Configuring Talend Administration Center SSO with AD FS 3.0

author
Talend Documentation Team
EnrichVersion
7.1
EnrichProdName
Talend Cloud
Talend Big Data
Talend Real-Time Big Data Platform
Talend MDM Platform
Talend Data Integration
Talend Data Fabric
Talend Data Services Platform
Talend Big Data Platform
Talend ESB
Talend Data Management Platform
task
Administration and Monitoring > Managing authorizations
EnrichPlatform
Talend Administration Center

AD FS 3.0 Overview

Configure Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2 to enable secure identity management and single sign-on (SSO) access to Talend Administration Center.

AD FS enables decentralized identity sharing between business partners by implementing the WS-Federation protocol and standards such as WS-Trust and Security Assertion Markup Language (SAML). AD FS generates assertions for users; these assertions are sent back to Talend Administration Center, where the user settings and roles are assigned based on the AD FS configuration.

For more information on system requirements and getting started with AD FS, refer to the AD FS documentation.

Installing AD FS 3.0

Active Directory Federation Services (AD FS) 3.0 runs on Windows Server 2012 R2.

Before you begin

Talend Administration Center must be configured with HTTPS. For more information, see How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center.

Procedure

  1. Open Server Manager.
  2. Click Manage > Add Roles and Features.
  3. In the Add Roles and Features Wizard window, configure the installation based on your requirements.
  4. Install Active Directory Federation Services.

Configuring AD FS 3.0

Procedure

  1. In the Server Manager, click Tools > AD FS Management.
  2. Right-click Trust Relationships > Relying Party Trusts, and select Add Relying Party Trust....
  3. Click Start.
  4. Select Enter data about the relying party manually, then click Next.
  5. Enter a display name and click Next.
  6. Select AD FS profile and click Next.
  7. Click Next.
  8. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
  9. Enter the single sign-on service URL in the Relying party SAML 2.0 SSO Service URL field.
    For example, https://localhost:8080/org.talend.administrator/ssologin.
  10. On the Configure Identifiers page, enter the same service URL as in step 9, then click Add and Next.
  11. Choose whether to configure multi-factor authentication settings.
  12. Leave the Permit all users to access this relying party option selected and click Next.

    You may change the issuance authorization rules later.

  13. Click Next, then Close.

    Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox selected.

Adding Claim Rules

Procedure

  1. In the Edit Claim Rules for... window, click Add Rule....
  2. Define the attributes to be sent to Talend Administration Center in the SAML response.
  3. Click OK.

    For an example configuration, see Configuring Custom Roles Claim Rule (Example).

Configuring Custom Roles Claim Rule (Example)

Procedure

  1. In the Add Transform Claim Rule Wizard, select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  2. Enter a Claim rule name, for example, EmailAddress.
  3. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
  4. Click Finish.
  5. In the Edit Claim Rules for... window, click Add Rule....
  6. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  7. Enter a Claim rule name, for example, NameId.
  8. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value = c.Value);
  9. Click Finish.
  10. In the Edit Claim Rules for... window, click Add Rule....
  11. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  12. Enter a Claim rule name, for example, Attributes.
  13. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("firstName", "lastName", "tac.projectType", "tac.role"), query = ";givenName,sn,displayName,department;{0}", param = c.Value);
  14. Click Finish.
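As an added illustration (not part of this page and not Talend's or Microsoft's code), the following Python checks that an assertion produced under these three rules carries the NameID format and the four attributes Talend Administration Center expects before a user is mapped. The sample assertion and its values are constructed, and validation of the assertion signature against the AD FS certificate is assumed to have happened already in the SAML library.

```python
# Added example: verify that an AD FS assertion issued under the EmailAddress,
# NameId and Attributes custom rules above contains what the relying party needs.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Format set by the NameId rule on this page.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names issued by the Attributes rule (types = (...)) on this page.
REQUIRED_ATTRS = ("firstName", "lastName", "tac.projectType", "tac.role")

# Constructed sample assertion; Signature and Conditions elements are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tac.projectType"><saml:AttributeValue>DI</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tac.role"><saml:AttributeValue>Operation manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {'nameid': str, 'attrs': {name: [values]}} or raise ValueError.

    Signature checking is assumed to be done by the SP library beforehand;
    this only confirms the claim rules produced the expected claims.
    """
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format (check the NameId rule)")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    # An attribute that is absent or empty means the AD lookup in the
    # Attributes rule returned nothing for that user.
    missing = [a for a in REQUIRED_ATTRS if not attrs.get(a) or not attrs[a][0]]
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    return {"nameid": nameid.text, "attrs": attrs}


def claims_ok(assertion_xml: str) -> bool:
    """Convenience wrapper: True when the assertion satisfies the checks above."""
    try:
        extract_claims(assertion_xml)
        return True
    except ValueError:
        return False
```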

Exporting Metadata

Procedure

  1. Open AD FS Management.
  2. Navigate to Service > Endpoints and scroll down to the Metadata section.
  3. Note the path to the FederationMetadata.xml file.
  4. Download the metadata file from your AD FS host, for example, https://<ADFShost>/FederationMetadata/2007-06/FederationMetadata.xml.

Linking Talend Administration Center to an Identity Provider

Logging in to Talend Administration Center via AD FS

Procedure

After the configuration is finished, log in to Talend Administration Center through the AD FS SSO URL.
https://<host>/adfs/ls/idpinitiatedsignon