Configuring Talend Administration Center SSO with PingFederate - 7.2

Version: 7.2
Language: English (United States)
Product: Talend Big Data, Talend Big Data Platform, Talend Cloud, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Module: Talend Administration Center

PingFederate Overview

This document describes how to configure PingFederate to provide secure outbound and inbound single sign-on (SSO) to Talend Administration Center.

PingFederate provides browser-based SSO to enable secure identity information exchange across domains. It extends employee, customer, and partner identities without passwords, using only standard identity protocols such as SAML 2.0.

Note that SSO is only supported for Talend Administration Center. Talend Studio itself does not support SSO, although it works by passing credentials through Talend Administration Center. Talend only supports the HTTP Basic and HTML Form adapters. Other adapters are not supported.

For more information on system requirements and getting started with PingFederate, refer to the PingFederate documentation.

Creating Certificates in PingFederate

Before you begin

You must have an administrator PingFederate account configured.

Procedure

  1. Go to the Security tab.
  2. Under Certificate & Key Management, click SSL Server Certificates.
  3. Click Create New.
  4. On the Create Certificate tab, enter the required information and click Next.
    The Common name is the host name.
  5. Verify the information on the Summary tab and make the certificate active, then click Done.

Exporting certificates to Talend Administration Center

Procedure

  1. On the Certificate Management tab, click Activate for Runtime Server then Activate for Admin Console.
  2. Click Export to download the certificate.
  3. On the Export Certificate tab, select Certificate Only and click Next.
  4. Verify the information on the Export & Summary tab, then click Export.
    Add the certificate to the Talend Administration Center server's Java keystore.
  5. After clicking Done, you are directed back to the Certificate Management tab.
  6. Click Save.

Importing a Certificate for Signing

Procedure

  1. Go to the Security tab.
  2. Under Certificate & Key Management, click SSL Server Certificates.
  3. Click Import.
  4. On the SSL Server Certificates | Import Certificate page, upload your certificate and enter your password, then click Next.
  5. Verify the information on the Summary tab, then click Save.
    You are directed back to the Security page.

Creating a Credential Validator

Procedure

  1. Go to the System tab.
  2. Under External Systems, click Password Credential Validators.
  3. Click Create New Instance.
  4. Fill in the required information on the Type tab, then click Next.

    In the TYPE field, select Simple Username Password Credential Validator.

  5. On the Instance Configuration tab, click Add a new row to 'Users'.
    Fill in the required information, then click Update and Next.
  6. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage Credential Validator Instances page.
  7. Click Save.

Creating Adapters

Note that Talend only supports the HTTP Basic and HTML Form adapters. Other adapters are not supported.

Procedure

  1. Go to the Identity Provider tab.
  2. Under Application Integration, click Adapters.
  3. Click Create New Instance and create the adapters you need as detailed below.
  4. Click Save.

Creating a HTML Form IdP Adapter

Procedure

  1. Navigate to the Type tab on the Manage IdP Adapter Instance | Create Adapter Instance page.
  2. Fill in the required information (Instance Name and Instance ID) and select the HTML Form IdP Adapter as Type, then click Next.
  3. On the IdP Adapter tab, click Add a new row to 'Credential Validators' and select the validator created in Creating a Credential Validator.
  4. Click Update, then Next.
  5. On the Extended Contract tab, click Next.
  6. On the Adapter Attributes tab, select the Pseudonym value, then click Next.
  7. On the Adapter Contract Mapping tab, click Next.
  8. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage IdP Adapter Instances page.

Creating a HTTP Basic IdP Adapter

Procedure

  1. Navigate to the Type tab on the Manage IdP Adapter Instance | Create Adapter Instance page.
  2. Fill in the required information (Instance Name and Instance ID) and select the HTTP Basic IdP Adapter as Type, then click Next.
  3. On the IdP Adapter tab, click Add a new row to 'Credential Validators' and select the validator created in Creating a Credential Validator.
  4. Click Update, then Next.
  5. On the Extended Contract tab, click Next.
  6. On the Adapter Attributes tab, select the Pseudonym value, then click Next.
  7. On the Adapter Contract Mapping tab, click Next.
  8. Verify the information on the Summary tab, then click Done.
    You are directed back to the Manage IdP Adapter Instances page. You must create an HTML Form IdP Adapter as well. For instructions, see Creating a HTML Form IdP Adapter.

Creating SP Connections

Procedure

  1. Go to the Identity Provider tab.
  2. Under SP Connections, click Create New.
  3. On the Connection Type tab, leave the default connection template selected and click Next.
  4. On the Connection Options tab, leave the default option and click Next.
  5. On the Import Metadata tab, select None and click Next.
  6. On the General Info tab, fill in the Partner's Entity ID, Connection Name, and Base URL fields, then click Next.
  7. On the Browser SSO tab, click Configure Browser SSO and configure the SSO.
    For instructions, see Configuring Browser SSO.
  8. After configuring the browser SSO, click Next.
  9. On the Credentials tab, click Configure Credentials and configure the credentials.
    For instructions, see the dedicated section.
  10. After configuring the credentials, click Next.
  11. On the Activation & Summary tab, select Active in the Connection Status field.
    Take note of the SSO Application Endpoint address.
  12. Verify the rest of the information, then click Save.

Configuring Browser SSO

Procedure

  1. On the SP Connection | Browser SSO page, navigate to the SAML Profiles tab.
  2. Select IDP-INITIATED SSO under Single Sign-On (SSO) Profiles and click Next.
  3. On the Assertion Lifetime tab, leave the default values in the Minutes Before and Minutes After fields and click Next.
  4. On the Assertion Creation tab, click Configure Assertion Creation.
    Configure the assertion as detailed in Configuring Assertions.
  5. After configuring the assertions, click Next.
  6. On the Protocol Settings tab, click Configure Protocol Settings.
    Configure the protocol as detailed in the dedicated section.
  7. After configuring the protocol settings, click Next.
  8. Verify the information on the Summary tab, then click Done.
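
The following added example (not part of the Talend or PingFederate documentation) checks a captured test assertion against the settings chosen in this guide: the validity window produced by the Assertion Lifetime fields, the emailAddress subject format selected under Configuring Assertions, the Partner's Entity ID as audience, and the absence of InResponseTo for IdP-initiated SSO. The sample assertion, entity ID, URL and function names are constructed placeholders, and signature verification is assumed to be done by the SAML library before any field is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (unsigned, trimmed); entity ID, URL and user are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://tac.example.com/sso"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>tac-sp-entity-id</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC in the form 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_audience, now):
    """Return a list of findings; an empty list means every checked field matches."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("Conditions validity window missing")
    elif not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append("outside NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append("audience does not match Partner's Entity ID")
    # An unsolicited (IdP-initiated) response must not reference a request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("InResponseTo"):
        findings.append("InResponseTo present on an IdP-initiated assertion")
    return findings
```

A finding about the validity window on an otherwise correct assertion usually points to clock drift between the PingFederate host and the Talend Administration Center server.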

Configuring Assertions

Procedure

  1. On the SP Connection | Browser SSO | Assertion Creation page, navigate to the Identity Mapping tab.
  2. Select Standard identity mapping and click Next.
  3. On the Attribute Contract tab, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress as the subject name format from the SAML_Subject drop-down list.
  4. Define the attributes for role mapping, then click Next.