Configuring Talend Administration Center SSO with AD FS 3.0/4.0 - 7.3

EnrichVersion
7.3
EnrichProdName
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
EnrichPlatform
Talend Administration Center
task
Administration and Monitoring > Managing authorizations

AD FS 3.0/4.0 Overview

Subscription

Active Directory Federation Services (AD FS) enables a decentralized identity sharing between business partners by implementing the WS-Federation protocol and standards such as WS-Trust and Security Assertion Markup Language (SAML). AD FS is used to generate assertions for users. These assertions are sent back to Talend Administration Center, where the user settings and roles are assigned based on the AD FS configuration.

You can configure AD FS 3.0 on Windows Server 2012 R2, or AD FS 4.0 on Windows Server 2016 to enable secure identity management and single sign-on (SSO) access to Talend Administration Center.

For more information on system requirements and getting started with AD FS, refer to the AD FS documentation.

Installing AD FS 3.0/4.0

Subscription
AD FS 3.0 runs on Windows Server 2012 R2. AD FS 4.0 runs on Windows Server 2016.

Before you begin

Talend Administration Center must be configured with HTTPS. For more information, see How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center.

Procedure

  1. Open Server Manager.
  2. Click Manage > Add Roles and Features.
  3. In the Add Roles and Feature Wizard window, configure the installation based on your requirements.
  4. Install Active Directory Federation Services.
    For AD FS 4.0, you need to enable the AD FS properties EnableIdPInitiatedSignonPage and EnableRelayStateForIdpInitiatedSignOn by running the following commands:
    Set-AdfsProperties -EnableIdPInitiatedSignonPage:$true
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn:$true

Configuring AD FS 3.0/4.0

Subscription

Procedure

  1. In the Server Manager, click Tools > AD FS Management.
  2. Right-click Trust Relationships > Relying Party Trusts, and select Add Relying Party Trust....
  3. Click Start.
  4. Select Enter data about the relying party manually, then click Next.
  5. Enter a display name and click Next.
  6. Select AD FS profile and click Next.
  7. Click Next.
  8. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
  9. Enter the single sign-on service URL in the Relying party SAML 2.0 SSO Service URL field.
    For example, https://localhost:8080/org.talend.administrator/ssologin.
  10. On the Configure Identifiers page, enter the same service URL as in step 9, then click Add and Next.
  11. Choose whether to configure multi-factor authentication settings.
  12. Leave the Permit all users to access this relying party option selected and click Next.

    You may change the issuance authorization rules later.

  13. Click Next, then Close.

    Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox selected.

Adding Claim Rules

Subscription
Use claim rules to define mandatory and optional custom attributes. The nameid-format attribute is mandatory.

Procedure

  1. In the Edit Claim Rules for... window, click Add Rule....
  2. Define the attributes to be send to Talend Administration Center via SAML response.
  3. Click OK.

    Follow the example configuration described in Configuring Custom Roles Claim Rule (Example) to add the mandatory nameid-format attribute.

Configuring Custom Roles Claim Rule (Example)

Subscription

Procedure

  1. In the Add Transform Claim Rule Wizard, select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  2. Enter a Claim rule name, for example, EmailAddress.
  3. Enter the configuration to the Custom rule field. 
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
  4. Click Finish.
  5. In the Edit Claim Rules for... window, click Add Rule....
  6. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  7. Enter a Claim rule name, for example, NameId.
  8. Enter the configuration to the Custom rule field. 
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value = c.Value);
  9. Click Finish.
  10. In the Edit Claim Rules for... window, click Add Rule....
  11. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  12. Enter a Claim rule name, for example, Attributes.
  13. Enter the configuration to the Custom rule field. 
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("firstName", "lastName", "tac.projectType", "tac.role"), query = ";givenName,sn,displayName,department;{0}", param = c.Value);
  14. Click Finish.

