Configuring Talend Administration Center SSO with AD FS 2.0 - 7.1

author
Talend Documentation Team
EnrichVersion
7.1
EnrichProdName
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
task
Administration and Monitoring > Managing authorizations
EnrichPlatform
Talend Administration Center

AD FS 2.0 Overview

Configure Active Directory Federation Services (AD FS) 2.0 on Windows Server 2008 R2 to enable secure identity management and single sign-on (SSO) access to Talend Administration Center.

AD FS enables a decentralized identity sharing between business partners by implementing the WS-Federation protocol and standards such as WS-Trust and Security Assertion Markup Language (SAML). AD FS is used to generate assertions for users. These assertions are sent back to Talend Administration Center, where the user settings and roles are assigned based on the AD FS configuration.

For more information on system requirements and getting started with AD FS, refer to the AD FS documentation.

Installing AD FS 2.0

Active Directory Federation Services (AD FS) 2.0 runs on Windows Server 2008 R2.

Before you begin

Talend Administration Center must be configured with HTTPS. For more information, see How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center.

Procedure

  1. Download the installer file from the Microsoft website.
  2. Run AdfsSetup.exe.
  3. Click Next.
  4. Click I accept the terms in the License Agreement, then Next.
  5. Click Federation server, then Next.
  6. Click Next.
    The installation starts.
  7. Click Finish once the installation process is complete.

Results

ADFS starts automatically if you leave the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox selected.

Configuring AD FS 2.0

Procedure

  1. Click AD FS 2.0 Federation Server Configuration Wizard on the AD FS 2.0 Management overview page.
  2. Click Next.

    Leave the Create a new Federation Service checkbox selected.

  3. Click Stand-alone federation server, then Next.
  4. Select your SSL certificate and the default Federation Service name, then click Next.
    It is recommended to use an SSL certificate signed by a provider, for example, Thawte or Verisign. The certificate should also be public facing, otherwise you may experience issues later.
  5. Click Next.
  6. Click Close.

Adding Relying Party Trust

Procedure

  1. Right-click Trust Relationships > Relying Party Trusts, and select Add Relying Party Trust....
  2. Click Start.
  3. Select Enter data about the relying party manually, then click Next.
  4. Enter a display name and click Next.
  5. Select AD FS 2.0 profile and click Next.
  6. Click Next.
  7. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
  8. Enter the single sign-on service URL in the Relying party SAML 2.0 SSO Service URL field.
    For example, https://localhost:8080/org.talend.administrator/ssologin.
  9. On the Configure Identifiers page, enter the same service URL as in step 8, then click Add and Next.
  10. Leave the Permit all users to access this relying party option selected and click Next.

    You may change the issuance authorization rules later.

  11. Click Next, then Close.

    Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox selected.

Results

The Edit Claim Rules for... window opens.

Adding Claim Rules

Procedure

  1. In the Edit Claim Rules for... window, click Add Rule....
  2. Define the attributes to be send to Talend Administration Center via SAML response.
  3. Click OK.

    For an example configuration, see Configuring Custom Roles Claim Rule (Example).

What to do next

After the configuration is finished, confirm that the basic authentication type exists in the \inetpub\adfs\ls\web.config file.

Configuring Custom Roles Claim Rule (Example)

Procedure

  1. In the Add Transform Claim Rule Wizard, select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  2. Enter a Claim rule name, for example, EmailAddress.
  3. Enter the configuration to the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
  4. Click Finish.
  5. In the Edit Claim Rules for... window, click Add Rule....
  6. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  7. Enter a Claim rule name, for example, NameId.
  8. Enter the configuration to the Custom rule field.
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value = c.Value);
  9. Click Finish.
  10. In the Edit Claim Rules for... window, click Add Rule....
  11. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  12. Enter a Claim rule name, for example, Attributes.
  13. Enter the configuration to the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("firstName", "lastName", "tac.projectType", "tac.role"), query = ";givenName,sn,displayName,department;{0}", param = c.Value);
  14. Click Finish.

Exporting Metadata

Procedure

  1. Open AD FS 2.0 Management.
  2. Navigate to Service > Endpoints and scroll down to the Metadata section.
  3. Note the path to the FederationMetadata.xml file.
  4. Download the metadata file from your AD FS host, for example, https://<ADFShost>/FederationMetadata/2007-06/FederationMetadata.xml.

Linking Talend Administration Center to an Identity Provider