Procedure
- Go to the All applications view of Azure Active Directory on the Azure portal and select the application created earlier for Talend Cloud Management Console.
- Select Single sign-on.
- On the Select a single sign-on method dialog, select SAML.
- On the Set up Single Sign-On with SAML page, click the Edit icon in the Basic SAML Configuration section.
- Specify an Identifier and the Reply URL in the Basic SAML Configuration section and next to the Identifier check box, select the default check box to set Talend Cloud SSO URL as the default value.
  - Identifier (Entity ID): Talend Cloud SSO URL. For example:
    - AWS: https://iam.us.cloud.talend.com/oidc/ssologin
    - Azure: https://iam.us-west.cloud.talend.com/oidc/ssologin

    When you need to set up SSO for multiple accounts (multiple tenants) on Talend Cloud Management Console, use their account IDs to define the unique entity ID of each account. For example, the entity ID for the AWS US region above becomes https://iam.us.cloud.talend.com/oidc/ssologin/<your_account_ID>.
    You can find the account ID on the Subscription page of your Talend Management Console.
  - Reply URL: Talend Cloud SSO URL. For example:
    - AWS: https://iam.us.cloud.talend.com/oidc/ssologin
    - Azure: https://iam.us-west.cloud.talend.com/oidc/ssologin

  Do not set the other parameters.
- Click Save.
- Edit the User Attributes & Claims to include the attributes required in Talend Cloud Management Console.
  Talend Cloud Management Console requires the following attributes:
  - emailaddress: enter user.mail
  - givenname: enter user.givenname
  - surname: enter user.surname
  - TalendCloudDomainName: enter mydomain.talend.com within double quotation marks, for example, "eval12345.talend.com". The value of the TalendCloudDomainName attribute is your Talend Cloud account name:
    - If you have already logged in to Talend Cloud, find the account name in the Domain field of the Subscription page of your Talend Management Console.
    - Otherwise, three options are available for you to find your domain. For more details, see Find domains.
  - middlename: enter user.middlename

  If you need to set up SCIM provisioning to synchronize users, groups, and roles between your SSO provider and Talend Cloud, you must define the CustomerRoles attribute and, in its value, separate roles with commas, for example, Developer,Administrator. For a step-by-step demonstration about how to set up SCIM provisioning, see this example.

  Note: By default, claim names are displayed with a namespace URI, but the namespace must be empty for the emailaddress, givenname and surname fields. Click on each claim separately and clear the Namespace field.
- On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section and download the Federation Metadata XML file.
  The downloaded metadata.xml file must specify a NameIDFormat. If this is not the case, add the following line in the <IDPSSODescriptor> area in this file: <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
- Copy the URL in the Login URL field.
  This URL will have to be provided in Talend Cloud Management Console to enable SSO.
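The NameIDFormat check from the metadata step above can be scripted; the following is an added example, not part of the Talend documentation. It checks whether <IDPSSODescriptor> already specifies a NameIDFormat and, if not, inserts the emailAddress format before SingleSignOnService, where the SAML metadata schema expects it. The function name and the sample document are assumptions made for illustration, and because re-serialising changes the file's bytes, the sketch assumes any XML signature embedded in the metadata does not need to stay valid.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# IdP-specific children that the SAML metadata schema orders after NameIDFormat.
AFTER_NAMEID = {f"{{{MD_NS}}}{name}" for name in (
    "SingleSignOnService", "NameIDMappingService",
    "AssertionIDRequestService", "AttributeProfile")}

# Constructed sample standing in for a downloaded metadata.xml (not real Azure output).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.invalid/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.invalid/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.invalid/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def ensure_nameid_format(xml_text):
    """Return (xml_text, changed); hypothetical helper, not a Talend or Azure API."""
    # Keep the metadata namespace as the default namespace when serialising.
    ET.register_namespace("", MD_NS)
    root = ET.fromstring(xml_text)
    idp = next(root.iter(f"{{{MD_NS}}}IDPSSODescriptor"), None)
    if idp is None:
        raise ValueError("no <IDPSSODescriptor> element: not IdP metadata")

    # The procedure only requires that some NameIDFormat is specified.
    formats = [el.text.strip() for el in idp.findall(f"{{{MD_NS}}}NameIDFormat")
               if el.text and el.text.strip()]
    if formats:
        return xml_text, False  # leave the file untouched

    # Insert before the first element that must follow NameIDFormat, else append.
    children = list(idp)
    pos = next((i for i, child in enumerate(children)
                if child.tag in AFTER_NAMEID), len(children))
    name_id = ET.Element(f"{{{MD_NS}}}NameIDFormat")
    name_id.text = EMAIL_FORMAT
    idp.insert(pos, name_id)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, changed = ensure_nameid_format(SAMPLE_METADATA)
    print("NameIDFormat added" if changed else "NameIDFormat already present")
    print(patched)
```
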