Configuring the SAML server - Cloud

Talend Cloud Data Catalog Administration Guide

Version: Cloud
Language: English
Product: Talend Cloud
Module: Talend Data Catalog
Content: Administration and Monitoring, Data Governance
Last publication date: 2024-01-17

Configure the SAML server to enable the external authentication server using the SAML 2.0 protocol.

Before you begin

  • As an administrator, you have configured the Talend Cloud Data Catalog application in your identity provider system.
  • As an administrator, you have set up the users and the user attributes of your application in your identity provider system.
  • You have been assigned a global role with the Security Administration capability.

Procedure

  1. Go to MANAGE > Users.
  2. In the Authentication field of the toolbar, select SAML from the drop-down list.
  3. Click the Configure authentication icon next to the drop-down list.

    Talend Cloud Data Catalog does not use any Azure AD API to read the group assignments. All information about the user is extracted from the standard SAML response from AD FS, an IdP that sits on top of AD. If an attribute mapping has been created for the Groups attribute and group mappings have been defined from the external groups to the local groups, the external user is automatically assigned a local group upon login.

  4. In the Connection tab, fill in the required information to link Talend Cloud Data Catalog to your identity provider.
    Field / Action

    Identity Provider Entity ID
      Enter the URL for your IdP server.

    Service Provider Entity ID
      Enter the host name of the service provider. If the Talend Cloud Data Catalog application server is behind a load balancer or proxy server, this should be the host name of the load balancer or proxy server. This host name is used as the issuer in the SAML requests generated by the Talend Cloud Data Catalog application server. Configure the application ID and audience restriction in the IdP server accordingly.

    Identity Provider X509 Certificate
      Enter the public X509 certificate of your identity provider, which allows Talend Cloud Data Catalog to verify the signatures and establish trust in the exchanged messages.

    Binding Type
      Select the manner in which binding is accomplished:
      • HTTP-Redirect: Talend Cloud Data Catalog sends a SAML authentication request to the identity provider SSO service using the HTTP-Redirect Binding.

        Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML authentication request sent by Talend Cloud Data Catalog can be signed but not encrypted. Talend Cloud Data Catalog uses the private key and X509 certificate of the service provider to sign the SAML authentication request.

      • HTTP-POST: The identity provider returns the SAML response to a Talend Cloud Data Catalog assertion consumer service using the HTTP-POST Binding.

        Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML assertion received by Talend Cloud Data Catalog can be signed but not encrypted. To validate the signature, Talend Cloud Data Catalog only needs the identity provider's public key. The assertion must be signed so that Talend Cloud Data Catalog can verify that the assertion contents have not been altered in transit.

    Single Sign On URL
      Enter the Single Sign-On URL.

    Assertion Consumer Service URL
      The endpoint URL used when the IdP server returns the SAML response, in particular when a proxy server or load balancer is used on the SP side. This URL is used as the recipient or destination of the SAML responses. If the Talend Cloud Data Catalog application server is behind a load balancer or proxy server, the protocol, host name, and port in the URL must match those of the load balancer or proxy server.

    Service Provider Private Key
      The private key of the service provider.

    Service Provider X509 Certificate
      The public X509 certificate of the service provider. If both the service provider's private key and X509 certificate are specified, the SAML authentication requests are signed by the application server service provider.

    SAML Response Signature Element
      Select one of the values from the drop-down list to specify whether the SAML authentication response message and the SAML assertion are digitally signed by the identity provider.

      Talend Data Catalog returns an error message at login time if an element is configured as signed but that element in the SAML response was not signed by the identity provider.

      If an element is configured as not signed, Talend Data Catalog does not validate the signature in that element, even if the identity provider signed it.

    The Import IDP metadata option allows the application server to read the identity provider's SAML metadata file, an XML document that contains the information necessary for interaction with the identity provider: the URLs of endpoints, information about supported bindings, identifiers and public keys. After parsing the SAML metadata file, the application server automatically fills in the other fields from the values specified in the file. You still need to configure the Attribute Mappings and Group Mappings to complete the SAML server configuration.

    The Export SP metadata option allows you to export the SAML Service Provider metadata. The application server SP uses the protocol (http or https), server name and port number that the browser uses to generate the endpoint URLs in the metadata. You may need to customize the auto-generated SP metadata file if it does not work.

  5. In the Attribute Mappings tab, map the attributes from the external user account to the Talend Cloud Data Catalog user attributes, such as Login, Full Name, Email or Groups.
  6. In the Group Mappings tab, click Add Assignment to map the group attribute from the external user account to the Talend Cloud Data Catalog group name.
    To enable the automatic group assignment, you can fill in the Groups attribute with the corresponding field name in the user account information. Talend Cloud Data Catalog uses the value of this field as the security group assignment.
    The user account information is returned from the SAML server to Talend Data Catalog after the SAML server validates an access token upon a login request.
    You can use the wildcard ("%") when configuring the group mappings. The % matches zero or more characters.
    When populating a SAML attribute for group assignment, you switch from native, manually managed group assignment to SAML-driven, automatic group assignment for all SAML users. As a SAML user, you lose the previous native group assignment the next time you log in.

    When deleting the last SAML attribute for group assignment, you switch from SAML-driven group assignment back to native group assignment. Any SAML user is associated with the Guest group until manually assigned to other groups.

  7. Save your changes.
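
The two settings in the procedure above with the most security impact, the SAML Response Signature Element (step 4) and the wildcard group mappings (step 6), are illustrated by the following Python example. It is an added illustration, not Talend code: the SAML response is constructed, the 'response'/'assertion' policy labels and the Guest fallback for a user whose groups match no mapping are assumptions, and the signature check only reports which elements carry a signature; it does not perform cryptographic verification.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response: the IdP signed the Assertion but not the outer Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>CN=DataStewards-EMEA</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def signed_elements(xml_text):
    """Which of 'response' / 'assertion' carry a ds:Signature child (presence only)."""
    root = ET.fromstring(xml_text)
    signed = set()
    if root.find("ds:Signature", NS) is not None:
        signed.add("response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None and assertion.find("ds:Signature", NS) is not None:
        signed.add("assertion")
    return signed

def missing_signatures(xml_text, configured_signed):
    """Configured-as-signed elements that are unsigned; non-empty means the documented login error."""
    return sorted(set(configured_signed) - signed_elements(xml_text))

def group_values(xml_text):
    # Values of the SAML attribute that the Attribute Mappings tab ties to Groups.
    root = ET.fromstring(xml_text)
    path = ".//saml:Attribute[@Name='Groups']/saml:AttributeValue"
    return [v.text for v in root.findall(path, NS)]

def map_groups(values, mappings, default="Guest"):
    """mappings: {external pattern ('%' = zero or more characters): local group}.
    Falling back to the default group for an unmatched user is an assumption."""
    local = []
    for value in values:
        for pattern, group in mappings.items():
            regex = ".*".join(re.escape(part) for part in pattern.split("%"))
            if re.fullmatch(regex, value) and group not in local:
                local.append(group)
    return local or [default]
```

Elements configured as not signed are deliberately absent from the check, which is exactly why a configuration that declares the assertion unsigned accepts tampered assertions without an error.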

Results

You can log in to Talend Cloud Data Catalog through your identity provider.