted certificates when the secure connection is established.

You must add the certificate information, shown in the following table, to authnz.yaml.

Field | Default Value | Required or Optional | Description
validateCertificate | true | Optional

The validateCertificate field enables certificate verification for the authnz service when it communicates with external identity providers.

For example, when LDAP is used with useSsl: true or useStartTls: true, the server certificate is verified when the secure connection is established.

If this field is set to false, the communication is still LDAPS, but the certificate verification is skipped.

trustedCertificates | "" | Optional

The server certificates required for communicating with the external identity providers must be provided to the authnz service using the trustedCertificates field.

For example, when LDAP is used with useSsl: true or useStartTls: true, the secure connection is validated against the server certificates provided in this field.

If the certificates are not provided, the LDAPS connection fails.

In YAML format:

global:
  tls:
    validateCertificate: true
    trustedCertificates: |
      -----BEGIN CERTIFICATE-----
      MIIC5DCCAk2gAwIBAgIUZhnmeMmayNSTcAI2hgyxQt6GotUwDQYJKoZIhvcNAQEL
      ...
      VA/d/fQ+yxUjlDBc6ly/OwVFtIr0QykE
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      BQAwgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGTmF0aWNr
      ...
      EdUg4pCYWUyFgGA/QCg4EniQEMN
      -----END CERTIFICATE-----

The certificates must be formatted using PEM. For details on PEM, see:

SAML

Security Assertion Markup Language (SAML) is used to communicate with an identity provider. The SAML configuration for MATLAB Online Server ensures that the identities used to control access to MATLAB Online Server are managed by the Enterprise Identity Provider.

For more information about SAML settings, see https://wiki.oasis-open.org/security/.

The SAML identity provider type has extra properties, as shown in the following table:

Field | Default Value | Required or Optional | Description
authRequestBinding | "POST" | Optional

Binding method used for sending authentication requests to the Identity Provider, specified as "POST" (HTTP POST) or "Redirect" (HTTP Redirect).

The HTTP Redirect method sends request data as query parameters in the URL, whereas HTTP POST method sends data more securely in the request body.

assertionConsumerPath | "/authnz/saml/code" | Optional

The assertion consumer service (ACS) endpoint is a location where the SSO tokens are sent. ACS is applicable to all SAML versions and both the IdP-initiated and SP-initiated SSO profiles.

corsAllowOriginDomain | "" | Required

The fully qualified domain name of the server that communicates with MATLAB Online Server, for example, samlintegrationhost.yourcompanydomain.com.

relyingPartyId | "" | Required

The hostname for the server that integrates with the SAML Identity Provider. This value is typically the hostname of the DNS entry for your MATLAB Online Server Kubernetes cluster, but depending on the integration product or service being used to expose the Identity Provider via the SAML system, this value can also be an arbitrary identifier.

subjectAttributeMapping | {} | Required

The subject attribute mapping lets you set values for the user attributes that map to your organizational SAML assertion values.

For example, your user’s first name might be stored as displayFirstName in the SAML system.

To map this in MATLAB Online Server, set displayName: "displayFirstName".

Enclose each subjectAttributeMapping field value in quotes. Valid fields are as follows:

subjectAttributeMapping:
  subjectId: "<subject_id>"
  displayName: "<display_name>"
  groups: "<groups>"
  extra:
    email: "<email_address>"
    uid: "<uid_number>"
    gid: "<gid_number>"

displayName is an optional attribute that controls what is displayed for the user name in the upper-right corner of MATLAB Online Server.

subjectId is the default mapping field for the user account. This value comes from the SAML assertions sent as part of a successful login.

groups is an optional attribute that defines what groups the user belongs to.

extra contains customization fields relating to the network file system (NFS):

  • email — Email address of user

  • uid — the mapping to a Unix user ID (UID)

  • gid — the mapping to a Unix group ID (GID)

Do not leave any field in the extra section empty. Either specify a value or remove the empty field. If your extra section is empty, omit the section entirely.

supportIdpInitiated | false | Optional

Set this field to true to enable the use of an IdP-initiated workflow for accessing applications hosted on MATLAB Online Server.

