Authentication via SAML 2.0
Applies to: Kyvos Reporting
SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange user authentication and authorization data. You can configure Kyvos Reporting (service provider) to use an external identity provider (IdP) to authenticate users over SAML 2.0. No user credentials are stored with Kyvos Reporting, and using SAML enables you to add Kyvos Reporting to your organization’s single sign-on environment.
Prerequisites
To enable single logout, configure Kyvos Reporting in SSL mode.
Make the following configuration changes.
Add the CookieProcessor tag to context.xml (located in the <Kyvos Reporting Install Root>/Jakarta/conf folder):

    <Context>
        <!-- Default set of monitored resources. If one of these changes, the -->
        <!-- web application will be reloaded. -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
        <!-- Uncomment this to disable session persistence across Tomcat restarts -->
        <!-- <Manager pathname="" /> -->
        <CookieProcessor sameSiteCookies="none" />
    </Context>

Add the secure tag to the cookie-config in web.xml (located in the <Kyvos Reporting Install Root>/Jakarta/conf folder):

    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
Kyvos Reporting should run in SSL mode.
Use a certificate issued by a trusted certificate authority in the Kyvos Reporting application. If the certificate or key store is not trusted, the Kyvos Reporting certificate file must be imported into the trust store of your application JVM.
Restart the server after making the above changes.
Note:
You must use Tomcat 9.0.28 or a higher version.
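The Tomcat edits above are easy to get subtly wrong (a stray curly quote, the secure flag left out, the element placed outside cookie-config), and the failure only shows up later as a broken logout. The following pre-flight check is an added example, not Kyvos code: it parses context.xml and web.xml and reports whether CookieProcessor sameSiteCookies="none" and both cookie flags are present. The two XML strings are constructed samples; check_install() reads the real files from the Jakarta/conf folder named on this page.

```python
"""Pre-flight check for the Tomcat settings required before SAML single logout
will work: CookieProcessor sameSiteCookies="none" in context.xml, and
<secure>/<http-only> set to true inside <cookie-config> in web.xml.
Added example (not Kyvos code); sample XML below is constructed."""
import os
import xml.etree.ElementTree as ET

# Constructed sample of context.xml after the CookieProcessor line has been added.
CONTEXT_XML_OK = """<Context>
  <!-- Default set of monitored resources. If one of these changes, the -->
  <!-- web application will be reloaded. -->
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <CookieProcessor sameSiteCookies="none" />
</Context>
"""

# Constructed sample of web.xml. Real files carry a default namespace,
# so the checks below compare local tag names only.
WEB_XML_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample with the secure flag missing.
WEB_XML_MISSING_SECURE = WEB_XML_OK.replace("<secure>true</secure>", "")


def _local(tag):
    """'{namespace}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]


def check_context_xml(text):
    """Return a list of problems with context.xml; an empty list means it is OK."""
    root = ET.fromstring(text)
    procs = [e for e in root.iter() if _local(e.tag) == "CookieProcessor"]
    if not procs:
        return ["context.xml: no <CookieProcessor> element"]
    if not any(p.get("sameSiteCookies") == "none" for p in procs):
        return ['context.xml: CookieProcessor lacks sameSiteCookies="none"']
    return []


def check_web_xml(text):
    """Return a list of problems with web.xml; an empty list means it is OK."""
    root = ET.fromstring(text)
    configs = [e for e in root.iter() if _local(e.tag) == "cookie-config"]
    if not configs:
        return ["web.xml: no <cookie-config> inside <session-config>"]
    found = {}
    for cfg in configs:
        for child in cfg:
            found[_local(child.tag)] = (child.text or "").strip().lower()
    return [f"web.xml: <{flag}> is not set to true"
            for flag in ("secure", "http-only") if found.get(flag) != "true"]


def check_all(context_text, web_text):
    """Combine both checks on in-memory XML text."""
    return check_context_xml(context_text) + check_web_xml(web_text)


def check_install(install_root):
    """Run the checks against <install_root>/Jakarta/conf, the folder named on this page."""
    conf = os.path.join(install_root, "Jakarta", "conf")
    with open(os.path.join(conf, "context.xml"), encoding="utf-8") as f:
        context_text = f.read()
    with open(os.path.join(conf, "web.xml"), encoding="utf-8") as f:
        web_text = f.read()
    return check_all(context_text, web_text)


if __name__ == "__main__":
    for label, web in (("good", WEB_XML_OK), ("missing secure", WEB_XML_MISSING_SECURE)):
        print(label, "->", check_all(CONTEXT_XML_OK, web) or "OK")
```

Run it before restarting the server; an empty list from check_install() means both files carry the settings this page asks for. Note that sameSiteCookies="none" is only safe because the secure flag is also set: browsers reject SameSite=None cookies that are not marked Secure, which is why the two edits go together.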
Configuring SAML
You can configure SAML 2.0 while creating an organization.
Under Authentication is Performed by, select External Application.
To configure SAML 2.0, enter the following details:
Property | Description |
External Authenticator | Select SAML 2.0 to authenticate users from a third-party identity provider (IdP) such as OKTA |
Service Provider Settings
Property | Description |
Single Sign-on Return URL | Enter the Assertion Consumer Service (ACS) URL to which users are redirected after a successful login. This is a Kyvos Reporting (service provider) URL, usually in the format http://<host/IP>:<port>/<webapp_name>/Acs?IDP=<Identity Provider Name>. E.g., http://localhost:8080/kyvos reporting/Acs?IDP=Custom |
Service Provider Issuer | Enter the URL that helps the Identity Provider (IdP) identify your Kyvos Reporting instance. This is a Kyvos Reporting URL (sometimes called "Issuer ID" or "Entity ID"), usually in the format http://<host/IP>:<port>/<webapp_name>. E.g., http://localhost:8080/Kyvos Reporting |
Service Provider Logout URL | Enter the URL to which the IdP sends the SAML logout response. This is a Kyvos Reporting URL, usually in the format http://<host/IP>:<port>/<webapp_name>/Slo |
X.509 Certificate (Optional) | Copy and paste the PEM-encoded X.509 certificate file content so that the IdP can establish trust in Kyvos Reporting. You can generate this certificate using your third-party certificate authority. This field is optional. |
Service Provider Key File (Optional) | Copy and paste the RSA or DSA private key file content to encrypt the connection between the IdP and Kyvos Reporting. You can generate this key using your third-party certificate authority. This field is optional. |
Service Provider Metadata | Download the XML file that you can upload to the IdP to automate the configuration process. |
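The metadata download in the last row packages the other fields of this table into the standard SAML 2.0 SP metadata format. The example below is added here and is not the Kyvos download itself: it shows which metadata elements the Service Provider Issuer (entityID), Single Sign-on Return URL (AssertionConsumerService), Service Provider Logout URL (SingleLogoutService) and X.509 Certificate (KeyDescriptor) populate, and checks that every SP URL is HTTPS as the notes on this page require. The host names, the certificate body, the HTTP-POST/HTTP-Redirect bindings and the emailAddress NameID format are assumptions chosen for illustration.

```python
"""Build SAML 2.0 SP metadata from the Service Provider settings described above.
Added example, not Kyvos code: URLs, certificate and bindings are constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample values following the URL formats given in the table.
SP_SETTINGS = {
    "entity_id": "https://reports.example.com:8443/kyvosreporting",
    "acs_url": "https://reports.example.com:8443/kyvosreporting/Acs?IDP=Custom",
    "slo_url": "https://reports.example.com:8443/kyvosreporting/Slo",
    # Placeholder PEM; a real one carries the base64 DER between the markers.
    "x509_pem": "-----BEGIN CERTIFICATE-----\nMIIBexampleONLY\n-----END CERTIFICATE-----\n",
}


def pem_body(pem):
    """Return the base64 payload of a PEM block without markers or newlines."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def check_sp_urls(settings):
    """Return the names of SP URLs that are not HTTPS (this page requires HTTPS mode)."""
    return [k for k in ("entity_id", "acs_url", "slo_url")
            if not settings[k].lower().startswith("https://")]


def build_sp_metadata(settings):
    """Return SP metadata XML as bytes; only the public certificate goes in, never the key."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=settings["entity_id"])
    # WantAssertionsSigned="true" is an assumption: the SP should insist on signed assertions.
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       WantAssertionsSigned="true")
    if settings.get("x509_pem"):
        # The optional X.509 Certificate field lets the IdP verify what the SP signs.
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use="signing")
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_body(settings["x509_pem"])
    # Schema order inside SPSSODescriptor: KeyDescriptor, SingleLogoutService,
    # NameIDFormat, AssertionConsumerService.
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService",
                  Binding=REDIRECT_BINDING, Location=settings["slo_url"])
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = EMAIL_NAMEID
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=POST_BINDING, Location=settings["acs_url"],
                  index="0", isDefault="true")
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)


def parse_sp_metadata(xml_bytes):
    """Read back the fields an IdP would take from the metadata."""
    root = ET.fromstring(xml_bytes)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    slo = root.find(f".//{{{MD_NS}}}SingleLogoutService")
    cert = root.find(f".//{{{DS_NS}}}X509Certificate")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location") if acs is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        "cert": cert.text if cert is not None else None,
    }


if __name__ == "__main__":
    print("non-HTTPS URLs:", check_sp_urls(SP_SETTINGS) or "none")
    print(build_sp_metadata(SP_SETTINGS).decode())
```

The Service Provider Key File from the table never appears in metadata: the IdP only needs the certificate to verify signatures, and the private key stays on the Kyvos Reporting server. If check_sp_urls() reports anything, fix the SSL setup before uploading the metadata, because an IdP configured with http:// endpoints will send assertions to them.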
Identity Provider Settings
Property | Description |
Identity Provider | Select the external Identity Provider (IdP) to authenticate users over SAML 2.0, such as Onelogin, OKTA, and more. |
Identity Provider Name | Enter a name to identify the custom IdP. It can be any user-defined name. You need to fill this in when you select ‘Identity Provider’ as ‘Custom.’ |
Identity Provider Issuer | Enter the unique identifier to make the SAML Request. It is provided by the IdP (sometimes as “Issuer ID” or “Entity ID”) and is usually in the format of a URL. |
Single Sign-on URL | Enter the URL where Kyvos Reporting would redirect the users to sign in to the IdP service. The URL is provided by the IdP. |
External Authentication Sign-out URL (Optional) | Enter the URL that Kyvos Reporting would call after users sign out. The URL is provided by the IdP. |
X.509 Certificate File (for IdP) | Copy and paste the PEM encoded x509 certificate file content to establish the trust of the IdP by Kyvos Reporting. You can generate this certificate with the help of your IdP service or using your third-party certificate authority. |
Note:
You need to run Kyvos Reporting in HTTPS mode to avoid any conflict with the IdP's SSL certificate.
You can enable SSO authentication with a single IdP only.
The values you enter to configure SAML 2.0 are case sensitive.
User Mapping
User mapping must be performed for the login process to work end to end. For example, if you have a user in the identity provider OKTA, the corresponding user in Kyvos Reporting must be mapped to that user in the OKTA application. For example, if the OKTA account has the email ID Admin@KyvosReporting.com, then the Kyvos Reporting user Admin should be mapped to Admin@KyvosReporting.com.
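The paragraph above describes the mapping in words; the following added example (not Kyvos code) shows the same mapping applied to a constructed, unsigned SAML assertion: the assertion's Issuer must equal the configured Identity Provider Issuer from the table above, the NameID is expected in email form, and the local part is matched against the Kyvos user list exactly, since this page states that configured values are case sensitive. Signature and validity-window checks are assumed to be done by the SAML library before this step and are not repeated here; the issuer URL, assertion ID and user names are constructed.

```python
"""Map a SAML assertion subject to a local user, as the User Mapping section describes.
Added example, not Kyvos code: the assertion, issuer and user list are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed value standing in for the 'Identity Provider Issuer' field.
CONFIGURED_IDP_ISSUER = "https://idp.example.com/saml/issuer"

# Constructed local user directory (the Kyvos Reporting side of the mapping).
LOCAL_USERS = {"Admin", "analyst1"}

# Constructed, unsigned assertion fragment for demonstration only.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed_id_1"
    Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>{CONFIGURED_IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">Admin@KyvosReporting.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


class MappingError(ValueError):
    """Raised when an assertion cannot be mapped to exactly one local user."""


def map_assertion_to_local_user(assertion_xml, expected_issuer, local_users):
    """Return the local user name for the assertion, or raise MappingError."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    # Only one IdP can be enabled, so anything else is rejected outright.
    if issuer != expected_issuer:
        raise MappingError(f"unexpected issuer {issuer!r}")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise MappingError("assertion has no NameID")
    if name_id.get("Format") != EMAIL_FORMAT:
        raise MappingError(f"unsupported NameID format {name_id.get('Format')!r}")
    email = name_id.text.strip()
    # Admin@KyvosReporting.com -> Admin, compared exactly (no case folding).
    local_part = email.split("@", 1)[0]
    if local_part not in local_users:
        raise MappingError(f"no local user mapped for {email!r}")
    return local_part


if __name__ == "__main__":
    print(map_assertion_to_local_user(ASSERTION, CONFIGURED_IDP_ISSUER, LOCAL_USERS))
```

Because matching is exact, a user provisioned in the IdP as admin@KyvosReporting.com does not log in as the local Admin; either the IdP value or the Kyvos user name has to be corrected rather than relying on case-insensitive matching, which would let two differently-cased IdP identities collapse onto one local account.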
Copyright Kyvos, Inc. 2025. All rights reserved.