Exporting Metadata

Subscription

Procedure

  1. Open AD FS Management.
  2. Navigate to Service > Endpoints and scroll down to the Metadata section.
  3. Note the path to the FederationMetadata.xml file.
  4. Download the metadata file from your AD FS host, for example, https://<ADFShost>/FederationMetadata/2007-06/FederationMetadata.xml.

Linking Talend Administration Center to an Identity Provider

Subscription

Procedure

  1. Log in to Talend Administration Center.
  2. From the Configuration page, expand the SSO node.
  3. If SSO has not been enabled yet, select true in the Use SSO Login field.
  4. Click Launch Upload in the IDP metadata field and upload the Identity Provider (IdP) metadata file you have previously downloaded from your Identity Provider system.
  5. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP).
    For example, http://<host>:<port>/org.talend.administrator/ssologin in Okta and ADFS, or <Connection ID> in PingFederate.
  6. Click Launch Upload in the IDP Authentication Plugin field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

    The jar files provided by Talend are located in the <TomcatPath>/webapps/org.talend.administrator/idp/plugins directory.

    It is possible to rewrite the authentication code if necessary.

    The Identity Provider System field changes automatically depending on your Identity Provider system.

  7. Click Identity Provider Configuration and fill out the required information.
    PingFederate
    • PingFederate SSO URL: https://win-350n8gtg2af:9031/idp/startSSO.ping?PartnerSpld=TAC701
    • Basic Adapter Instance ID: BasicAdapter
    Okta
    • Okta Organization URL: https://dev-515956.oktapreview.com
    • Okta Embedded Url: https://dev-515956.oktapreview.com/home/ talenddev515956_talendadministrationcenter_1/0oacvlcac5j52hFhP0h7/ alncvlmpk1VXbYAGu0h7

    AD FS 2

    • Adfs SSO Url: https://<host>/adfs/ls
    • Adfs Basic Auth Path: auth/basic
    • Adfs SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    AD FS 3
    • Adfs 3 SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    • Adfs 2 SSO Url: https://<host>/adfs/ls
  8. Set the Use Role Mapping field to true to map the application project types and the user roles with those defined in the Identity Provider system.
    Once you have defined project types/roles at the Identity Provider side, you cannot to edit them from Talend Administration Center.
  9. Click Mapping Configuration and fill in the role/project type fields with the corresponding SAML attributes previously set in the Identity Provider system.
    Project type examples:
    • MDM = MDM
    • DI = DI
    • DM = DM
    • NPA = NPA

    Role examples:

    • Talend Administration Center roles
      • Administrator = tac_admin
      • Operation Manager = tac_om

      Setting the Talend Administration Center roles is mandatory.

    • Talend Data Preparation roles
      • Administrator = dp_admin
      • Data Preparator = dp_dp
    • Talend Data Stewardship roles
      • Data Steward = tds_ds

    The project types and roles set in the Identity Provider will override the roles set in Talend Administration Center.

    The project types and roles set in the Identity Provider override the roles set in Talend Administration Center at user login.

    If your organization does not accept custom attributes in the SAML token, either:

    1. Select Show Advanced Configuration in the wizard and, in Path to Value, enter the XPath expression to target the SAML value to map to the corresponding Talend Administration Center object (Project Types, Roles, Email, First Name, Last Name).

      Example: /saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='tac.projectType']/saml2:AttributeValue/text()

    2. Set Use Role Mapping to false.

      In this case, you cannot create users manually, but the user type and the user roles can be edited in Talend Administration Center.

      When users log in for the first time, their type is No Project Access.

    The default login timeout is set to 120 seconds, which you can change by adding the sso.config.clientLoginTimeout parameter with the desired timeout to the <ApplicationPath>/WEB-INF/classes/configuration.properties file.

Results

You are able to log in to Talend Administration Center through your Identity Provider.

Logging in to Talend Administration Center via AD FS

Procedure

After the configuration is finished, log in to Talend Administration Center through the AD FS SSO URL.
https://<host>/adfs/ls/idpinitiatedsignon