RapidMiner is introducing new capabilities that should be very interesting for large organizations that are looking to invest in ML & AI, but also need to take careful precautions around data governance and tightly manage access to information. As data governance for AI & ML moves into the forefront of conversations, it’s critical that your data science platform integrates and works seamlessly with your current corporate identity management and authentication systems so that you’re taking the same access precautions you would with any other platform that could potentially provide access to sensitive data. RapidMiner Server and Studio can now use the SAML protocol to interact with any identity provider, and incorporate RapidMiner users to the general user management of the company.
Upgrade and see for yourself how easy it is to manage both authentication and authorization with your company’s own identity provider.
The SAML protocol
SAML has become the standard protocol for exchanging authentication data between applications and Identity Providers. It creates a nice middle layer that allows applications to get user information from very different user management systems without needing the details of each implementation. New authentication features like 2- or multi-factor can be added without changes in the application.
How it works with RapidMiner Server
RapidMiner Server already provided the option to create users in its own user system or, alternatively, connect to an LDAP provider. With the new SAML support, users can also log in using any other corporate authentication system like Microsoft’s ADFS, Auth0 or even external providers like Google, AWS, etc.
In that case, when a user wants to log into the RapidMiner Server, he’s immediately re-directed to the external authentication page.
Once the user has successfully authenticated, he is returned back to Server and he can access the services as usual.
The integration also includes the possibility to map groups and roles defined in the external service with those in RapidMiner. That way, authorization is also managed, and administrators can provide users with a global seamless experience. If a user is a data scientist working in a particular area, he gets access to some RapidMiner resources, as well as, maybe, access to other applications related to his role. If he is an administrator, or a business user, he would get a different kind of access. This way, users and roles can be defined at the corporate level and RapidMiner links those roles with permissions and privileges depending on what that particular user or group of users is supposed to do with the software.
Here’s a simplified graph on how it works.
Logging in with RapidMiner Studio
RapidMiner Studio logs into RapidMiner Server when a user connects to the Server repository. In this case, the user experience is similar. Instead of just requesting a user and a password, the user is redirected to the external authentication service.
Once he successfully logs in, he can work with the repository as usual.
Also, folder and object permissions in Studio are related to the authorization defined in Server for his role.
If needed, Studio users can also explicitly log off.
Some use cases
One use case that’s getting more common is two- or multiple-factor authentication. A username and a password might not be enough, and companies want to make sure a user is who he says he is. In that case, a second authentication method is added, which might be a phone app which provides an additional token, or a message with a code sent to the user’s phone, or anything like that. This way, even if someone could get hold of some passwords, accounts would still be safe.
This configuration is now supported in RapidMiner, as long as your Identity Provider supports it.
Some companies use Microsoft or Google accounts for their employees to access internal applications. Why not using them for RapidMiner? Well, now it’s possible, along with many others like BitBucket, Auth0, AWS or even Facebook or Dropbox.
Of course, we’ll still support simple LDAP, both via SAML or through our standard connection.
Configuring RapidMiner Server for your particular Identity Provider is very easy. The whole configuration is done in a single file (local-security.properties) and most of the information is provided by simply importing your IdP’s metadata xml file.
Authorization is still done within RapidMiner Server. There, you can map your organization’s groups (defined in the Identity Provider) with RapidMiner groups and roles, to make sure each user receives the right permissions. You can also create a default group with minimal permissions for those users who access the system for the first time.
Once that’s done, the system is ready for users to log in. And the good news is that there is no additional effort needed after that. Once the groups have been set up, all user management can be done within the Identity Provider at the organization’s level.
Summing it up
RapidMiner’s integration with the SAML protocol provides a great way to seamlessly blend RapidMiner’s user system with the corporate one. The corporate authentication system can be used, and the administrators only need to link users with groups and permissions to produce a global user experience.
Learn more about SAML Authentication with RapidMiner.