Enabling SSO - 7.3

Talend Administration Center User Guide

Talend Big Data
Talend Big Data Platform
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Talend Administration Center
Administration and Monitoring
Last publication date

About this task

You have the possibility to enable unified sign-on and authentication (SSO) to access Talend Administration Center through different Identity Provider systems (IdP) and to manage the roles and project types of the application users via the IdPs.

Note: For more information on IdPs configuration, see SSO guides.


  1. On the Configuration page, expand the SSO node.
  2. If SSO has not been enabled yet, select true in the Use SSO Login field.
    Note: If Personal Access Token is enabled, when SSO is enabled or disabled, all users' Personal Access Token will be reset. For more information, see Setting up the Security Policy.
  3. Click Launch Upload in the IDP metadata field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.
  4. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP), for example, http://localhost:8080/org.talend.administrator/ssologin.
  5. In the IDP Authentication Plugin list, select the Identity Provider from Okta, ADFS, ADFS3, ADFS4,PingFederate, SiteMinder and Custom plugin. If Custom plugin is selected, a Upload IDP Authentication Plugin dialog box will be shown prompting you to upload the custom Identity Provider metadata file. If you have enabled Personal Access Token, you can use the Personal Access Token instead and skip the IDP Authentication Plugin configuration.
    The jar files provided by Talend are located in the <TomcatPath>/webapps/org.talend.administrator/idp/plugins directory.
    Note: If you are using Custom plugin for SSO, you need to modify the <TomcatPath>\conf\server.xml file by changing the value of autodeploy to false in the following code block. Otherwise the custom IDP plugin will be deleted on Tomcat restart.
    <Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true">
  6. Click Identity Provider Configuration and fill out the required information.


    A sample PingFederate configuration:


    A sample Okta configuration:
  7. Set the Use Role Mapping field to true to map the application project types and the user roles with those defined in the Identity Provider system.
    Once you have defined project types/roles at the Identity Provider side, you will not be able to edit them from Talend Administration Center.
    Examples for project types:
    Examples for roles:
    • Talend Administration Center Roles
      • Administrator = tac_admin
      • Operation Manager = tac_om
      Note: Setting the Talend Administration Center roles is mandatory.
    • Talend Data Preparation Roles
      • Administrator = dp_admin
      • Data Preparator = dp_dp
    • Talend Data Stewardship Roles
      • Data Steward = tds_ds
    Role Mappings attributes: in case of a security identifiers list, you need to change the default value for SAML attribute name (tac.role) to tokenGroups.
    If your organization does not accept custom attributes in the SAML token, either:
    • Select Show Advanced Configuration in the wizard and, in Path to Value, enter the XPath expression to target the SAML value to map to the corresponding Talend Administration Center object (Project Types, Roles, Email, First Name, Last Name).

      Example: /saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='tac.projectType']/saml2:AttributeValue/text()

    • Set Use Role Mapping to false.

      In this case, you cannot create users manually, but the user type and the user roles can be edited in Talend Administration Center.

      When users log in for the first time, their type is No Project Access.

    The project types and roles set in the Identity Provider override the roles set in Talend Administration Center at user login.
    The default login timeout is set to 120 seconds, which you can change by adding the parameter sso.config.clientLoginTimeout with the desired timeout in the <ApplicationPath>/WEB-INF/classes/configuration.properties file.
  8. In the Redirect URL on Logout field, enter the the URL of IDP you want to redirect browser to on logout from Talend Administration Center.
    If this field is empty, you will be redirected to the default location of Talend Administration Center on logout.