Configuring Azure AD Single Sign-On - Cloud

Talend Cloud Single Sign-On (SSO) Configuration Guide

Version
Cloud
Language
English
Product
Talend Cloud
Module
Talend Management Console
Content
Administration and Monitoring > Managing users
Last publication date
2024-03-05

Procedure

  1. Go to the All applications view of Azure Active Directory on the Azure portal and select the application created earlier for Talend Management Console.
  2. Select Single sign-on.
    Single sign-on option.
  3. On the Select a single sign-on method dialog box, select SAML.
    Select a single sign-on method dialog box.
  4. On the Set up Single Sign-On with SAML page, click the Edit icon in the Basic SAML Configuration section.
    Set up Single Sign-On with SAML page.
  5. In the Basic SAML Configuration section, specify an Identifier and a Reply URL, and select the Default check box next to the Identifier so that the Talend Cloud SSO URL is used as the default value.
    • Identifier (Entity ID): Talend Cloud SSO URL. For example:
      • AWS: https://iam.us.cloud.talend.com/oidc/ssologin
      • Azure: https://iam.us-west.cloud.talend.com/oidc/ssologin
      This identifier must be unique within your Azure AD directory: Azure AD does not accept two enterprise applications with the same Identifier.
      When setting up SSO for several Talend Cloud accounts (tenants) in Talend Management Console, append each account ID to the URL so that every account gets its own entity ID. For example, the entity ID for the AWS US region becomes https://iam.us.cloud.talend.com/oidc/ssologin/<your_account_ID>. Repeat the SSO setup individually for each tenant with its own account ID. This lets the tenants share a single SSO authentication flow.
      Note: This federation applies to SSO authentication only. Talend Management Console objects such as environments and workspaces remain specific to each tenant and cannot be shared across tenants.

      You can find the account ID on the Subscription page of your Talend Management Console.

    • Reply URL (Assertion Consumer Service URL): Talend Cloud SSO URL. For example:
      • AWS: https://iam.us.cloud.talend.com/oidc/ssologin
      • Azure: https://iam.us-west.cloud.talend.com/oidc/ssologin
      Azure AD posts the signed SAML response only to a registered Reply URL, so this value must match the Talend Cloud SSO URL of your region exactly.

    Leave the other fields empty.

  6. Click Save.
  7. Edit the User Attributes & Claims to include the attributes required in Talend Management Console.
    The User Attributes & Claims section contains the givenname, surname, emailaddress, TalendCloudDomainName, and Unique User Identifier attributes and their values.

    Talend Management Console requires the following attributes:

    • emailaddress: enter user.mail
    • givenname: enter user.givenname
    • surname: enter user.surname
    • TalendCloudDomainName: enter your Talend Cloud domain name within double quotation marks, for example "eval12345.talend.com":
      • If you have already logged in to Talend Cloud, the domain name is in the Domain field of the Subscription page of Talend Management Console.
      • Otherwise, three options are available to find your domain. For more details, see Find domains.
    • middlename: enter user.middlename
    If you need to set up SCIM provisioning to synchronize users, groups, and roles between your SSO provider and Talend Cloud, also define the CustomerRoles attribute and, in its value, separate roles with commas, for example Developer,Administrator.
    User Attributes & Claims page.
    Note: By default, Azure AD shows each claim name with a namespace URI. The Namespace field must be empty for the emailaddress, givenname, and surname claims, so that the SAML assertion carries exactly those attribute names.

    Click on each claim separately and clear the Namespace field:

    Manage claim view where you can empty the namespace field.
  8. On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section and download the Federation Metadata XML file.
    SAML Signing Certificate section.

    The downloaded metadata.xml file must specify a NameIDFormat. If it does not, add the following element inside the <IDPSSODescriptor> element of the file: <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

    Make no other changes to the file. It carries the Azure AD signing certificate that Talend Cloud uses to verify SAML assertions, so keep it intact and download it again whenever the certificate is rotated in Azure AD.

  9. Copy the URL in the Login URL field.
    You will need to provide this URL in Talend Management Console to enable SSO.
    Set up section.
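As an added worked example for steps 8 and 9 (this is not part of the guide and not Talend or Microsoft code), the following Python script checks a downloaded Federation Metadata XML file for the items Talend Cloud needs (the IdP entity ID, the Login URL, the signing certificate and the NameIDFormat) and inserts the emailAddress NameIDFormat into <IDPSSODescriptor> when it is missing. It uses only the Python standard library. The embedded SAMPLE_METADATA is constructed: its tenant GUID, certificate text and endpoint locations are placeholders in the shape Azure AD uses.

```python
"""Check the Federation Metadata XML downloaded in step 8 and add the
NameIDFormat element that Talend Cloud expects when Azure AD left it out.

Added example for the guide, not Talend or Microsoft code. SAMPLE_METADATA is
constructed: tenant GUID, certificate text and locations are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Keep the file's default-namespace layout when it is re-serialised.
ET.register_namespace("", MD)
ET.register_namespace("ds", DS)

# Constructed sample shaped like Azure AD metadata, without NameIDFormat.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIICexample
          CertPLACEHOLDER
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _idp(root):
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return idp


def inspect_metadata(xml_text):
    """Return the values Talend Cloud relies on from the IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = _idp(root)
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    certs = [
        "".join(c.text.split())
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        # This is the value the portal shows in the Login URL field (step 9).
        "login_url": sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST),
        "signing_certs": certs,
        "nameid_formats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def ensure_nameid_format(xml_text, fmt=EMAIL_NAMEID):
    """Return (xml, changed); adds <NameIDFormat> under IDPSSODescriptor if absent."""
    root = ET.fromstring(xml_text)
    idp = _idp(root)
    if any((n.text or "").strip() == fmt for n in idp.findall("md:NameIDFormat", NS)):
        return xml_text, False
    elem = ET.Element(f"{{{MD}}}NameIDFormat")
    elem.text = fmt
    # The metadata schema orders NameIDFormat before SingleSignOnService,
    # so insert it ahead of the first SingleSignOnService element.
    children = list(idp)
    pos = next((i for i, c in enumerate(children) if c.tag == f"{{{MD}}}SingleSignOnService"), len(children))
    idp.insert(pos, elem)
    return ET.tostring(root, encoding="unicode"), True


def idp_child_tags(xml_text):
    """Local names of the IDPSSODescriptor children, in document order."""
    return [c.tag.split("}")[-1] for c in _idp(ET.fromstring(xml_text))]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_metadata(text)
    print("Entity ID    :", info["entity_id"])
    print("Login URL    :", info["login_url"])
    print("Signing certs:", len(info["signing_certs"]))
    patched, changed = ensure_nameid_format(text)
    print("NameIDFormat :", "added" if changed else "already present")
    if changed and len(sys.argv) > 1:
        with open(sys.argv[1] + ".patched", "w", encoding="utf-8") as f:
            f.write(patched)
```

Run it as `python check_metadata.py metadata.xml`; it writes `metadata.xml.patched` only when the NameIDFormat had to be added, so an unmodified download stays byte-for-byte what Azure AD produced. Compare the printed Login URL with the one you copied in step 9, and treat an empty signing-certificate list as a reason not to upload the file.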

What to do next

Before you can validate the configured application, enable SSO in Talend Management Console using the Login URL you copied and the downloaded metadata file.