notice
This is documentation for Rasa X/Enterprise Documentation v1.3.x, which is no longer actively maintained.
For up-to-date documentation, see the latest version (1.4.x).
Single Sign-on
You can configure Rasa Enterprise to use single sign-on (SSO). When a user first signs in, they will be prompted to create a username. New users will be assigned the default role. You can customize the SAML default role by marking one of your roles to be the default role ("Admin" -> "Manage Roles" -> [Role] -> "Edit" -> "Set as default roles").
warning
The usage of the environment variable SAML_DEFAULT_ROLE is deprecated and should be avoided. Please use the UI to configure the default role instead of using the variable. If set, the environment variable SAML_DEFAULT_ROLE will overwrite any default role set in the UI.
You have the option to pre-define roles for new SAML users with a known Name ID on the command line by running
After signing in, new SAML users are prompted to contact the admin if they require extra permissions. An admin can then assign them to a specific role.
Rasa Enterprise supports SSO using the Security Assertion Markup Language (SAML) 2.0 protocol.
Configuring SAML SSO for Rasa Enterprise
Rasa Enterprise acts as a service provider (SP) which initiates the SSO request to an external SAML authority, called the identity provider (IdP). This section describes how to configure the Rasa Enterprise SAML SP to work with your enterprise IdP.
- Rasa Enterprise mounts SAML certificates, keys and a settings file from your project directory. Create a directory for the authentication information and a directory for storing the configuration file with
- The Rasa Enterprise SAML SP requires an X.509 certificate to sign the authentication request. You'll need to create a certificate and the corresponding private key in ${RASA_HOME}/auth/certs. To do this, run:
- The SAML SP has to be configured using a JSON file. Create a file called settings.json in ${RASA_HOME}/auth/saml with the following content:
Replace the following placeholder variables with values specific to your SAML IdP:
- RASA_ENT_HOST: The host endpoint that the IdP will use to connect to Rasa Enterprise. In Okta this is configured in the Single sign on URL and Audience URI values.
- ENTITY_ID: Identifier of the IdP entity. Okta provides this as the Identity Provider Issuer.
- SSO_URL: Target URL to which the SSO requests are sent. Okta provides this endpoint as the Identity Provider Single Sign-On URL.
- X509_CERT: Public X.509 certificate of the IdP. This value should be provided as a string (a single line without PEM header, footer or line breaks). The SAMLTool page can be used to convert the X.509 certificate to this string format.
If you want to activate the SAML endpoint before you have your actual SAML IdP, for example for a metadata-based configuration of your IdP, you need to make sure that the placeholder values you use satisfy the following:
- ENTITY_ID: is not empty
- SSO_URL: has the format of a URL, for example https://example.com
- X509_CERT: is not empty
- Re-start Rasa Enterprise so that it will read the updated settings.json.
Once the rasa-x service has been (re-)started after modifying the SAML settings, you can retrieve the SAML endpoint metadata by issuing this GET command:
You can specify additional details about your IdP in settings.json, as well as in an additional file called advanced_settings.json. Have a look at onelogin's documentation on python3-saml for more details.
note
First-time SSO users are invited to choose their own username in Rasa Enterprise. This feature relies on a permanent NameID (i.e. the nameid-format cannot be of type transient). For available nameid-format types, please have a look at the section on format identifiers in the SAML 2.0 Name ID specification document.
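The requirements scattered over this page (the placeholder rules from the configuration steps, ENTITY_ID not empty, SSO_URL shaped like a URL, X509_CERT a non-empty single-line string, and the note's demand for a non-transient NameID) can be checked before restarting the rasa-x service. The pre-flight validator below is an added example for this page, not code from Rasa or from python3-saml. It assumes settings.json follows the python3-saml key layout (top-level strict, sp.NameIDFormat, idp.entityId, idp.singleSignOnService.url, idp.x509cert); those key names, the check on python3-saml's strict flag, and the sample IdP values are assumptions, not taken from this page.

```python
"""Pre-flight checks for a python3-saml style settings.json used as the
Rasa Enterprise SAML SP configuration.

Added example for this documentation page; not Rasa's or python3-saml's code.
Assumption: settings.json uses the python3-saml layout, i.e. top-level
"strict", "sp" and "idp" objects with the IdP values under idp.entityId,
idp.singleSignOnService.url and idp.x509cert and the SP NameID format under
sp.NameIDFormat.
"""
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

TRANSIENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
_PEM_BOUNDARY = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")
_BASE64 = re.compile(r"^[A-Za-z0-9+/]+=*$")


def pem_to_saml_string(pem: str) -> str:
    """Collapse a PEM certificate into the single-line base64 string form
    expected for the X509_CERT placeholder (what the SAMLTool converter does)."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    body = "".join(ln for ln in lines if not _PEM_BOUNDARY.match(ln))
    if not body or not _BASE64.match(body):
        raise ValueError("input is not a PEM-encoded certificate")
    return body


def check_settings(settings: Dict) -> List[str]:
    """Return the list of problems found; an empty list means the file passes."""
    problems: List[str] = []
    idp = settings.get("idp", {})
    sp = settings.get("sp", {})

    # python3-saml only rejects unsigned/ill-formed messages when strict is on
    # (assumed key, see the module docstring).
    if settings.get("strict") is not True:
        problems.append('"strict" must be true')

    # ENTITY_ID placeholder: must not be empty, even for a metadata-only start.
    if not idp.get("entityId"):
        problems.append("idp.entityId (ENTITY_ID) is empty")

    # SSO_URL placeholder: must be a URL; insist on https for a real IdP.
    sso_url = idp.get("singleSignOnService", {}).get("url", "")
    parsed = urlparse(sso_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("idp.singleSignOnService.url (SSO_URL) is not a URL")
    elif parsed.scheme != "https":
        problems.append("idp.singleSignOnService.url (SSO_URL) should use https")

    # X509_CERT placeholder: non-empty and already in single-line string form.
    cert = idp.get("x509cert", "")
    if not cert:
        problems.append("idp.x509cert (X509_CERT) is empty")
    elif not _BASE64.match(cert):
        problems.append("idp.x509cert (X509_CERT) is not a single-line base64 string")

    # First-login username selection needs a permanent NameID (see the note).
    if sp.get("NameIDFormat") == TRANSIENT_NAMEID:
        problems.append("sp.NameIDFormat is transient; a permanent NameID is required")

    return problems


def check_settings_file(path: str) -> List[str]:
    """Load ${RASA_HOME}/auth/saml/settings.json (or any path) and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_settings(json.load(fh))


# Constructed sample: not a real IdP, and the certificate body is dummy base64.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUQxMV\n"
    "K3aODgZXMDAAbgo=\n"
    "-----END CERTIFICATE-----\n"
)

SAMPLE_SETTINGS = {
    "strict": True,
    "sp": {"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"},
    "idp": {
        "entityId": "http://www.okta.com/exk0000example",
        "singleSignOnService": {"url": "https://example.okta.com/app/example/sso/saml"},
        "x509cert": pem_to_saml_string(SAMPLE_PEM),
    },
}

if __name__ == "__main__":
    for line in check_settings(SAMPLE_SETTINGS) or ["settings OK"]:
        print(line)
```

Run it against the real file with check_settings_file("${RASA_HOME}/auth/saml/settings.json") after substituting the placeholders; a non-empty list is the reason a restart would leave the SAML endpoint unusable.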