SAML2 for CKAN

At the end of 2020, Keitaro’s team (a leading authority in CKAN) created and released ckanext-saml2auth, a CKAN extension that enables Single Sign On (SSO) for CKAN data portals via SAML2 Authentication.

We are proud to share that data.gov, the home of the U.S. Government’s open data, adopted Keitaro’s CKAN extension on their portal. With ckanext-saml2auth, data.gov’s users can now benefit from single sign-on in their day-to-day work and focus on their mission to improve public access to high value, machine readable datasets.

Data.gov is the U.S. government’s open data portal. The aim of the portal is to improve public access to high value, machine readable datasets. It provides data, tools, and resources to conduct research, develop web and mobile applications, design data visualizations, and more.

Data.gov is powered by CKAN, which is open-source and can be tailored to meet the unique requirements of any organization. It offers more than 200 extra functionalities via extensions that can be easily added to any data portal. CKAN itself provides capabilities for data publishing, visualization tools, accessing data through an API, rich search experience, integration with third-party services, data harvesting from external sources and much more.

About the extension

Many identity and access management (IAM) or access control solutions provide single sign-on (SSO). Verifying a user’s identity is important for determining which permissions each user should have. Single sign-on is a technology that integrates multiple diverse application login screens into one. With SSO, a user enters their login credentials (username, password, etc.) just once, on a single page, to access all of their SaaS applications. SSO is generally considered to be more reliable because it is simpler and more convenient for users.

The extension is built on SAML2 authentication, an XML-based open standard for transferring identity data between two parties: an identity provider and a service provider. The identity provider performs authentication and passes the user’s identity and authorization level to the service provider. The service provider trusts the identity provider and authorizes the given user to access the requested resource. The ckanext-saml2auth extension works with CKAN 2.9+ and can easily be installed on an existing CKAN data portal.

The extension provides its users with: 

  • Saving time – users don’t have to create a new account for the CKAN instance that the organization uses. Instead, the user can leverage the organization’s existing identity provider to log in to the CKAN instance, and the extension will authenticate the credentials.
  • Convenience – users don’t have to remember their password (or use the forgot password option). This enables a faster authentication process and reduces the need for users to remember multiple login credentials for each application.
  • Enhanced security measures – the accounts are safer and users don’t need to worry about the strength of any password. SAML2 authentication provides a single point of authentication, which happens at a secure identity provider (IdP), and transfers the identity information to the service providers. This form of authentication ensures that credentials are only sent to the IdP directly.

If you want to install this extension to your own CKAN portal, check out our previous article on ckanext-saml2auth, or reach out to us for assistance. 

About Blagoja Stojkoski

was part of Keitaro