SAML Authentication in MATLAB Online Server
In MATLAB® Online Server™, you can configure authentication using a Security Assertion Markup Language (SAML) identity provider (IdP). For details about SAML, see the OASIS SAML Wiki.
Prerequisites
MATLAB Online Server is installed. See Installation.
Your organization's IdP follows the SAML protocol.
You have access to your IdP. To obtain access, contact your identity management administrator.
You are familiar with the MATLAB Online Server authentication workflow. See Configure User Authentication in MATLAB Online Server.
Open Configuration File
In a plain-text editor, open the authnz.yaml
file, which configures
information about your IdP.
<server-root>/overrides/<cluster-name>/<namespace-name>/authnz.yaml
<server-root>
is the MATLAB Online Server installation folder.<cluster-name>
is the name of the Kubernetes® cluster.<namespace-name>
is the namespace of the MATLAB Online Server deployment.
Sample path:
~/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yaml
Remove Local Accounts
If your configuration still includes local accounts (type: "local"
), remove
them from the authnz.yaml
file or comment them out. For example:
identityProviders: # - id: "local" # type: "local" # accounts: # - subjectId: "admin" # displayName: "admin" # password: "password" # extra: {} |
Security Considerations: Local user accounts are for testing purposes only and do not meet production security standards. Deploying them to production is not recommended.
Configure Identity Provider
In the identityProviders
section, add the following structure and
update the fields with information from your IdP. Commented-out fields are optional.
Fields with values in angle brackets (<>
) have no defaults.
identityProviders: - id: "<display name used identify IdP on server>" type: "saml" # authRequestBinding: "POST" # assertionConsumerPath: "/authnz/saml/code" corsAllowOriginDomain: "<fully qualified domain name of server>" relyingPartyId: "<server hostname>" # supportIdPInitiated: false # idpIssuer: "<IdP issuer name>" # required if supportIdPInitiated is true # idpMetadataUrl: "<https://IdP/metadata>" # Required if idpMetadataXml is not specified # idpMetadataXml: | # Required if idpMetadataUrl is not specified # <xml content/> # delegation: # aws: # <AWS delegation configuration fields> # subjectAttributeMapping: # subjectId: "<IdP username attribute>" # displayName: "<IdP display name attribute>" # groups: "<IdP user group attribute>" # extra: # email: "<IdP user email attribute>" # uid: "<IdP UNIX user ID attribute>" # gid: "<IdP UNIX group ID attribute>" |
Field | Default Value | Required or Optional | Description |
---|---|---|---|
id | "" | Required | Display name that identifies the IdP in MATLAB Online Server microservices and log files. |
type | "saml" | Required | Type of IdP. To configure local user accounts, you must set
|
authRequestBinding | "POST" | Optional | Binding method for sending authentication requests to the
identity provider, specified as The HTTP Redirect method sends request data as query parameters in the URL, whereas the HTTP POST method sends data more securely in the request body. |
assertionConsumerPath | "/authnz/saml/code" | Optional | Assertion consumer service (ACS) endpoint where MATLAB Online Server sends the SSO tokens. ACS is applicable to all SAML versions and both the IdP-initiated and service-provider-initiated SSO profiles. |
corsAllowOriginDomain | "" | Required | Fully qualified domain name of the server that communicates with MATLAB Online Server. Example:
|
relyingPartyId | "" | Required | Hostname of the server that integrates with the SAML identity provider. This value is typically the hostname of the DNS entry for your MATLAB Online Server Kubernetes cluster. However, depending on the integration product or service being used to expose the identity provider via the SAML system, this value can also be an arbitrary identifier. |
supportIdpInitiated | false | Optional | Set this field to In an IdP-initiated workflow, users sign in directly to their organization's IdP using their SSO credentials. The IdP then authenticates users and redirects them to their organization's application portal, from which they can select the applications they have access to (for example, MATLAB Online™). To enable IdP-initiated workflows, follows these steps:
Omit this field or set it to
|
idpIssuer | "" | Optional (Required if
| IdP issuer used to authenticate users in IdP-initiated
workflows. This field uniquely identifies the IdP issuer on the
network, enabling MATLAB
Online Server to connect to it. Set Examples: idpIssuer: "http://www.okta.com/PBtz21eR9DUkTAz8cQsD" idpIssuer: "mos-client-idp" This
field applies only when |
idpMetadataUrl | "" | Optional (You must specify either
| URL to the required SAML metadata for SP-initiated or IdP-initiated profiles. |
idpMetadataXml | "" | Optional (You must specify either
| Block of XML that the SAML IdP exports. You can paste the
exported XML into this field, but the field must be properly
formatted YAML. Otherwise, Depending
on the integration product or service that you are using to expose
the IdP through SAML, the XML might contain newline characters.
Delete those newline characters before pasting the XML into
|
delegation | "" | Optional | Give MATLAB Online Server delegated access to the cloud storage accounts of users. When you enable delegation, the server acquires the credentials that users need to access their cloud storage so their data is available to them as soon as they sign in to MATLAB Online. SAML supports delegation for this cloud platform service: AWS® delegation: aws: <AWS delegation configuration fields> For details on configuring AWS delegation, see Enable Access to Google Cloud Platform Storage Using Delegation. |
subjectAttributeMapping | {} | Optional | Map of user-related attributes from your IdP to the corresponding YAML fields in MATLAB Online Server. The server uses these fields to look up information about the user for use across services on the cluster. Valid fields are as follows. Enclose each
subjectAttributeMapping: subjectId: "<IdP username attribute>" displayName: "<IdP display name attribute>" groups: "<IdP user group attribute>" extra: email: "<IdP user email attribute>" uid: "<IdP UNIX user ID attribute>" gid: "<IdP UNIX group ID attribute>"
|
Sample Configuration
identityProviders: - id: "saml" type: "saml" assertionConsumerPath: "/service/assertionConsumer" corsAllowOriginDomain: "samlintegrationhost.yourcompanydomain.com" relyingPartyId: "matlab.domain.com" supportIdpInitiated: true idpIssuer: "idp-issuer-name" idpMetadataUrl: "https://<IdP metadata>" subjectAttributeMapping: displayName: "name" subjectId: "myNameId" groups: "groups" extra: email: "email" uid: "uidNumber" gid: "gidNumber" |
Deploy Configuration
To deploy your changes to the server, redeploy the authnz
service. From the MATLAB
Online Server root folder, run these commands.
./mosadm undeploy authnz
./mosadm deploy authnz
If your IdP configures single sign-on (SSO), your users can now sign in to MATLAB Online using their SSO credentials.
If you are configuring multiple IdPs, the server uses the first IdP listed in the
identityProviders
section as the default IdP. To authenticate users
with a nondefault IdP, in the MATLAB
Online URL you give to users, include an IdPId
query parameter
that specifies the ID value of the IdP. For example:
https://<domain-base>/matlabonline?idpId=<id>
where <domain-base>
is the value of the DOMAIN_BASE
property in your install.config
file. For
more information, see Configure Multiple Identity Providers.
Related Topics
- Configure User Authentication in MATLAB Online Server
- Configure Group-Based Authorization in MATLAB Online Server
- Configure File Storage for Users in MATLAB Online Server
- Enable Access to AWS Storage Using Delegation