Configuring Talend Administration Center SSO with SiteMinder - 7.1

EnrichVersion
7.1
EnrichProdName
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
EnrichPlatform
Talend Administration Center
task
Administration and Monitoring > Managing authorizations

CA SiteMinder/Talend Administration Center SSO configuration Overview

Subscription

This article explains how to configure CA SiteMinder to implement Single-Sign On with Talend Administration Center.

CA SiteMinder Partnership Federation is used to construct a SAML 2.0 identity provider (IdP), in order to generate assertions for users.

These assertions are sent back to Talend Administration Center, where user settings and roles are assigned based on the SiteMinder configuration.
  1. The SSO process is initiated through a hard-coded link (e.g. http://host*/affwebservices/public/saml2sso?SPID=<SPEntityName>).
  2. This link redirects to the authentication page.
  3. If no user sessions exist, the user is redirected to the login page.
  4. When the user inputs valid credentials, there is a redirection to the assertion service (e.g. http://host1/affwebservices/public/saml2sso) and the assertions are generated.
  5. Assertions are formatted to an SAML 2.0 response in an auto-post form.
  6. Talend Administration Center gets SAML response when the form is submitted.
  7. Talend Administration Center retrieves attributes from the SAML 2.0 response, updates user attributes, processes role mapping.
  8. The user can then log in to Talend Administration Center.
1 is the host name or IP address of the server where Web Agent were installed.

Create User Directory Within CA SiteMinder

Subscription

SiteMinder IdP does not support multiple value attributes. User Role values should be separated by ",".

Procedure

  1. Navigate to Infrastructure > Directory > User Directories.
  2. In the Search results area, click Create User Directory.
  3. Set the User Directory configuration.
  4. Click Submit.

Results

Protect the Authentication URL

Subscription

Procedure

  1. Create the Agent configuration following the steps in the Agent Configuration Methods section from the SiteMinder documentation.
  2. Enable session creation following the steps in Protect the Authentication URL to Establish a Session.
  3. Select the User Directory created in Create User Directory.
  4. Select Basic as Authentication Scheme (default).
    Note: Talend Administration Center only supports basic authentication for the SiteMinder configuration. If you want to use form authentication, you need to use a custom plug-in.
  5. Ensure the Persistent Session check box is unselected.

Create Signing Certificate

Subscription

Procedure

  1. Log to the Administrative UI.
  2. Select Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys.
  3. Click Import New and follow the wizard.
    If you do not have a key/certificate pair, you can generate a self-signed certificate by clicking Request Certificate.

Create Local IdP Entity

Subscription

Procedure

  1. Navigate to Federation > Partnership Federation > Entities.
  2. Click Create Identity.
  3. Select the Entity type properties:
    • Entity Location - Local
    • New Entity Type - SAML2 IDP
  4. Click Next.
  5. Define the following properties for the Local IdP Entity:
    • Entity ID - samlIdp
    • Entity Name - samlIdp
    • Base URL - http://<identityProviderIPOrHost>:<port> (IP address of the server where SiteMinder is installed).
  6. Under Default Signature and Encryption Options, select the Signing Private Key Alias that you have created previously.
  7. Under Supported Name ID Formats and Attributes, select the Unspecified and Email Address check boxes.
  8. Click Next to confirm and to finalize the entity creation.

Create Remote SP Entity

Subscription

Procedure

  1. Navigate to Federation > Partnership Federation > Entities.
  2. Click Create Entity.
  3. Select the Entity type properties:
    • Entity Location - Remote
    • New Entity Type - SAML2 SP
  4. Click Next.
  5. Define the following properties for the Remote IdP Entity:
    • Entity ID - TACServiceProvider
    • Entity Name - TACServiceProvider
  6. Under Remote Assertion Consumer Service URLs, define:
    • Binding - HTTP-POST
    • URL - http://<TAC Host Url/IP>:<port>/<TAC>/ssologin (path to the Talend Administration Center SSO Servlet which authenticates users).
  7. Under Supported Name ID Formates and Attributes, select the Unspecified and Email Address check boxes.

