Configuring the SAML server - Cloud

Talend Cloud Data Catalog Administration Guide


Configure the SAML server to enable authentication against an external authentication server using the SAML 2.0 protocol.

Before you begin

  • As an administrator, you have configured the Talend Cloud Data Catalog application in your identity provider system.
  • As an administrator, you have set up the users and the user attributes of your application in your identity provider system.
  • You have signed in as a user assigned to the Administrators or Security Administrators group.

Procedure

  1. Go to MANAGE > Users.
  2. In the Authentication field of the toolbar, select SAML from the drop-down list.
  3. Click the Configure authentication icon next to the drop-down list.
  4. In the Connection tab, fill in the required information to link Talend Cloud Data Catalog to your identity provider.
    Field: IdP Entity ID
    Action: Enter the unique name for your identity provider.

    Field: X509 Certificate
    Action: Enter the public X509 certificate of your identity provider, which allows Talend Cloud Data Catalog to verify the signatures and establish trust in the exchanged messages.

    Field: SSO HTTP-POST Binding URI
    Action: Enter the HTTP-POST Binding URI, such as https://idp.example.org/SAML2/SSO/POST.

    The identity provider returns the SAML response to a Talend Cloud Data Catalog assertion consumer service using the HTTP-POST Binding.

    Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML assertion received by Talend Cloud Data Catalog can be signed but not encrypted.

    To validate the signature, Talend Cloud Data Catalog only needs the identity provider's public key. The assertion must be signed so that Talend Cloud Data Catalog can verify that its contents have not been altered in transit.

    Field: SSO HTTP-Redirect Binding URI
    Action: Enter the HTTP-Redirect Binding URI, such as https://idp.example.org/SAML2/SSO/Redirect.

    Talend Cloud Data Catalog sends a SAML authentication request to the identity provider SSO service using the HTTP-Redirect Binding.

    Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML authentication request sent by Talend Cloud Data Catalog is neither signed nor encrypted. Since the request usually does not contain much private data, there is little need to encrypt it.
  5. In the Attribute Mappings tab, map the attributes from the external user account to the Talend Cloud Data Catalog user attributes, such as Login, Full Name, Email or Groups.
    To enable the automatic group assignment, you can fill in the Groups attribute with the corresponding field name in the user account information. Talend Cloud Data Catalog uses the value of this field as the security group assignment.
  6. In the Group Mappings tab, map the group attribute from the external user account to the Talend Cloud Data Catalog group name.
    Completing this mapping switches all SAML users from native group assignment to SAML-driven group assignment. Each SAML user loses the previous native group assignment the next time they log in.
  7. Save your changes.
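The checks implied by the Connection tab (step 4) and the behaviour of the Attribute Mappings and Group Mappings tabs (steps 5 and 6), shown end to end in a Python example added here. This is not Talend code and does not reflect how the product is implemented internally: it encodes an authentication request for the SSO HTTP-Redirect Binding, then processes a constructed SAML response, rejecting it unless the assertion names the configured IdP Entity ID as issuer, carries a signature that references the configured X509 certificate, is inside its validity window and is addressed to this service provider, and only then applies the attribute and group mappings. All endpoints, the certificate string, the service provider entity ID and ACS URL, the IdP attribute names and the IdP group values are constructed placeholders, and the cryptographic verification of the XML signature, which an XML security library performs in a real deployment, is represented only by the certificate comparison.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the Connection tab fields (hypothetical endpoints and certificate).
CONFIG = {
    "idp_entity_id": "https://idp.example.org/saml/metadata",
    "idp_x509_certificate": "MIIC-CONSTRUCTED-IDP-CERT",
    "sso_redirect_uri": "https://idp.example.org/SAML2/SSO/Redirect",
    "sp_entity_id": "https://catalog.example.com/saml/metadata",  # hypothetical catalog entity ID
    "acs_url": "https://catalog.example.com/saml/acs",            # hypothetical assertion consumer service
}
# Attribute Mappings tab: catalog attribute -> IdP attribute that carries it (constructed names).
ATTRIBUTE_MAPPINGS = {"Login": "uid", "Full Name": "displayName", "Email": "mail", "Groups": "memberOf"}
# Group Mappings tab: IdP group value -> catalog group name (constructed IdP values).
GROUP_MAPPINGS = {"catalog-admins": "Administrators", "catalog-secadmins": "Security Administrators"}


def build_redirect_url(config, request_id, issue_instant):
    """HTTP-Redirect binding: the AuthnRequest is DEFLATEd, base64-encoded and URL-encoded into
    the SAMLRequest query parameter of the SSO HTTP-Redirect Binding URI (unsigned, as the note says)."""
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" AssertionConsumerServiceURL="{config["acs_url"]}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{config["sp_entity_id"]}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f'{config["sso_redirect_uri"]}?{query}'


def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the encoding and return the AuthnRequest XML."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()


def parse_saml_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def process_response(response_xml, config, attribute_mappings, group_mappings, now):
    """Check the assertion against the Connection tab settings, then apply the attribute and
    group mappings. Returns the catalog user attributes, or raises ValueError to reject."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_entity_id"]:
        raise ValueError("assertion issuer is not the configured IdP Entity ID")
    # The assertion must be signed. A real service provider verifies the XML-DSig with an XML
    # security library; this stand-in only requires a signature that names the configured IdP
    # certificate, so an unsigned assertion or one signed under another key is rejected.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        raise ValueError("assertion is not signed")
    if signature.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip() != config["idp_x509_certificate"]:
        raise ValueError("assertion is not signed with the configured IdP certificate")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    if not parse_saml_time(conditions.get("NotBefore")) <= now < parse_saml_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise ValueError("assertion was issued for another service provider")
    idp_attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                 for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = {}
    for catalog_attr, idp_name in attribute_mappings.items():
        values = idp_attrs.get(idp_name, [])
        if catalog_attr == "Groups":
            # SAML-driven assignment: only mapped IdP groups are granted; other values are dropped.
            user[catalog_attr] = sorted({group_mappings[v] for v in values if v in group_mappings})
        else:
            user[catalog_attr] = values[0] if values else None
    if not user.get("Login"):
        raise ValueError("assertion lacks the attribute mapped to Login")
    return user


# Constructed SAML response for the demo; the Signature element is a placeholder, not a real one.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Version="2.0">
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-CONSTRUCTED-IDP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://catalog.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>catalog-admins</saml:AttributeValue><saml:AttributeValue>hr-staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running `process_response(SAMPLE_RESPONSE, CONFIG, ATTRIBUTE_MAPPINGS, GROUP_MAPPINGS, parse_saml_time("2024-01-01T10:02:00Z"))` yields the Login, Full Name and Email values and the single catalog group Administrators: the unmapped `hr-staff` value grants nothing, which is the SAML-driven assignment described in step 6. Each `ValueError` is a rejection a service provider should log, since an assertion with the wrong issuer, no signature, a foreign certificate, an expired window or another audience is exactly what a misconfigured or hostile exchange looks like.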

Results

You can log in to Talend Cloud Data Catalog through your identity provider.