Configuring Talend Administration Center SSO with PingFederate - 7.2

EnrichVersion
7.2
EnrichProdName
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
EnrichPlatform
Talend Administration Center
task
Administration and Monitoring > Managing authorizations

PingFederate Overview

Subscription

This document introduces how to configure PingFederate to enable secure outbound and inbound solutions for single sign-on (SSO) to Talend Administration Center.

PingFederate provides browser-based SSO to enable secure identity information exchange across domains. It extends employee, customer, and partner identities without passwords, using only standard identity protocols such as SAML 2.0.

Note that SSO is only supported for Talend Administration Center. Talend Studio itself does not support SSO, although it works by passing credentials through Talend Administration Center. Talend only supports the HTTP Basic and HTML Form adapters. Other adapters are not supported.

For more information on system requirements and getting started with PingFederate, refer to the PingFederate documentation.

Creating Certificates in PingFederate

Subscription

Before you begin

You must have an administrator PingFederate account configured.

Procedure

  1. Go to the Security tab.
  2. Under Certificate & Key Management, click SSL Server Certificates.
  3. Click Create New.
  4. On the Create Certificate tab, enter the required information and click Next.
    The Common name is the host name.
  5. Verify the information on the Summary tab and make the certificate active, then click Done.

Exporting certificates to Talend Administration Center

About this task

Procedure

  1. On the Certificate Management tab, click Activate for Runtime Server then Activate for Admin Console.
  2. Click Export to download the certificate.
  3. On the Export Certificate tab, select Certificate Only and click Next.
  4. Verify the information on the Export & Summary tab, then click Export.
    Add the certificate to the Talend Administration Center server's Java keystore.
  5. After clicking Done, you are directed back to the Certificate Management tab.
  6. Click Save.

Importing a Certificate for Signing

Subscription

Procedure

  1. Go to the Security tab.
  2. Under Certificate & Key Management, click SSL Server Certificates.
  3. Click Import.
  4. On the SSL Server Certificates | Import Certificate page, upload your certificate and enter your password, then click Next.
  5. Verify the information on the Summary tab, then click Save.
    You are directed back to the Security page.

Creating a Credential Validator

Subscription

Procedure

  1. Go to the System tab.
  2. Under External Systems, click Password Credential Validators.
  3. Click Create New Instance.
  4. Fill in the required information on the Type tab, then click Next.

    In the TYPE field, select Simple Username Password Credential Validator.

  5. On the Instance Configuration tab, click Add a new row to 'Users'.
    Fill in the required information, then click Update and Next.
  6. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage Credential Validator Instances page.
  7. Click Save.

Creating Adapters

Subscription
Note that Talend only supports the HTTP Basic and HTML Form adapters. Other adapters are not supported.

Procedure

  1. Go to the Identity Provider tab.
  2. Under Application Integration, click Adapters.
  3. Click Create New Instance and create the adapters you need as detailed below.
  4. Click Save.

Creating a HTML Form IdP Adapter

Subscription

Procedure

  1. Navigate to the Type tab on the Manage IdP Adapter Instance | Create Adapter Instance page.
  2. Fill in the required information (Instance Name and Instance ID) and select the HTML Form IdP Adapter as Type, then click Next.
  3. On the IdP Adapter tab, click Add a new row to 'Credential Validators' and select the validator created in Creating a Credential Validator.
  4. Click Update, then Next.
  5. On the Extended Contract tab, click Next.
  6. On the Adapter Attributes tab, select the Pseudonym value, then click Next.
  7. On the Adapter Contract Mapping tab, click Next.
  8. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage IdP Adapter Instances page.

Creating a HTTP Basic IdP Adapter

Subscription

Procedure

  1. Navigate to the Type tab on the Manage IdP Adapter Instance | Create Adapter Instance page.
  2. Fill in the required information (Instance Name and Instance ID) and select the HTTP Basic IdP Adapter as Type, then click Next.
  3. On the IdP Adapter tab, click Add a new row to 'Credential Validators' and select the validator created in Creating a Credential Validator.
  4. Click Update, then Next.
  5. On the Extended Contract tab, click Next.
  6. On the Adapter Attributes tab, select the Pseudonym value, then click Next.
  7. On the Adapter Contract Mapping tab, click Next.
  8. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage IdP Adapter Instances page. You must create an HTML Form IdP Adapter as well. For instructions, see Creating a HTML Form IdP Adapter.