Results

Create the Identity Provider / Service Provider Partnership

Subscription

This procedure involves several steps in SiteMinder. For ease of use, each step is referred to as the Step - Name of the Step.

Procedure

  1. Navigate to Federation > Partnership Federation > Partnerships.
  2. Click Create Partnership ("SAML2 IDP → SP").

Step - Configure partnership

Subscription

Procedure

  1. Define the following properties:
    • Partnership Name - <PartnershipName>
    • Local IDP - <SMIdPName> (Local Identity Provider created previously)
    • Remote SP - <TACSPName> (Remote Identity Provider created previously)
  2. Promote the user directory you have created from Available Directories to Selected Directories.
  3. Click Next.

Step - Federation Users

Subscription

Procedure

  1. Ensure User Class is set to All Users In Directory.
  2. Click Next.

Step - Assertion Configuration

Subscription

Procedure

  1. In the Name ID area, define the following properties:
    • Name ID format - *Email Address (format used by the IdP to send information to the Service Provider)
    • Name ID Type - User Attribute (value from the user attribute)
    • Value - <value> (defines the value attribute, based on the User Directory configuration)
  2. In the Assertion Attributes area, map the fields from the IdP (SAMLResponse) to the Service Provider:
    • Assertion attribute - tac.role
      • Retrieval Method - SSO
      • Format - Basic
      • Type - User Attribute
      • Value - tacRole
    • Assertion attribute - tac.projectType
      • Retrieval Method - SSO
      • Format - Basic
      • Type - User Attribute
      • Value - projectType

Results

Step - SSO and SLO

Subscription

Procedure

  1. In the Authentication, define the following properties:
    • Authentication Mode - Local
    • Authentication URL - http://<WAHostIP>/affwebservices/redirectjsp/redirect.jsp (URL to the redirect.jsp page on the AFF web service)
    • Configure AuthnContext - Use Predefined Authentication Class
    • Authentication Class - urn:oasis:names:tc:SAML:2.0:classes:Password (Authentication Context Class URL)
  2. In the SSO area, define the following properties:
    • Authentication Request Binding - HTTP-Redirect
    • SSO Binding - HTTP-POST
    • Transaction Allowed - Both IDP and SP initiated
  3. In the Remote Assertion Consumer Service URLs, define the following properties:
    • Index - 0
    • Binding - HTTP-POST
    • URL - http://<TACHost>:<port>/<TACApp>/ssologin (these values are the same as the ones defined from the SP entity configuration).

Results

Step - Signature and Encryption

Subscription

Procedure

Click Next (leave all default values).

Step - Confirm

Subscription

Procedure

Verify all settings and click Next.

Activate the Identity Provider / Service provider partnership

Subscription

Procedure

  1. Under the Actions column, click Action on the row corresponding to the partnership.
  2. Click Activate.

Test SSO login to Talend Administration Center

Subscription

Procedure

  1. Create a user on your LDAP server.
  2. Define the roles to be referenced in Talend Administration Center (e.g. tac_admin for administrators in Talend Administration Center, dp_dm for dataset managers in Talend Data Preparation) and project type (either DI, DQ, MDM or NPA - No project Access).
  3. Select the user.
  4. Double click the userPassword attribute.
  5. In the Verify Password field within the Password Editor window, input the user password.
  6. Click Bind: a popup window confirms the authentication is successful.
  7. Within your browser, open http://host1/affwebservices/public/saml2sso?SPID=<SPEntityName>.
  8. When prompted for credentials, input user uid/userPassword.
  9. Click Sign In. You are successfully logged into Talend Administration Center.
  10. Check user attributes and roles are set as expected.

Results

From this point, you are able to log onto Talend Administration Center using the SSO settings configured with SiteMinder.

For instructions on configuring SSO on Talend Administration Center, refer to the Accessing the Administration Center/Using SSO to log in to Talend Administration Center section of the Talend Administration Center User Guide.

1 is the host name or IP address of the server where Web Agent were installed.