All versions of this manual
X
Welcome to Linkurious administration manual v4.0.27. Use the menu to access other documentations.
  1. Introduction
  2. FAQ
  3. Getting started
    1. Version support policy
    2. Release notes
    3. Client requirements
    4. Graph DB Feature Map
  4. Deploying on premise
    1. Technical requirements
    2. Downloading
    3. Installing
    4. Starting Linkurious
    5. Stopping Linkurious
  5. Configuring
  6. Troubleshooting
    1. Checking Linkurious status
    2. Reading the logs
    3. Getting support
    4. Managing licenses
    5. Vulnerabilities
  7. Importing graph data
    1. Neo4j
    2. Memgraph
    3. Amazon Neptune
    4. Cosmos DB
    5. Updating your graph data
  8. Updating Linkurious
    1. Checking for updates
    2. Backing up your data
    3. Update procedure
  9. Configuring data-sources
    1. Neo4j
    2. Amazon Neptune
    3. Memgraph
    4. Cosmos DB
    5. Alternative IDs
    6. Merging data-sources
    7. Advanced settings
  10. Resource management
    1. Managing spaces
  11. Search index
    1. Search Option Comparison
    2. Neo4j Search
    3. Elasticsearch
    4. OpenSearch for Amazon Neptune
    5. Azure Search
    6. Incremental Indexing
    7. Numerical/Date search
  12. User-data store
    1. Migrating to an external database
    2. Backing-up your store
  13. Web server
  14. Authentication
    1. Getting started
    2. LDAP / Active Directory
    3. SSO with Azure AD
    4. SSO with Google
    5. SSO with OpenID Connect
    6. SSO with SAML2 / ADFS
    7. Configuration
  15. Access control
    1. Managing users
    2. Managing groups
    3. Standard access-rights
    4. Property-key access-rights
  16. Guest mode
    1. Guest mode
  17. Data Schema
    1. Property types
    2. Hiding data
    3. Strict mode
  18. Alerts
    1. Configuration
  19. Email Notifications
    1. Configuration
  20. Visualizations appearance
    1. Default styles
    2. Default captions
    3. Default properties order
    4. Geographic tiles
  21. Audit trail
    1. Log format
  22. Webhooks
  23. Observability
  24. Plugins
  25. Deep link
 

Authentication: SSO with SAML2 / ADFS

Linkurious Enterprise supports any SAML2 compatible provider as external authentication providers.

Configuration

To set up Linkurious Enterprise authentication with a SAML2 provider, you need to obtain the following parameters from the provider:

  • url: The URL of the SAML2 endpoint of the identity provider (e.g. "https://example.com/adfs/ls"`),
  • identityProviderCertificate: The certificate of the identity provider in PEM format (e.g. "/Users/example/linkurious/samlIdentityProvider.pem")
  • groupAttribute (optional): The attribute in which the groups of the users is stored (e.g. "Groups")
  • emailAttribute (optional): The attribute in which the email of the users is stored

groupAttribute is the attribute of the SAML response containing the array of groups a user belongs to.

emailAttribute is the attribute of the SAML response that should contain the email address if the NameID format of the SAML response is not already an email.

Example access.saml2 configuration with any SAML2 provider:

"access": {
  // [...]
  "saml2": {
    "enabled": true,
    "url": "https://example.com/adfs/ls",
    "identityProviderCertificate": "/Users/example/linkurious/saml.pem",
    "groupAttribute": "Groups"
  },
}

Assertion consumer service

To complete the login process, you need to configure your identity provider to return the SAML response to Linkurious Enterprise at the following URL: http(s)://HOST:PORT/api/auth/sso/return.

Please note that encrypted assertions are not supported by Linkurious Enterprise.

ADFS Configuration

In particular, ADFS (Active Directory Federation Services) is a SAML2 provider that offers Single-Sign-On towards an Active Directory service, see more on Microsoft documentation.

To set up Linkurious Enterprise authentication with ADFS, Linkurious Enterprise has to be configured as a Relying Party Trust in ADFS (see how to configure the ADFS on the Microsoft documentation).

To set up group mapping, the list of groups associated to a user should be passed in the SAML2 response. See how to configure a claim for the groups on the Microsoft documentation.