Linking Talend Administration Center to an Identity Provider - 7.3

Talend Data Integration Installation Guide for Windows


Procedure

  1. Log in to Talend Administration Center.
  2. If SSO has not been enabled yet, select true in the Use SSO Login field.
  3. Click Launch Upload in the IDP metadata field and upload the Identity Provider (IdP) metadata file you have previously downloaded from your Identity Provider system.
  4. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP).
    For example, http://<host>:<port>/org.talend.administrator/ssologin in Okta and ADFS, or <Connection ID> in PingFederate.
  5. Click Launch Upload in the IDP Authentication Plugin field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

    The jar files provided by Talend are located in the <TomcatPath>/webapps/org.talend.administrator/idp/plugins directory.

    It is possible to rewrite the authentication code if necessary.

    The Identity Provider System field changes automatically depending on your Identity Provider system.

  6. Click Identity Provider Configuration and fill out the required information.
    PingFederate
    • PingFederate SSO URL: https://win-350n8gtg2af:9031/idp/startSSO.ping?PartnerSpId=TAC701
    • Basic Adapter Instance ID: BasicAdapter

    Okta
    • Okta Organization URL: https://dev-515956.oktapreview.com
    • Okta Embedded Url: https://dev-515956.oktapreview.com/home/talenddev515956_talendadministrationcenter_1/0oacvlcac5j52hFhP0h7/alncvlmpk1VXbYAGu0h7

    AD FS 2
    • Adfs SSO Url: https://<host>/adfs/ls
    • Adfs Basic Auth Path: auth/basic
    • Adfs SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin

    AD FS 3
    • Adfs 3 SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    • Adfs 2 SSO Url: https://<host>/adfs/ls
  7. Set the Use Role Mapping field to true to map the application project types and the user roles with those defined in the Identity Provider system.
    Once you have defined project types/roles on the Identity Provider side, you cannot edit them from Talend Administration Center.
  8. Click Mapping Configuration and fill in the role/project type fields with the corresponding SAML attributes previously set in the Identity Provider system.
    Project type examples:
    • MDM = MDM
    • DI = DI
    • DM = DM
    • NPA = NPA

    Role examples:

    • Talend Administration Center roles
      • Administrator = tac_admin
      • Operation Manager = tac_om

      Setting the Talend Administration Center roles is mandatory.

    • Talend Data Preparation roles
      • Administrator = dp_admin
      • Data Preparator = dp_dp
    • Talend Data Stewardship roles
      • Data Steward = tds_ds

    The project types and roles set in the Identity Provider override the roles set in Talend Administration Center at user login.

    If your organization does not accept custom attributes in the SAML token, either:

    1. Select Show Advanced Configuration in the wizard and, in Path to Value, enter the XPath expression to target the SAML value to map to the corresponding Talend Administration Center object (Project Types, Roles, Email, First Name, Last Name).

      Example: /saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='tac.projectType']/saml2:AttributeValue/text()

    2. Set Use Role Mapping to false.

      In this case, you cannot create users manually, but the user type and the user roles can be edited in Talend Administration Center.

      When users log in for the first time, their type is No Project Access.

    The default login timeout is set to 120 seconds, which you can change by adding the sso.config.clientLoginTimeout parameter with the desired timeout to the <ApplicationPath>/WEB-INF/classes/configuration.properties file.
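    As an added illustration that is not part of the Talend documentation or product, the following Python reads the same nodes the XPath expression above targets from a constructed, unsigned SAML response and applies the step 8 mapping, dropping any value that has no mapping entry. The attribute name tac.role, the role dictionary and the fallback to No Project Access for a user with no recognised project type are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping Configuration values from step 8 (SAML attribute value -> TAC object).
PROJECT_TYPES = {"MDM": "MDM", "DI": "DI", "DM": "DM", "NPA": "NPA"}
ROLES = {"tac_admin": "Administrator", "tac_om": "Operation Manager",
         "dp_admin": "Data Preparation Administrator", "dp_dp": "Data Preparator",
         "tds_ds": "Data Steward"}


def attribute_values(response_xml, name):
    """Return the text of Response/Assertion/AttributeStatement/Attribute[@Name=name]/
    AttributeValue, the nodes the page's XPath targets, via ElementTree's XPath subset."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("document root is not a saml2p:Response")
    values = []
    for attr in root.findall("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name:  # same filter as the [@Name='...'] predicate
            values += [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return values


def map_user(response_xml, role_attr="tac.role"):
    """Project types and roles TAC grants at login with Use Role Mapping = true:
    IdP values win and values absent from the mapping are ignored.
    The attribute name tac.role is an assumption; only tac.projectType is on the page."""
    types = [PROJECT_TYPES[v] for v in attribute_values(response_xml, "tac.projectType")
             if v in PROJECT_TYPES]
    roles = [ROLES[v] for v in attribute_values(response_xml, role_attr) if v in ROLES]
    # Assumption: no recognised project type means the user gets No Project Access.
    return {"project_types": types or ["No Project Access"], "roles": roles}


# Constructed, unsigned sample response for illustration: two project types and
# one role value that is not in the mapping and must be dropped.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion><saml2:AttributeStatement>
    <saml2:Attribute Name="tac.projectType">
      <saml2:AttributeValue>DI</saml2:AttributeValue>
      <saml2:AttributeValue>MDM</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="tac.role">
      <saml2:AttributeValue>tac_om</saml2:AttributeValue>
      <saml2:AttributeValue>dp_dp</saml2:AttributeValue>
      <saml2:AttributeValue>not_in_mapping</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""
```

Running map_user(SAMPLE_RESPONSE) yields project types DI and MDM and roles Operation Manager and Data Preparator; the unmapped value is silently ignored rather than granted.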

Results

You are able to log in to Talend Administration Center through your Identity Provider.