Configuring Talend Administration Center SSO with AD FS 3.0/4.0 - 7.3

Version
7.3
Language
English (United States)
Product
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Module
Talend Administration Center
Content
Administration and Monitoring > Managing authorizations

AD FS 3.0/4.0 Overview

Active Directory Federation Services (AD FS) enables decentralized identity sharing between business partners by implementing the WS-Federation protocol and standards such as WS-Trust and Security Assertion Markup Language (SAML). AD FS is used to generate assertions for users. These assertions are sent back to Talend Administration Center, where the user settings and roles are assigned based on the AD FS configuration.

You can configure AD FS 3.0 on Windows Server 2012 R2, or AD FS 4.0 on Windows Server 2016 to enable secure identity management and single sign-on (SSO) access to Talend Administration Center.

For more information on system requirements and getting started with AD FS, refer to the AD FS documentation.

Installing and Configuring AD FS 3.0/4.0

AD FS 3.0

Installing AD FS 3.0

AD FS 3.0 runs on Windows Server 2012 R2.

Before you begin

Talend Administration Center must be configured with HTTPS. For more information, see How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center.

Procedure

  1. Open Server Manager.
  2. Click Manage > Add Roles and Features.
  3. In the Add Roles and Features Wizard window, configure the installation based on your requirements.
  4. Install Active Directory Federation Services.

Configuring AD FS 3.0

Procedure

  1. In the Server Manager, click Tools > AD FS Management.
  2. Right-click Trust Relationships > Relying Party Trusts, and select Add Relying Party Trust....
  3. Click Start.
  4. Select Enter data about the relying party manually, then click Next.
  5. Enter a display name and click Next.
  6. Select AD FS profile and click Next.
  7. Click Next.
  8. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box.
  9. Enter the single sign-on service URL in the Relying party SAML 2.0 SSO Service URL field.
    For example, https://localhost:8080/org.talend.administrator/ssologin or https://iam.us.cloud.talend.com/oidc/ssologin.
  10. On the Configure Identifiers page, enter the same service URL as in step 9, then click Add and Next.
  11. Choose whether to configure multi-factor authentication settings.
  12. Leave the Permit all users to access this relying party option selected and click Next.

    You may change the issuance authorization rules later.

  13. Click Next, then Close.

    Leave the following check box selected: Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.
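
The relying party trust built by the wizard steps above can also be created from PowerShell on the AD FS 3.0 server. The script below is an added example, not part of the Talend documentation; the display name is a placeholder, and the service URL is the example value from step 9.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard steps.
# Run in an elevated PowerShell session on the AD FS 3.0 server.
Import-Module ADFS

# Assumptions: placeholder display name; URL is the example value from step 9.
$displayName = 'Talend Administration Center'
$ssoUrl      = 'https://localhost:8080/org.talend.administrator/ssologin'

# Talend Administration Center must be configured with HTTPS; reject anything else
# so that assertions are never posted to a cleartext endpoint.
if (([uri]$ssoUrl).Scheme -ne 'https') {
    throw "SSO service URL must use HTTPS: $ssoUrl"
}

# Steps 8-9: SAML 2.0 WebSSO support is an assertion consumer endpoint (POST binding).
$endpoint = New-AdfsSamlEndpoint -Binding 'POST' `
                                 -Protocol 'SAMLAssertionConsumer' `
                                 -Uri $ssoUrl

# Step 12: "Permit all users to access this relying party" as an authorization rule.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 5 and 10: display name, and the identifier set to the same service URL.
Add-AdfsRelyingPartyTrust -Name $displayName `
                          -Identifier $ssoUrl `
                          -SamlEndpoint $endpoint `
                          -IssuanceAuthorizationRules $permitAll

# Check the result: the identifier must match the SSO service URL exactly.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Format-List Name, Enabled, Identifier, IssuanceAuthorizationRules
$rp.SamlEndpoints | Format-List

if ($rp.Identifier -notcontains $ssoUrl) {
    Write-Warning 'Relying party identifier does not match the SSO service URL.'
}
```

A trust created this way has no claim rules yet; they still need to be defined, as they would be in the Edit Claim Rules dialog that the wizard opens.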

AD FS 4.0

AD FS 4.0 runs on Windows Server 2016.

Configuring Active Directory Domain Services

Procedure

  1. From the Server Manager > Add Roles and Features, install Active Directory Domain Services.
  2. Go to the notifications displayed on the top-right of the screen and click the link Promote this server to a domain controller to open the Active Directory Domain Services Configuration wizard:
    1. Select Add a new forest. Then fill in the Root domain name field and click Next.
    2. Set the Directory Services Restore Mode password. Then click Next.
    3. Click Next to finish the procedure.

Configuring Active Directory Certificate Services

Procedure

  1. Install Active Directory Certificate Services (AD CS):
    1. From the Server Manager, click Add Roles and Features > Active Directory Certificate Services.
    2. From the Server Roles displayed list, select the Certification Authority and Certification Authority Web Enrollment check boxes and click Next.
    3. Click Next.
  2. Click the Configure Active Directory Certificate Services on the destination server link to configure AD CS:
    1. From the Role Services tab, select Certification Authority and Certification Authority Web Enrollment and click Next.
    2. Select Standalone CA and click Next.
    3. Select Use existing private key > Select a certificate and use its associated private key and click Next.
    4. Click Next.
    5. Click Next to finish the procedure.

Exporting and Configuring the Certificate

Procedure

  1. Request a new certificate.
    1. Enable the Web IIS manager through the Server Manager > Add a Role or Feature and select Web Server (IIS).
    2. From Windows Explorer, open Internet Information Services (IIS) Manager.
    3. Select the server and double-click Server Certificates.