3.1 Authentication integration with SAML

Hopara supports SP initiated single sign on with SAML. The first step is to get an access token using the client id and secret provided by the Hopara support team. This token should be used in the subsequent Hopara requests.

curl --request POST \
  --url https://auth.hopara.app/token \
  --header 'Content-Type: application/json' \
  --data '{
	"clientId": "[your client id]",
	"clientSecret": "[your secret]"
}

Then you can get the SSO information by calling the SAML endpoint. You will use this information when adding the Hopara application in your IDP.

curl --location 'https://auth.hopara.app/saml/info?tenant=[your_domain.com] --header 'authorization: Bearer [your_token]'

Example response:

{
    "singleSignOnUrl":"https://xxx.auth.us-east-1.amazoncognito.com/saml2/idpresponse",
    "audienceUri":"urn:amazon:cognito:sp:yyy"
}

Adding an application in the IDP

The configuration below should be set when adding the Hopara application in your IDP.

General Settings

Logo: Download here
Single sign-on URL: The single sign on URL fetched previously from the SAML endpoint
Audience URI (SP Entity ID): The audience URI fetched previously from the SAML endpoint

Attribute Statements

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Value: user.email
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Value: user.firstName

Group Attribute Statements

Name: groups
Filter: Matches Regex: .*

Okta specifics

Are you a customer or partner: I'm an Okta customer adding an internal app
App type: This is an internal app that we have created

Permissions

Hopara supports the following permission groups that you can assign to users in your IDP.

You should assign only one group per user. The groups on the top inherit the permission from the groups on the bottom (e.g. the studio profile inherits the scene-builder and visualization permissions).

Group	Permissions
hopara:profile:admin	Manage users
hopara:profile:data	Create new datasources and queries
hopara:profile:studio	Create new visualizations and customize them
hopara:profile:scene-builder	Manage assets and rooms (e.g. move and place assets)
hopara:profile:visualization	View only

Feeding back the IDP information to Hopara

After the app is added to the IDP you should have access to the metadata URL. This should be added back to Hopara. You can do so by calling the saml/configure endpoint.

curl --location 'https://auth.hopara.app/saml/configure' \
--header 'Content-Type: application/json' \
--header 'authorization: Bearer [your_token]' \
--data '{
    "tenant": "yourdomain.com",
    "metadataUrl": "metadata URL from your IDP"
}'

Testing

You can test the integration by trying to log in on https://hopara.app.