This page contains information on how to leverage Active Directory groups within Cinchy.
Cinchy Groups are containers that contain Users and other Groups within them as members, and used to provision access controls throughout the platform. Cinchy Groups enable centralized administration for access controls.
Groups are defined in the "Groups" table within the Cinchy domain. By default this table can only be managed by members of the Cinchy Administrators group. Each group has the following attributes:
Name - Group name, this must be unique across all groups within the system
Users - Users which are members of the group
User Groups - Groups which are members of the group
Owners - Users which are able to administer the membership of this group. By default Owners are also members of the group (i.e. they do not need to also be added into Users).
Owner Groups - Groups whose members are able to administer the membership of this group. By default, members of Owner Groups are also members of the group (i.e. they do not need to also be added into Users or User Groups).
Group Type - Either "Cinchy Group" or "AD Group". If this is a "Cinchy Group", this means that membership is maintained directly in Cinchy. If this is an "AD Group", then a sync process will be leveraged to maintain the membership and overwrite the Users.
Create a new record within the Groups Table with the same name as the AD Group (use the cn attribute).
Set the Group Type = "AD Group".
Update the Name attribute of the existing group record to match the AD Group (use the cn attribute).
Set the Group Type to "AD Group".
AD Groups defined in Cinchy have their members sync'ed from AD through a batch process that leverages the Cinchy Command-line-interface (CLI).
The sync operation performs the following high-level steps:
Fetches all Cinchy registered AD Groups using a Saved Query.
Retrieves the usernames of all members for each AD Group. The default attribute for username that is retrieved is "userPrincipalName", but configurable as part of the sync process.
For each AD Group, loads the users that are both a member in AD and exist in the Cinchy Users table (matched on the Username) into the "Users" attribute of the Cinchy Groups table.
Cinchy CLI Model must be installed in your instance of Cinchy, steps are mentioned here
An instance of the Cinchy CLI must be available to execute the sync
A task scheduler is required to perform the sync on a regular basis (e.g. Autosys)
Create a new query within Cinchy with the below CQL to fetch all AD Groups from the Groups table. The domain & name assigned to the query will be referenced in the subsequent step.
Copy the below XML into a text editor of your choice and update the attributes listed in the table below the XML to align to your environment specific settings. Once complete, create an entry with the config in your Data Sync Configurations table (part of the Cinchy CLI model).
If the userPrincipalName attribute in Active Directory does not match what you expect to have as the Username in the Cinchy Users table (e.g. if the SAML token as part of your SSO integration returns a different ID), then you must replaceuserPrincipalNamein the XML config with the expected attribute.
The userPrincipalName appears twice in the XML, once in the LDAPDataSource Columns and once in the CinchyTableTarget ColumnMappings.
The below CLI command (see here for additional information on the syncdata command) should be used to execute the sync. Update the command parameters (described in the table below) with your environment specific settings. Execution of this command can be scheduled at your desired frequency using your scheduler of choice.
The user account credentials provided in above CLI syncdata command must have View/Edit access to Cinchy Groups table.
This page walks through the integration of an Identity Provider with Cinchy via SAML Authentication
Cinchy supports integration with any Identity Provider that issues SAML tokens (e.g. Active Directory Federation Services) for authenticating users. It follows an SP Initiated SSO pattern where the SP will Redirect to the IdP and the IdP must submit the SAML Response via an HTTP Post to the SP Assertion Consumer Service. Below is a diagram outlining the flow when a non-authenticated user attempt to access a Cinchy resource.
Cinchy must be registered with the Identity Provider. As part of that process you'll supply the Assertion Consumer Service URL, choose a client identifier for the Cinchy application, and generate a metadata XML file.
The Assertion Consumer Service URL for Cinchy is the base URL for the CinchySSO application followed by "/{AcsURLModule}/Acs" e.g. https://myCinchyServer/CinchySSO/identity/AuthServices/Acs. {AcsURLModule} value needs to be defined in appsettings.json file
To enable SAML authentication within Cinchy, follow the below steps:
You can find the necessary metadata XML from the applicable identity provider you're using the login against. Place the metadata file in the deployment directory of the CinchySSO web application.
If you are using ADFS for this process, you can find your metadata XML at the following link, inputting your own information for <your.AD.server>: https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml
2. Update the value of the below app settings in the CinchySSO appsettings.json file.
SAMLClientEntityId - The client identifier chosen when registering with the Identity Provider
SAMLIDPEntityId - The entityID from the Identity Provider metadata XML
SAMLMetadataXmlPath - The full path to the metadata XML file
AcsURLModule - This parameter is needs to be configured as per your SAML ACS URL.
