SAML/SSO Authentication - LiveWire - 25.3.0

LiveWire 25.3.0 New Features

Locale: en-US
Product name: LiveWire
Version: 25.3.0

Single Sign On (SSO) via SAML2 is now available on LiveWire. This feature is only supported on Linux.



All LiveWires have a new “Single Sign On” option on their login screen. If SSO is configured, the user will be redirected to sign in with their IDP (Okta, Keycloak, OneLogin, etc). After successful authentication with the IDP, the browser redirects back to LiveWire, where the user is logged into the application.

When the SSO user logs out, first they are logged out of LiveWire, then the user is redirected to their IDP to log out.

LiveWire Configuration

SSO can be enabled in the engine settings.

There are two main sections: Identity Provider Settings and Service Provider Settings.

Identity Provider (IDP) Settings

Entity ID, Log In URL, Log Out URL, and the x509 Certificate can easily be found in your IDP.

The LiveWire Group Key Attribute defines the name of the SAML attribute in which the IDP must send the list of groups the user belongs to. This is used when LiveWire ACL is enabled.

For example, if a user is a member of several groups such as “lw_admin”, “offline_access” and “manage-account”, the IDP sends all of those groups within that one attribute. Administrators are free to name the group key attribute however they want (similar to LiveNX). These groups are then used to define what privileges the SSO user has on LiveWire.

The IDP settings are syncable via Engine Configuration Sync and Grid when syncing “Engine Settings”.

Service Provider (SP) Settings

The Entity ID identifies this LiveWire and, according to the SAML standard, must be formed as a URI. The user is able to modify the Entity ID.

After authenticating with the IDP, the user is sent to the ACS URL, where authentication takes place with the LiveWire engine.

The SLS URL is where the user is redirected to after logging out of the IDP.

ACS and SLS URLs are not configurable in the UI and should not be changed. All settings can be modified at your own risk within /etc/omni/engineconfig.xml.

The SP settings are not syncable via Engine Configuration Sync since they should be unique to each LiveWire.

ACL Settings

If SSO and LiveWire Access Control are enabled at the same time, SSO users must be part of a group. The group names can be added under each role, as shown below:



When you click the gear icon to configure groups, you may notice that “Validate” is grayed out for any added groups. This is the case when other forms of third-party authentication are disabled but SSO is enabled. There is no way to verify whether an SSO group is valid, therefore the option is disabled.



General Guidelines for IDP Configuration

We use the name_id for the username, so we recommend setting the name_id format to “email”.

Important: When sending a list of groups, be sure that all of the groups are sent under a single attribute. For example, Keycloak allows sending each group under its own group key attribute; that is an illegal format and will not be parsed by LiveWire.

Example of turning on “Single Role Attribute” on the Keycloak IDP
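The following is an added example, not LiveWire's own code, showing how a service provider reads the two pieces of an assertion this page relies on: the NameID used as the username (with the recommended “email” format) and the group list carried by the configured Group Key Attribute, rejecting the one-group-per-attribute shape the guideline above warns about. The two assertions, the `groups` attribute name, the role-to-group map and the `AssertionFormatError` class are all constructed for this example; LiveWire's actual parser and role names are not documented here. Signature and audience checks are deliberately out of scope and must happen before any of these fields are trusted in a real SP.

```python
"""Added example (not LiveWire code): pull username and groups from a SAML 2.0 assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# NameID format the page recommends ("email") as the IDP exposes it in SAML.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: all groups as values of ONE attribute named "groups".
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>lw_admin</saml:AttributeValue>
      <saml:AttributeValue>offline_access</saml:AttributeValue>
      <saml:AttributeValue>manage-account</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the shape the guideline rejects: one attribute per group.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>lw_admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed role map standing in for the ACL "group names under each role" setting.
ROLE_GROUPS = {"admin": {"lw_admin"}, "viewer": {"lw_viewer", "offline_access"}}


class AssertionFormatError(ValueError):
    """Raised when the assertion does not carry NameID or groups in the expected shape."""


def extract_name_id(root):
    """Return (value, format) of Subject/NameID; the value becomes the username."""
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise AssertionFormatError("assertion has no Subject/NameID")
    return name_id.text.strip(), name_id.get("Format", "")


def extract_groups(root, group_key):
    """Return the groups listed under the single attribute named group_key.

    Every group must be an AttributeValue of ONE Attribute element. If the IDP sent
    several Attribute elements with that name (one group each), the assertion is
    rejected instead of silently keeping only the first group.
    """
    matches = [a for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
               if a.get("Name") == group_key]
    if not matches:
        raise AssertionFormatError(f"no attribute named {group_key!r} in assertion")
    if len(matches) > 1:
        raise AssertionFormatError(
            f"{len(matches)} attributes named {group_key!r}: groups must be sent as "
            "multiple values under a single attribute")
    return [v.text.strip() for v in matches[0].iterfind("saml:AttributeValue", NS)
            if v.text and v.text.strip()]


def parse_assertion(xml_text, group_key):
    """Parse an (already signature-verified) assertion into username + groups."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionFormatError("root element is not a saml:Assertion")
    username, fmt = extract_name_id(root)
    return {
        "username": username,
        "name_id_is_email": fmt == NAMEID_EMAIL,  # False means the IDP ignored the recommendation
        "groups": extract_groups(root, group_key),
    }


def groups_well_formed(xml_text, group_key):
    """True when the assertion carries its groups in the single-attribute shape."""
    try:
        parse_assertion(xml_text, group_key)
        return True
    except AssertionFormatError:
        return False


def roles_for_user(groups, role_groups):
    """Roles whose configured group list overlaps the user's IDP groups (sorted)."""
    user_groups = set(groups)
    return sorted(role for role, allowed in role_groups.items() if user_groups & allowed)


if __name__ == "__main__":
    info = parse_assertion(GOOD_ASSERTION, "groups")
    print(info, roles_for_user(info["groups"], ROLE_GROUPS))
    print("keycloak per-group attributes accepted:", groups_well_formed(BAD_ASSERTION, "groups"))
```

Run it as a script to see the parsed username, group list and resolved roles for the well-formed assertion, followed by `False` for the per-group-attribute variant. The check in `extract_groups` is the operational point: an SP that quietly took the first matching attribute would grant a Keycloak user only the first of their groups, which is the kind of silent privilege mismatch the “Single Role Attribute” setting is there to avoid.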