Single Sign-On (SSO) is an authentication scheme, allowing users to log in with a single pair of credentials to multiple, independent software systems.
This section explains the procedure to configure SSO to NVIDIA Run:ai using the SAML 2.0 protocol.
Before you start, make sure you have the IDP Metadata XML available from your identity provider.
Adding the Identity Provider
Open the Security section and click +IDENTITY PROVIDER
Select either From computer or From URL to upload your identity provider metadata file
From computer - Click the Metadata XML file field, then select your file for upload
From URL - In the Metadata XML field, enter the URL to the IDP Metadata XML file
You can either copy the Redirect URL and Entity ID displayed on the screen and enter them in your identity provider, or use the service provider metadata XML, which contains the same information in XML format. This file becomes available after you click SAVE in step 7.
Optional: Enter the user attributes and their values in the identity provider as shown in the table below
Click SAVE. After saving, click Open service provider metadata XML to access the metadata file. This file can be used to configure your identity provider.
Optional: Enable Auto-Redirect to SSO to automatically redirect users to your configured identity provider’s login page when accessing the platform.
If it exists in the IDP, it allows you to assign NVIDIA Run:ai role groups via the IDP. The IDP attribute must be a list of strings.
If it exists in the IDP, it allows Researcher containers to start with the Linux User UID. Used to map access to network resources such as file systems to users. The IDP attribute must be of type integer.
If it exists in the IDP, it allows Researcher containers to start with the Linux Group GID. The IDP attribute must be of type integer.
If it exists in the IDP, it allows Researcher containers to start with the relevant Linux supplementary groups. The IDP attribute must be a list of integers.
Defines the user attribute in the IDP holding the user's email address, which is the user identifier in NVIDIA Run:ai.
Used as the user’s first name appearing in the NVIDIA Run:ai platform.
Used as the user’s last name appearing in the NVIDIA Run:ai platform.
Open the NVIDIA Run:ai platform as an admin
Open the NVIDIA Run:ai platform in an incognito browser tab
On the sign-in page click CONTINUE WITH SSO. You are redirected to the identity provider sign in page
On the identity provider sign-in page, log in with the SSO user to whom you granted access rules
If you are unable to sign in to the identity provider, follow the Troubleshooting section below
You can view the identity provider details and edit its configuration:
Open the Security section
On the identity provider box, click Edit identity provider
You can edit either the metadata file or the user attributes
You can view the identity provider URL, identity provider entity ID, and the certificate expiration date
You can remove the identity provider configuration:
Open the Security section
On the identity provider card, click Remove identity provider
In the dialog, click REMOVE to confirm the action
Note
To avoid losing access, removing the identity provider must be carried out by a local user.
Downloading the IDP Metadata XML File
You can download the XML file to view the identity provider settings:
Open the Security section
On the identity provider card, click Edit identity provider
In the dialog, click DOWNLOAD IDP METADATA XML FILE
If testing the setup was unsuccessful, try the different troubleshooting scenarios according to the error you received. If an error still occurs, check the advanced troubleshooting section.
Troubleshooting Scenarios
Error: "Invalid signature in response from identity provider"
Description: After trying to log in, the following message is received in the NVIDIA Run:ai login page.
Mitigation:
Go to the General settings menu
Open the Security section
In the identity provider box, check for a "Certificate expired" error
If it is expired, update the SAML metadata file to include a valid certificate
Description: Authentication failed because email attribute was not found.
Mitigation: Validate that the user’s email attribute is mapped correctly
Error: "403 - Sorry, we can’t let you see this page. Something about permissions…"
Description: The authenticated user is missing permissions
Mitigation:
Validate that either the user or its related groups are assigned access rules
Validate that the user’s groups attribute is mapped correctly
Advanced:
Open the Chrome DevTools: Right-click on page → Inspect → Console tab
Run the following command to retrieve and paste the user’s token: localStorage.token;
Under the Payload section validate the values of the user’s attributes
The SAML login flow can be separated into two parts:
NVIDIA Run:ai redirects to the IDP for log-ins using a SAML Request
On successful log-in, the IDP redirects back to NVIDIA Run:ai with a SAML Response
Validate the SAML Request to ensure the SAML flow works as expected:
Go to the NVIDIA Run:ai login screen
Open the Chrome Network inspector: Right-click → Inspect on the page → Network tab
On the sign-in page click CONTINUE WITH SSO.
Once redirected to the identity provider, search the Chrome network inspector for the HTTP request that carries the SAML Request. Depending on the IDP URL, this is a request to the IDP domain name, for example accounts.google.com/idp?1234.
When found, go to the Payload tab and copy the value of the SAML Request
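The copied value is encoded: with the SAML HTTP-Redirect binding, the SAML Request is raw-DEFLATE compressed, then base64-encoded and URL-encoded. The Python example below is added here and is not NVIDIA Run:ai code; it decodes the value locally and compares the request's Issuer and AssertionConsumerServiceURL with the Entity ID and Redirect URL entered in the identity provider. Assumptions: the Redirect URL shown in the platform is the assertion consumer service URL, the function names are hypothetical, and the sample request and sp.example.com URLs are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def decode_saml_request(value: str) -> bytes:
    """Decode a SAMLRequest value copied from the browser's Payload tab."""
    raw = base64.b64decode(urllib.parse.unquote(value.strip()))
    try:
        return zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    except zlib.error:
        return raw                        # HTTP-POST binding: base64 only


def check_saml_request(value: str, entity_id: str, redirect_url: str) -> list:
    """Return mismatches between the request and the settings entered in the IDP."""
    xml = decode_saml_request(value)
    if b"<!DOCTYPE" in xml:               # refuse DTDs before parsing untrusted XML
        return ["request contains a DTD; not parsed"]
    root = ET.fromstring(xml)
    if root.tag != SAMLP + "AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    findings = []
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    if issuer != entity_id:
        findings.append(f"Issuer {issuer!r} != Entity ID {entity_id!r}")
    acs = root.get("AssertionConsumerServiceURL")  # optional in SAML 2.0
    if acs is not None and acs != redirect_url:
        findings.append(f"ACS URL {acs!r} != Redirect URL {redirect_url!r}")
    return findings


# Constructed sample: a minimal AuthnRequest, deflated and encoded like a real one.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" '
              b'AssertionConsumerServiceURL="https://sp.example.com/redirect">'
              b'<saml:Issuer>https://sp.example.com/entity</saml:Issuer>'
              b'</samlp:AuthnRequest>')
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE = urllib.parse.quote(base64.b64encode(_c.compress(SAMPLE_XML) + _c.flush()), safe="")

if __name__ == "__main__":
    print(decode_saml_request(SAMPLE).decode())
    print(check_saml_request(SAMPLE, "https://sp.example.com/entity",
                             "https://sp.example.com/redirect") or "request matches")
```

An empty result means the Issuer and, if present, the AssertionConsumerServiceURL match what the identity provider was configured with.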
Validate the response:
The user email under the <saml2:Subject> tag is the same as the logged-in user
Make sure that under the <saml2:AttributeStatement> tag, there is an Attribute named email (lowercase). This attribute is mandatory.
If other, optional user attributes (groups, firstName, lastName, uid, gid) are mapped, make sure they also exist under <saml2:AttributeStatement> along with their respective values.
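The checks above can be run locally against a base64-encoded SAML Response (the form the HTTP-POST binding uses). This Python example is added here and is not NVIDIA Run:ai code; it inspects content only and does not verify the response signature. The function name, the `mapped` parameter and the sample response are constructed for illustration; the sample deliberately miscases the email attribute and carries a non-integer uid.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(b64_response, logged_in_email, mapped=()):
    """List problems in a base64 SAMLResponse; `mapped` names the optional attributes in use."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:               # refuse DTDs before parsing untrusted XML
        return ["response contains a DTD; not parsed"]
    root = ET.fromstring(xml)
    findings = []
    name_id = (root.findtext(".//saml2:Subject/saml2:NameID", "", NS) or "").strip()
    if name_id != logged_in_email:
        findings.append(f"Subject {name_id!r} is not the logged-in user")
    attrs = {}
    for a in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip()
                                for v in a.findall("saml2:AttributeValue", NS)]
    if "email" not in attrs:              # the name is case-sensitive
        near = [n for n in attrs if n and n.lower() == "email"]
        findings.append(f"mandatory attribute 'email' missing (found {near})")
    for name in mapped:
        values = attrs.get(name)
        if not values or not all(values):
            findings.append(f"mapped attribute {name!r} missing or empty")
        elif name in ("uid", "gid") and not all(v.isdigit() for v in values):
            findings.append(f"{name!r} must be an integer, got {values}")
    return findings


# Constructed sample response (unsigned, for illustration only).
SAMPLE_XML = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>'
    '<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>'
    '<saml2:AttributeStatement>'
    '<saml2:Attribute Name="Email"><saml2:AttributeValue>alice@example.com'
    '</saml2:AttributeValue></saml2:Attribute>'
    '<saml2:Attribute Name="uid"><saml2:AttributeValue>alice'
    '</saml2:AttributeValue></saml2:Attribute>'
    '</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>')
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE, "alice@example.com", mapped=("uid", "groups")):
        print(finding)
```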