In an IdP-initiated workflow, users sign in directly to their organization's IdP using their SSO credentials. The IdP then authenticates users and redirects them to their organization's application portal, from which they can select the applications they have access to (for example, MATLAB Online™).

To enable IdP-initiated workflows, follow these steps:

  1. On your IdP server, set the default relay state parameter. This parameter specifies the application (for example, MATLAB Online) that the IdP redirects users to after they select it from their organization's application portal. The exact name of the default relay state parameter varies by IdP vendor, for example, "IDP Initiated SSO Relay State" or "Default Relay State". Specify the parameter using this format:

    idpIssuerName|idpRedirectUrl

    • idpIssuerName is the name you want to use to identify the IdP issuer on the network. You can specify idpIssuerName as an arbitrary string or include IdP issuer information, such as the issuer URL, in this name. This string does not have to be unique. You can reuse an IdP issuer name specified in other applications.

    • idpRedirectUrl is the endpoint of the application that the IdP redirects users to.

    Examples:

    http://www.okta.com/PBtz21eR9DUkTAz8cQsD|https://mos.example.com/matlabonline
    mos-client-idp|https://mos.example.com/matlabonline

  2. In MATLAB Online Server, in the authnz.yaml file:

    1. Set supportIdpInitiated to true.

    2. Set idpIssuer to the value of the idpIssuerName part of the default relay state parameter.

Omit this field or set it to false to initiate authentication of a user's SSO credentials through the service provider (SP), which in this case is MATLAB Online Server. In an SP-initiated workflow, users sign in directly to MATLAB Online, and the server connects to the identity provider to authenticate the credentials of the user.

idpIssuer | "" | Optional (Required if supportIdpInitiated is true)

IdP issuer used to authenticate users in IdP-initiated workflows. This field uniquely identifies the IdP issuer on the network, enabling MATLAB Online Server to connect to it. Set idpIssuer to the idpIssuerName part of the default relay state parameter specified on the IdP server. For more details, see the supportIdpInitiated field.

Examples:

idpIssuer: "http://www.okta.com/PBtz21eR9DUkTAz8cQsD"
idpIssuer: "mos-client-idp"

This field applies only when supportIdpInitiated is set to true.

idpMetadataUrl | "" | Optional (You must specify either idpMetadataUrl or idpMetadataXml, but not both)

URL to the required SAML metadata for SP-initiated or IdP-initiated profiles.

idpMetadataXml | "" | Optional (You must specify either idpMetadataUrl or idpMetadataXml, but not both)

The value of idpMetadataXml is a block of XML that is exported by the SAML Identity Provider. You can paste the exported XML into this field, but the field must be properly formatted YAML. Otherwise, mosadm is unable to deploy the AuthNZ details.

Depending on the integration product or service being used to expose the Identity Provider via SAML, there might be newline characters. Delete those newline characters from the metadata XML before pasting the code into authnz.yaml.

In YAML format:

identityProviders:
  - id: "saml"
    type: "saml"
    assertionConsumerPath: "/service/assertionConsumer"
    corsAllowOriginDomain: "samlintegrationhost.yourcompanydomain.com"
    relyingPartyId: "matlab.domain.com"
    idpMetadataXml: |
        <xml content/>
    subjectAttributeMapping:
      displayName: "name"
      subjectId: "myNameId"
      groups: "groups"
      extra: 
        email: "email"
        uid: "uidNumber"
        gid: "gidNumber"
    supportIdpInitiated: true
    idpIssuer: "idp-issuer-name"
    idpMetadataUrl: "https://<IdP metadata>"

This code specifies both idpMetadataUrl and idpMetadataXml for illustrative purposes. For your YAML file, specify only one or the other of these fields.

If your MATLAB end users access AWS® storage resources such as Amazon S3™, you can specify additional fields to delegate access to AWS. With delegated access enabled, MATLAB end users can log in with their single sign-on credentials and do not have to provide a separate login to access these resources. For more details on enabling delegated access to AWS resources, see Enable Access to AWS Storage Using Delegation.