Creating SP Connections

Subscription

Procedure

  1. Go to the Identity Provider tab.
  2. Under SP Connections, click Create New.
  3. On the Connection Type tab, leave the default connection template selected and click Next.
  4. On the Connection Options tab, leave the default option and click Next.
  5. On the Import Metadata tab, select None and click Next.
  6. On the General Info tab, fill in the Partner's Entity ID, Connection Name, and Base URL fields, then click Next.
  7. On the Browser SSO tab, click Configure Browser SSO and configure the SSO.
    For instructions, see the dedicated section.
  8. After configuring the browser SSO, click Next.
  9. On the Credentials tab, click Configure Credentials and configure the credentials.
    For instructions, see the dedicated section.
  10. After configuring the credentials SSO, click Next.
  11. On the Activation & Summary tab, select Active in the Connection Status field.
    Take note of the SSO Application Endpoint address.
  12. Verify the rest of the information, then click Save.

Configuring Browser SSO

Subscription

Procedure

  1. On the SP Connection | Browser SSO page, navigate to the SAML Profiles tab.
  2. Select IDP-INITIATED SSO under Single Sign-On (SSO) Profiles and click Next.
  3. On the Assertion Lifetime tab, leave the default values in the Minutes Before and Minutes After fields and click Next.
  4. On the Assertion Creation tab, click Configure Assertion Creation.
    Configure the assertion as detailed in the dedicated section.
  5. After configuring the assertions, click Next.
  6. On the Protocol Settings tab, click Configure Protocol Settings.
    Configure the protocol as detailed in the dedicated section.
  7. After configuring the protocol settings, click Next.
  8. Verify the information on the Summary tab, then click Done.

Configuring Assertions

Subscription

Procedure

  1. On the SP Connection | Browser SSO | Assertion Creation page, navigate to the Identity Mapping tab.
  2. Select Standard identity mapping and click Next.
  3. On the Attribute Contract tab, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress as the subject name format from the SAML_Subject drop-down list.
  4. Define the attributes for role mapping, then click Next.
  5. On the Authentication Source Mapping tab, click Map New Adapter Instance.
    Map the new adapter instances as described below.
  6. After the mapping is configured, click Next.
  7. Verify the information on the Summary tab, then click Done.

Mapping HTML Form IdP Adapter Instance

Subscription

Procedure

  1. On the SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping page, navigate to the Adapter Instance tab.
  2. From the Adapter Instance drop-down list, select the HTML Form IdP Adapter created previously and click Next.
  3. On the Mapping Method tab, select Use only the adapter contract values in the SAML assertion option and click Next.
  4. On the Attribute Contract Fulfillment tab, select Adapter from the Source, and username from the Value drop-down list.
  5. Select Text from the drop-down lists of the attributes and provide their values.
  6. Click Next.
  7. On the Issuance Criteria tab, leave the fields empty and click Next.
  8. Verify the information on the Summary tab, then click Done.

    The HTML Form IdP Adapter is configured. You are directed back to the Assertion Creation page.

Mapping HTTP Basic IdP Adapter Instance

Subscription

Procedure

  1. On the SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping page, navigate to the Adapter Instance tab.
  2. From the Adapter Instance drop-down list, select the HTML Form IdP Adapter created previously and click Next.
  3. On the Mapping Method tab, select Use only the adapter contract values in the SAML assertion option and click Next.
  4. On the Attribute Contract Fulfillment tab, select Adapter from the Source, and username from the Value drop-down list.
  5. Select Text from the drop-down lists of the attributes and provide their values.
  6. Click Next.
  7. On the Issuance Criteria tab, leave the fields empty and click Next.
  8. Verify the information on the Summary tab, then click Done.

    The HTTP Basic IdP Adapter is configured. You are directed back to the Assertion Creation page.

What to do next

You must map the HTML Form IdP Adapter as well. For instruction, see Mapping HTML Form IdP Adapter Instance.

If the HTML Form IdP Adapter instance is already mapped, continue the procedure in Configuring Assertions.

