Configuring the SAML server in Talend Cloud Data Catalog - Cloud

Talend Cloud Data Catalog Administration Guide

Version: Cloud
Language: English
Product: Talend Cloud
Module: Talend Data Catalog
Content: Administration and Monitoring, Data Governance
Last publication date: 2024-01-17

Before you begin

  • As an administrator, you have created and configured the SAML application in Okta.
  • As an administrator, you have set up the users and the user attributes of your application in Okta.
  • You have been assigned a global role with the Security Administration capability.

Procedure

  1. Go to MANAGE > Users.
  2. In the Authentication field of the toolbar, select SAML from the drop-down list.
  3. Click the Configure authentication icon next to the drop-down list.
  4. In the Connection tab, fill in the required information using the previously saved Identity Provider metadata.
    Field                Action
    Identity Provider    Enter the Identity Provider Issuer.
    X509 Certificate     Enter the public X509 certificate of your identity provider.
    Binding Type         Select the manner in which binding is accomplished:
                         • HTTP-Redirect: Talend Cloud Data Catalog sends a SAML authentication request to the identity provider SSO service using the HTTP-Redirect Binding.
                           Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML authentication request sent by Talend Cloud Data Catalog is neither signed nor encrypted. Since the request usually does not contain much private data, there is little need to encrypt the SAML request.
                         • HTTP-POST: The identity provider returns the SAML response to a Talend Cloud Data Catalog assertion consumer service using the HTTP-POST Binding.
                           Note: As Talend Cloud Data Catalog does not have the private key of the identity provider, the SAML assertion received by Talend Cloud Data Catalog can be signed but not encrypted.
                           To validate the signature, Talend Cloud Data Catalog only needs the identity provider's public key. The assertion must be signed so that Talend Cloud Data Catalog can verify that the assertion contents have not been altered in transit.
    Single Sign On URL   Enter the Identity Provider Single Sign-On URL.
    Signature Element    Select one of the values from the drop-down list to specify whether the SAML authentication response message and the SAML assertion are digitally signed by the identity provider.
                         Talend Cloud Data Catalog returns an error message at login time if an element is configured as signed but that element in the SAML response was not signed by the identity provider.
                         If an element is configured as not signed, Talend Cloud Data Catalog does not validate the signature of that element, even if the identity provider did sign it.

  5. In the User Attribute Mapping tab, fill in the fields with the corresponding SAML attributes to retrieve the user information you have previously set in Okta.
  6. In the Group Mappings tab, map the group attribute from the external user account to the Talend Cloud Data Catalog group name.
    To enable the automatic group assignment, you can fill in the Groups attribute in the Attribute Mapping tab with the corresponding field name in the user account information. Talend Cloud Data Catalog uses the value of this field as the security group assignment.

    The user account information is returned from the SAML server to Talend Cloud Data Catalog after the SAML server validates an access token upon a login request.

    You can use the wildcard character (%) when configuring the group mappings. The % matches zero or more characters.

    When populating a SAML attribute for group assignment, you switch from native, manually managed group assignment to SAML-driven, automatic group assignment for all SAML users. As a SAML user, you lose your previous native group assignment the next time you log in.

    When deleting the last SAML attribute for group assignment, you switch from SAML-driven group assignment back to native group assignment. Every SAML user is associated with the Guest group until the users are manually assigned to other groups.

  7. Save your changes.
  8. Reopen the browser and try to access Talend Cloud Data Catalog.
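As an added illustration of the checks described in steps 4 to 6 (this is example code written for this page, not Talend's or Okta's own implementation), the following Python script parses a constructed SAML response, applies the Signature Element setting (an element configured as signed must carry its own ds:Signature as a direct child; an element configured as not signed is skipped, even if the identity provider signed it), extracts the user attributes from the AttributeStatement, and applies group mappings with the % wildcard, falling back to the Guest group when no Groups attribute is configured. The catalog field names in USER_MAPPING, the group mapping patterns, the Okta issuer URL and the attribute names are assumed values chosen for the demonstration; the cryptographic verification of the signature against the X509 certificate is left to the SAML library and is not performed here.

```python
import re
import xml.etree.ElementTree as ET

# XML namespaces of a SAML 2.0 response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed sample: the Assertion carries a signature, the outer Response
# does not. The signature body is a placeholder; this example only checks
# which elements are signed. Verifying the signature value against the
# identity provider's X509 certificate is the SAML library's job.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>catalog-admins</saml:AttributeValue>
        <saml:AttributeValue>finance-analysts</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def has_direct_signature(element):
    """True only if ds:Signature is an immediate child of the element, so a
    signature nested somewhere deeper is not mistaken for the element's own."""
    return any(child.tag == DS_SIGNATURE for child in element)


def check_signature_policy(response_xml, response_signed, assertion_signed):
    """Apply the Signature Element setting: each element configured as signed
    must carry its own signature; an element configured as not signed is not
    checked at all, even if the identity provider did sign it."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    errors = []
    if response_signed and not has_direct_signature(root):
        errors.append("Response configured as signed but not signed by the identity provider")
    if assertion_signed and (assertion is None or not has_direct_signature(assertion)):
        errors.append("Assertion configured as signed but not signed by the identity provider")
    return errors


def extract_attributes(response_xml):
    """Collect the AttributeStatement as {attribute name: [values]}."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs


def map_user_attributes(attrs, user_mapping):
    """User Attribute Mapping: catalog field -> SAML attribute name. A field
    whose attribute is missing from the assertion is left empty."""
    return {field: (attrs.get(name) or [""])[0] for field, name in user_mapping.items()}


def wildcard_to_regex(pattern):
    """'%' matches zero or more characters; every other character is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$")


def map_groups(group_values, group_mappings, groups_attribute_configured=True):
    """Group Mappings: external group value -> catalog group name, with '%'
    wildcards (case-sensitive here, an assumption). Without a Groups
    attribute configured, SAML users fall back to the Guest group."""
    if not groups_attribute_configured:
        return {"Guest"}
    matched = set()
    for value in group_values:
        for pattern, catalog_group in group_mappings:
            if wildcard_to_regex(pattern).match(value):
                matched.add(catalog_group)
    return matched


# Assumed mapping values for the demonstration (field names are made up).
USER_MAPPING = {"Login": "email", "First name": "firstName", "Groups": "memberOf"}
GROUP_MAPPINGS = [("%-admins", "Administrators"), ("finance-%", "Finance Stewards")]

if __name__ == "__main__":
    print(check_signature_policy(SAMPLE_RESPONSE, response_signed=True, assertion_signed=True))
    attrs = extract_attributes(SAMPLE_RESPONSE)
    print(map_user_attributes(attrs, USER_MAPPING))
    print(map_groups(attrs.get("memberOf", []), GROUP_MAPPINGS))
```

Run as a script, the first line printed is the login-time error for a Response configured as signed while only the Assertion carries a signature; switching `response_signed` to False makes the policy pass, and setting both flags to False skips the check entirely, which is the behaviour the Signature Element field describes.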

Results

You are redirected to Okta for authentication.