Example ACS URL: "https:///CinchySSO/identity/AuthServices/Acs"
Example parameter value: "/identity/AuthServices"
3. The following parameters pertain to signed SAML IdP requests. Within the IDPSSODescriptor tag of the metadata is the below WantAuthnRequestSigned attribute:
If the value for this attribute is set to "true" then your Identity Provider is expecting the request to be "Signed". In this case, please enter the following parameters:
SAMLSignCertificatePath - This parameter needs to be the path for the PFX file of the certificate. This must match the same certificate in your identity provider.
SAMLSignCertificatePassword - This parameter is the password for the above mentioned PFX file. You may choose to encrypt it or not.
SAMLSignCertificateMinAlgorithm - This parameter is optional and only needed for PFX files that are generated at different algorithm levels.
The possible options for this parameter are:
SHA1
SHA256
SHA384
SHA512
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#rsa-sha256
http://www.w3.org/2000/09/xmldsig#rsa-sha384
http://www.w3.org/2000/09/xmldsig#rsa-sha512
4. If the Identity Provider is configured for the request to be encrypted please provide a PFX file, with a non-empty password, for the below attributes:
SAMLEncryptedCertificatePath - This parameter needs to be the path for the PFX file of the certificate. This must match the same certificate in your identity provider.
SAMLEncryptedCertificatePassword - This parameter is the password for the above mentioned PFX file.
Once SSO is enabled, the next time a user arrives at the Cinchy login screen they will see an additional button "Single Sign-On". Before a user is able to login through the SSO flow, the user must be set up in Cinchy with the appropriate authentication configuration. See the User Management section below for instructions on how to perform this setup.
Users in Cinchy are maintained within the Users table in the Cinchy domain. Each user in the system is configured with 1 of 3 Authentication Methods:
Cinchy User Account - These are users that are created and managed directly in the Cinchy application. They log into Cinchy by entering their username and password on the login screen.
Non Interactive - These accounts are intended for application use.
Single Sign-On - These users authenticate through the SSO Identity Provider (configured using the steps above). They log into Cinchy by clicking the "Login with Single Sign-On" link on the login screen.
Create a new record within the Users table with the Authentication Method set to "Single Sign-On".
The password field in the Users table is mandatory. For Single Sign-On users, the value entered is ignored. You can input "n/a".
Change the Authentication Method of the existing user to "Single Sign-On".
Once a user is configured for SSO, they can then click the "Login with Single Sign-On" link on the login page and that will then take them through the Identity Provider's authentication flow and bring them into Cinchy.
Once SSO has been enabled on your instance of Cinchy, by default, any user that does not exist in the Cinchy Users table will not be able to login regardless if they are authenticated by the Identity Provider.
Enabling Automatic User Creation means that upon login, if the Identity Provider authorizes the user, an entry for this user will automatically be created in the Cinchy Users table if one does not already exist. This means that any SSO authenticated user is guaranteed to be able to access the platform.
See below for details on how to enable Automatic User Creation.
Users that are automatically added will not be allowed to create or modify tables and queries. To provision this access, Can Design Tables and Can Design Queries must be checked on the User record in the Cinchy Users table.
The Identity Provider configuration must include the following claims in addition to the base configuration in the SAML token response:
First Name
Last Name
In order to enable automatic group assignment for newly created users (applicable if you plan on using AD Groups), then also include an attribute that captures the groups that this user is a member of (e.g. memberOf field in AD)
Enabling automatic user creation requires the following changes to the appsettings.json file in the CinchySSO web application.
Add "ExternalClaimName" attribute values under "ExternalIdentityClaimSection" in appsettings.json file. Do not add the value for "MemberOf" if you don't want to enable automatic group assignment .
The ExternalClaimName value must be updated to create a mapping between the attribute name in the SAML response and the required field. (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname is the name in the SAML response for the FirstName field)
If you are syncing someone with a lot of ADFS groups, the server may reject the request for the header being too large. If you are able to login as a user with a few groups in ADFS but run into an error with users with a lot of ADFS groups (regardless of if those ADFS groups are in Cinchy), you will need to make 2 changes.
In your CinchySSO app settings, you will also need to increase the max size of the request header.
The following outlines the configuration required in Active Directory Federation Services (ADFS) to enable Single Sign-On (SSO).
On your ADFS Server, Open AD FS Management.
Righ-click on Relying Party Trusts and select Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.
Select Claims aware. Click Start.
Choose Enter data about the relying party manually. Click Next.
Enter a Display Name of your choice.
Do not choose any certificates.
Select Enable support for the SAML 2.0 SSO Web SSO protocol.