Configuring Protocol Settings

Subscription

Procedure

  1. On the SP Connection | Browser SSO | Protocol Settings page, navigate to the Assertion Consumer Service URL tab.
  2. Tick the Default check box.
  3. From the Binding drop-down list, select POST.
  4. In the Endpoint URL field, enter the Talend Administration Center SSO address. This URL should read like https://iam.<env>.cloud.talend.com/oidc/ssologin, where <env> is the name of your Cloud region, for example:
  5. Click Add, then Next.
  6. On the Signature Policy tab, leave the check box empty and click Next.
  7. On the Encryption Policy tab, leave the default option selected (None) and click Next.
  8. Verify the information on the Summary tab, then click Done.

Configuring Credentials

Subscription

Procedure

  1. On the SP Connection | Credentials page, navigate to the Digital Signature Settings tab.
  2. From the Signing Certificate drop-down list, select the certificate imported in Importing a Certificate for Signing.
  3. Tick the Include the certificate in the signature <keyinfo> element. check box.
  4. Tick the Include the raw key in the signature <keyvalue> element. check box, then click Next.
  5. Verify the information on the Summary tab, then click Done.

Exporting Metadata

Subscription

Procedure

  1. Go to the System tab.
  2. Under METADATA, click Metadata Export.
  3. On the Metadata Mode tab, leave the default selection and click Next.
  4. On the Connection Metadata tab, select the connection created in Creating SP Connections and click Next.
  5. From the Signing Certificate drop-down list, select the certificate imported in Importing a Certificate for Signing.
  6. Tick the Include the certificate in the signature <keyinfo> element. check box.
  7. Tick the Include the raw key in the signature <keyvalue> element. check box, then click Next.
  8. Verify the information on the Export & Summary tab, then click Export.
  9. Save the exported metadata file, then click Done.

Linking Talend Administration Center to an Identity Provider

Subscription

Procedure

  1. Log in to Talend Administration Center.
  2. From the Configuration page, expand the SSO node.
  3. If SSO has not been enabled yet, select true in the Use SSO Login field.
  4. Click Launch Upload in the IDP metadata field and upload the Identity Provider (IdP) metadata file you have previously downloaded from your Identity Provider system.
  5. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP).
    For example, http://<host>:<port>/org.talend.administrator/ssologin in Okta and ADFS, or <Connection ID> in PingFederate.
  6. Click Launch Upload in the IDP Authentication Plugin field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

    The jar files provided by Talend are located in the <TomcatPath>/webapps/org.talend.administrator/idp/plugins directory.

    It is possible to rewrite the authentication code if necessary.

    The Identity Provider System field changes automatically depending on your Identity Provider system.

  7. Click Identity Provider Configuration and fill out the required information.
    PingFederate
    • PingFederate SSO URL: https://win-350n8gtg2af:9031/idp/startSSO.ping?PartnerSpld=TAC701
    • Basic Adapter Instance ID: BasicAdapter
    Okta
    • Okta Organization URL: https://dev-515956.oktapreview.com
    • Okta Embedded Url: https://dev-515956.oktapreview.com/home/ talenddev515956_talendadministrationcenter_1/0oacvlcac5j52hFhP0h7/ alncvlmpk1VXbYAGu0h7

    AD FS 2

    • Adfs SSO Url: https://<host>/adfs/ls
    • Adfs Basic Auth Path: auth/basic
    • Adfs SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    AD FS 3
    • Adfs 3 SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    • Adfs 2 SSO Url: https://<host>/adfs/ls
  8. Set the Use Role Mapping field to true to map the application project types and the user roles with those defined in the Identity Provider system.
    Once you have defined project types/roles at the Identity Provider side, you cannot to edit them from Talend Administration Center.
  9. Click Mapping Configuration and fill in the role/project type fields with the corresponding SAML attributes previously set in the Identity Provider system.
    Project type examples:
    • MDM = MDM
    • DI = DI
    • DM = DM
    • NPA = NPA

    Role examples:

    • Talend Administration Center roles
      • Administrator = tac_admin
      • Operation Manager = tac_om

      Setting the Talend Administration Center roles is mandatory.

    • Talend Data Preparation roles
      • Administrator = dp_admin
      • Data Preparator = dp_dp
    • Talend Data Stewardship roles
      • Data Steward = tds_ds

    The project types and roles set in the Identity Provider will override the roles set in Talend Administration Center.

    The project types and roles set in the Identity Provider override the roles set in Talend Administration Center at user login.

    If your organization does not accept custom attributes in the SAML token, either:

    1. Select Show Advanced Configuration in the wizard and, in Path to Value, enter the XPath expression to target the SAML value to map to the corresponding