Configuring Talend Administration Center SSO with SiteMinder

Version: 6.4, 6.3
Products: Talend Big Data, Talend Data Integration, Talend Real-Time Big Data Platform, Talend ESB, Talend Data Services Platform, Talend MDM Platform, Talend Data Fabric, Talend Big Data Platform, Talend Data Management Platform, Talend Integration Cloud
Content type: task
Category: Administration and Monitoring > Managing authorizations
Platform: Talend Administration Center

CA SiteMinder/Talend Administration Center SSO configuration Overview

This article explains how to configure CA SiteMinder to implement Single Sign-On (SSO) with Talend Administration Center.

CA SiteMinder Partnership Federation is used to build a SAML 2.0 identity provider (IdP) that generates assertions for users.

These assertions are posted to Talend Administration Center, which acts as the SAML 2.0 service provider (SP) and assigns user settings and roles based on the attributes that the SiteMinder configuration places in the assertion.
  1. The SSO process is initiated through a hard-coded link (for example http://<WebAgentHost>/affwebservices/public/saml2sso?SPID=<SPEntityName>, where <WebAgentHost> is the host name or IP address of the server where the Web Agent is installed).
  2. This link redirects to the authentication page.
  3. If no user session exists, the user is redirected to the login page.
  4. When the user enters valid credentials, the browser is redirected to the assertion service (http://<WebAgentHost>/affwebservices/public/saml2sso) and the assertion is generated.
  5. The assertion is wrapped in a SAML 2.0 response and placed in an auto-submitting HTML form (HTTP-POST binding).
  6. Talend Administration Center receives the SAML response when the form is submitted to its /ssologin endpoint.
  7. Talend Administration Center retrieves the attributes from the SAML 2.0 response, updates the user attributes and processes the role mapping.
  8. The user is then logged in to Talend Administration Center.

The SAML response carries the user's identity and roles, which is why it is signed with the IdP key configured later in this article. The http:// URLs used throughout are placeholders: in production, serve both the Web Agent and Talend Administration Center over HTTPS so that credentials and the posted SAML response are not exposed on the wire.

Create User Directory Within CA SiteMinder

The SiteMinder IdP does not support multi-valued attributes. All roles for a user must therefore be stored in a single attribute value, separated by "," (for example tac_admin,dp_dm).

Procedure

  1. Navigate to Infrastructure > Directory > User Directories.
  2. In the Search results area, click Create User Directory.
  3. Set the User Directory configuration.
  4. Click Submit.

Protect the Authentication URL

Procedure

  1. Create the Agent configuration following the steps in the Web Agent Configuration section of the SiteMinder documentation.
  2. Select the User Directory created in Create User Directory.
  3. Select Basic as the Authentication Scheme (default). Basic authentication sends the user's credentials in the Authorization header of every request, so the protected URL must be served over HTTPS.
  4. Ensure the Persistent Session check box is cleared.

Create Signing Certificate

Procedure

  1. Log in to the Administrative UI.
  2. Select Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys.
  3. Click Import New and follow the wizard to import the signing certificate and its private key. Note the alias you give the private key: it is selected as the Signing Private Key Alias when you create the Local IdP entity.

Create Local IdP Entity

Procedure

  1. Navigate to Federation > Partnership Federation > Entities.
  2. Click Create Entity.
  3. Select the Entity type properties:
    • Entity Location - Local
    • New Entity Type - SAML2 IDP
  4. Click Next.
  5. Define the following properties for the Local IdP Entity:
    • Entity ID - samlIdp
    • Entity Name - samlIdp
    • Base URL - http://<identityProviderIPOrHost>:<port> (host name or IP address of the server where SiteMinder is installed).
  6. Under Default Signature and Encryption Options, select the Signing Private Key Alias that you have created previously.
  7. Under Supported Name ID Formats and Attributes, select the Unspecified and Email Address check boxes.
  8. Click Next to confirm and to finalize the entity creation.

Create Remote SP Entity

Procedure

  1. Navigate to Federation > Partnership Federation > Entities.
  2. Click Create Entity.
  3. Select the Entity type properties:
    • Entity Location - Remote
    • New Entity Type - SAML2 SP
  4. Click Next.
  5. Define the following properties for the Remote SP Entity:
    • Entity ID - TACServiceProvider
    • Entity Name - TACServiceProvider
  6. Under Remote Assertion Consumer Service URLs, define:
    • Binding - HTTP-POST
    • URL - http://<TACHost>:<port>/<TACApp>/ssologin (path to the Talend Administration Center SSO servlet that authenticates users; <TACApp> is the Talend Administration Center web application name).
  7. Under Supported Name ID Formats and Attributes, select the Unspecified and Email Address check boxes.
  8. Click Next to confirm and to finalize the entity creation.

Create the Identity Provider / Service Provider Partnership

This procedure involves several wizard steps in SiteMinder. For readability, each wizard step is described below under a heading of the form Step - Name of the Step.

Procedure

  1. Navigate to Federation > Partnership Federation > Partnerships.
  2. Click Create Partnership ("SAML2 IDP → SP").

Step - Configure partnership

Procedure

  1. Define the following properties:
    • Partnership Name - <PartnershipName>
    • Local IDP - <SMIdPName> (Local Identity Provider created previously)
    • Remote SP - <TACSPName> (Remote Service Provider created previously)
  2. Promote the user directory you have created from Available Directories to Selected Directories.
  3. Click Next.

Step - Federation Users

Procedure

  1. Ensure User Class is set to All Users In Directory.
  2. Click Next.

Step - Assertion Configuration

Procedure

  1. In the Name ID area, define the following properties:
    • Name ID format - Email Address (the format in which the IdP sends the user identifier to the Service Provider)
    • Name ID Type - User Attribute (the value is taken from a user attribute)
    • Value - <value> (the user directory attribute that holds the user's email address, based on the User Directory configuration)
  2. In the Assertion Attributes area, map the user directory attributes to the assertion attributes that Talend Administration Center reads from the SAMLResponse:
    • Assertion attribute - tac.role
      • Retrieval Method - SSO
      • Format - Basic
      • Type - User Attribute
      • Value - tacRole
    • Assertion attribute - tac.projectType
      • Retrieval Method - SSO
      • Format - Basic
      • Type - User Attribute
      • Value - projectType

Step - SSO and SLO

Procedure

  1. In the Authentication area, define the following properties:
    • Authentication Mode - Local
    • Authentication URL - http://<WAHostIP>/affwebservices/redirectjsp/redirect.jsp (URL of the redirect.jsp page on the AFF web service)
    • Configure AuthnContext - Use Predefined Authentication Class
    • Authentication Class - urn:oasis:names:tc:SAML:2.0:classes:Password (Authentication Context class URI)
  2. In the SSO area, define the following properties:
    • Authentication Request Binding - HTTP-Redirect
    • SSO Binding - HTTP-POST
    • Transaction Allowed - Both IDP and SP initiated
  3. In the Remote Assertion Consumer Service URLs, define the following properties:
    • Index - 0
    • Binding - HTTP-POST
    • URL - http://<TACHost>:<port>/<TACApp>/ssologin (these values are the same as the ones defined from the SP entity configuration).
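The exchange described in the overview (steps 1 to 8), the attribute mapping in Step - Assertion Configuration and the Assertion Consumer Service URL above, worked through on both sides as an added example. This is not SiteMinder or Talend Administration Center code and does not show how Talend Administration Center actually validates a response: it builds an unsigned response the way the partnership is configured (Email Address Name ID, Basic-format tac.role and tac.projectType, Password authentication class, samlIdp and TACServiceProvider entity IDs), wraps it in the auto-post form, and then applies the checks a SAML consumer needs before trusting the attributes (Destination, Issuer, Status, validity window, Audience, bearer Recipient, Name ID format). The host name, port, context path, user and attribute values are constructed for the example. XML signature verification, which the real partnership provides through the signing key imported earlier, is deliberately left out; add it with a library such as xmlsec before using anything like this for real.

```python
"""Added example (not SiteMinder or Talend code): the SAML 2.0 HTTP-POST
exchange between the SiteMinder IdP and the TAC /ssologin endpoint. Entity
IDs, attribute names and authentication class come from the article; host,
port and context path are placeholders. XML signatures are not verified."""
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
IDP_ENTITY_ID = "samlIdp"            # Local IdP entity from the article
SP_ENTITY_ID = "TACServiceProvider"  # Remote SP entity from the article
ACS_URL = "http://tac.example.com:8080/tac/ssologin"  # assumed <TACHost>:<port>/<TACApp>/ssologin
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:classes:Password"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_response(email, tac_role, project_type, now):
    """IdP side (overview steps 4-5): unsigned response with the Email Address Name ID
    and the two Basic-format attributes; tac.role is one comma-separated value."""
    t = lambda d: d.strftime(TS)
    e = html.escape
    later = t(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="{t(now)}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{e(email)}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{later}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{t(now - timedelta(minutes=1))}" NotOnOrAfter="{later}"><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{t(now)}"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_CLASS}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="tac.role" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>{e(tac_role)}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="tac.projectType" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>{e(project_type)}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def auto_post_form(response_xml):
    """IdP side (step 5): the self-submitting form the browser relays to the ACS URL."""
    encoded = base64.b64encode(response_xml.encode()).decode()
    return (f'<form method="post" action="{html.escape(ACS_URL)}">'
            f'<input type="hidden" name="SAMLResponse" value="{encoded}"/></form>'
            "<script>document.forms[0].submit();</script>")


def consume_response(saml_response_b64, received_at, now):
    """SP side (step 7): checks to pass before trusting the attributes; raises
    ValueError otherwise. Signature verification is omitted in this example."""
    ts = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != received_at:
        raise ValueError("not a Response for this endpoint (Destination mismatch)")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-Success status")
    if a is None or {root.findtext("saml:Issuer", namespaces=NS),
                     a.findtext("saml:Issuer", namespaces=NS)} != {IDP_ENTITY_ID}:
        raise ValueError("missing assertion or issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is addressed to another SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != received_at or now >= ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation does not cover this endpoint and time")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("Name ID is not in Email Address format")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"email": name_id.text,  # single SiteMinder value, split on "," as the article requires
            "roles": [r.strip() for r in attrs.get("tac.role", "").split(",") if r.strip()],
            "project_type": attrs.get("tac.projectType"),
            "authn_class": a.findtext("saml:AuthnStatement/saml:AuthnContext/"
                                      "saml:AuthnContextClassRef", namespaces=NS)}


def run_exchange(minutes_later=0, received_at=ACS_URL):
    """End-to-end demo for a constructed user: returns what the SP would map, or
    the rejection reason (e.g. a replay 10 minutes later or to another URL)."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    form = auto_post_form(build_response("jdoe@example.com", "tac_admin, dp_dm", "DI", issued))
    posted = form.split('name="SAMLResponse" value="')[1].split('"')[0]  # the browser's POST field
    try:
        return consume_response(posted, received_at, issued + timedelta(minutes=minutes_later))
    except ValueError as err:
        return str(err)
```

Calling run_exchange() returns the mapped user (email, the roles list split from the single comma-separated tac.role value, the project type and the Password authentication class). run_exchange(minutes_later=10) shows the same response rejected once its validity window has passed, and run_exchange(received_at=...) shows it rejected when posted to an endpoint other than the one named in Destination, which is the check that stops a captured response from being replayed against a different service.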

Step - Signature and Encryption

Procedure

Click Next (leave all default values).

Step - Confirm

Procedure

Verify all settings and click Next.

Activate the Identity Provider / Service provider partnership

Procedure

  1. Under the Actions column, click Action on the row corresponding to the partnership.
  2. Click Activate.

Test SSO login to Talend Administration Center

Procedure

  1. Create a user on your LDAP server.
  2. Set the attributes mapped in the partnership: the roles to be referenced in Talend Administration Center (e.g. tac_admin for administrators in Talend Administration Center, dp_dm for dataset managers in Talend Data Preparation), stored in a single value separated by ",", and the project type (DI, DQ, MDM or NPA - No Project Access).
  3. Select the user.
  4. Double-click the userPassword attribute.
  5. In the Verify Password field of the Password Editor window, enter the user password.
  6. Click Bind: a popup window confirms that the authentication is successful.
  7. In your browser, open http://<WebAgentHost>/affwebservices/public/saml2sso?SPID=<SPEntityName>, where <WebAgentHost> is the host name or IP address of the server where the Web Agent is installed.
  8. When prompted for credentials, enter the user's uid and password.
  9. Click Sign In. You are logged in to Talend Administration Center.
  10. Check that the user attributes and roles are set as expected.

Results

From this point, you are able to log onto Talend Administration Center using the SSO settings configured with SiteMinder.


Test SiteMinder SSO configuration

You can test the SiteMinder-configured SSO by logging in to Talend Studio, Talend Data Preparation or Talend Data Stewardship.

Procedure

  1. In the SSO page of Talend Administration Center, define the following properties:
    • Service Provider Entity ID - <SP_Entity_ID> (the Entity ID of the Remote SP entity, TACServiceProvider in this article)
    • Identity Provider System - SiteMinder
    • SiteMinder SSO Service URL - http://<host>/affwebservices/public/saml2sso?SPID=<SPEntityID>
  2. For each application, ensure that the role field values match the ones set up in your LDAP directory.

Results

From this point, you can log in to Talend Studio, Talend Data Preparation or Talend Data Stewardship with the SSO configuration.