Enter your login URL in the following format:
Choose an Identifier and click Next until you are complete.
Right-click on the Relying Party Trust you just created (look for the Display Name) and click Edit Claim Issuance Policy.
Click on the Add Rule... and choose Claim Rule as Send LDAP Attributes as Claims.
Add Claim rule name, choose Active Directory under Attribute store and map LDAP attribute to outgoing claim types:
4. Click Finish.
5. Click on Edit Rule...
6. Click on View Rule Language and copy out the Claim URLs for the claims defined. This information will be needed in a later step to configure your Cinchy appsettings.json. This will look something like this:
7. Click Ok to save the rule.
8. Right-click on your Relying Party Trust again and click Properties.
9. Go to the Advanced tab and set the secure hash algorithm to SHA-256
Everything below is case sensitive and must match whatever is specified in your SAML IdP configuration.
Open https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml in a browser and save the XML file in the cinchysso folder.
Open IIS Manager and create an HTTPS binding on the Cinchy site (if necessary).
Go to sso site and bind HTTPS with it. Make sure to use the same port as the login URL above if specified.
You will need the Rule Language URLs you copied out from the ADFS Configuration above. Using the same example as above, we would get the following (replace with your own URLs).
Add the 3 following lines to your web.config within the appSettings section:
If you are using Azure AD for this process, you can find your metadata XML by
If you are using GSuite for this process, you can find your metadata XML by
If you are using Okta for this process, you can find your metadata XML by
If you are using Auth0 for this process, you can find your metadata XML by
If you are using PingIdentity for this process, you can find your metadata XML by
When configuring the Identity Provider, the only required claim is a user name identifier. If you plan to enable automatic user creation, then additional claims must be added to the configuration. Click for more information.
If a user successfully authenticates with the Identity Provider but has not been set up in the Users table, then they will see the following error message - " You are not a registered user in Cinchy . Please contact your Cinchy administrator." To avoid the manual step to add new users, you can consider enabling .
In addition to creating a user record, if AD Groups are configured within Cinchy, then the authenticated user will automatically be added to any Cinchy mapped AD Groups where they are a member. See for additional information on how to define AD Groups in Cinchy.
For more details on the app settings see the app settings section of .
XML Tag
Attribute
Content
LDAPDataSource
ldapserver
The LDAP server url
(e.g. LDAP:\\activedirectoryserver.domain.com)
LDAPDataSource
username
The encrypted username to authenticate with the AD server
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "Domain/username").
LDAPDataSource
password
The encrypted password to authenticate with the AD server
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "password").
LDAPDataSource -> Filter
Domain Name
The domain of the Saved Query that retrieves AD Groups
LDAPDataSource -> Filter
Query Name
The name of the Saved Query that retrieves AD Groups
Options
Description
-s, --server
Required. The full path to the Cinchy server without the protocol
(e.g. cinchy.co/Cinchy).
-u, --userid
Required. The user id to login to Cinchy.
This account must have access to edit the Groups table
-p, --password
Required. The encrypted password of the specified user
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "password").
-m, --model
Required. The Cinchy model to use for retrieval of batch configuration information and persistence of the execution log.
-d, --tempdirectory
Required. The path to a directory that the CLI can use for storing temporary files to support the sync (e.g. partitioned data).
Attribute | Value |
CinchyLoginRedirectUri |
|
CinchyPostLogoutRedirectUri |
|
CertificatePath |
|
SAMLClientEntityId | Relying party identifier from Relying Party Trust above |
SAMLIDPEntityId |
Your FederationMetadata.xml will have this near the beginning. Note that this is the entityID, not the ID. |
SAMLMetadataXmlPath |
This is the location where you placed the FederationMetadata.xml in step 1. |
SAMLSSOServiceURL | In Domain controller, in-service endpoints, look for type Saml 2, URL path: Same as the login URL provided to the wizard in the ADFS Configuration |
AcsURLModule |
|
MaxRequestHeadersTotalSize | Integer Bytes to set the max request header to. If the default (likely 32kb) does not work, you may have to set this larger to accommodate a large number of groups. |
MaxRequestBufferSize | Integer This should be equal or larger than your header's total size above. |
MaxRequestBodySize | Integer If any of these values are -1 they will use the default. It is not necessary to change the body size. |
LDAP Attribute | Outgoing Claim Type | Comments |
User-Principal-Name | Name ID |
SAM-Account-Name | sub |
|
Given-Name | Given Name |
Surname | Surname |
E-Mail-Address | E-Mail Address |
Is-Member-Of-DL | Role |
Necessary for
Necessary for
Necessary for
Necessary for
