Configuring Talend Administration Center SSO with AD FS 2.0 - 7.3

Author: Talend Documentation Team
Version: 7.3
Products: Talend Big Data, Talend Big Data Platform, Talend Cloud, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Task: Administration and Monitoring > Managing authorizations
Platform: Talend Administration Center

AD FS 2.0 Overview

Configure Active Directory Federation Services (AD FS) 2.0 on Windows Server 2008 R2 to enable secure identity management and single sign-on (SSO) access to Talend Administration Center.

AD FS enables decentralized identity sharing between business partners by implementing the WS-Federation protocol and standards such as WS-Trust and the Security Assertion Markup Language (SAML). AD FS generates assertions for authenticated users; these assertions are sent back to Talend Administration Center, which assigns the user settings and roles based on the AD FS configuration.

For more information on system requirements and getting started with AD FS, refer to the AD FS documentation.

Installing AD FS 2.0

Active Directory Federation Services (AD FS) 2.0 runs on Windows Server 2008 R2.

Before you begin

Talend Administration Center must be configured with HTTPS. For more information, see How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center.

Procedure

  1. Download the installer file from the Microsoft website.
  2. Run AdfsSetup.exe.
  3. Click Next.
  4. Click I accept the terms in the License Agreement, then Next.
  5. Click Federation server, then Next.
  6. Click Next.
    The installation starts.
  7. Click Finish once the installation process is complete.

Results

The AD FS 2.0 Management snap-in starts automatically if you leave the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox selected.

Configuring AD FS 2.0

Procedure

  1. Click AD FS 2.0 Federation Server Configuration Wizard on the AD FS 2.0 Management overview page.
  2. Click Next.

    Leave the Create a new Federation Service checkbox selected.

  3. Click Stand-alone federation server, then Next.
  4. Select your SSL certificate and the default Federation Service name, then click Next.
    It is recommended to use an SSL certificate signed by a public certificate authority, for example Thawte or VeriSign. The certificate should also be public facing; otherwise you may experience issues later.
  5. Click Next.
  6. Click Close.

Adding Relying Party Trust

Procedure

  1. Right-click Trust Relationships > Relying Party Trusts, and select Add Relying Party Trust....
  2. Click Start.
  3. Select Enter data about the relying party manually, then click Next.
  4. Enter a display name and click Next.
  5. Select AD FS 2.0 profile and click Next.
  6. Click Next.
  7. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
  8. Enter the single sign-on service URL in the Relying party SAML 2.0 SSO Service URL field.
    For example, https://localhost:8080/org.talend.administrator/ssologin.
  9. On the Configure Identifiers page, enter the same service URL as in step 8, then click Add and Next.
  10. Leave the Permit all users to access this relying party option selected and click Next.

    You may change the issuance authorization rules later.

  11. Click Next, then Close.

    Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox selected.

Results

The Edit Claim Rules for... window opens.

Adding Claim Rules

Procedure

  1. In the Edit Claim Rules for... window, click Add Rule....
  2. Define the attributes to be sent to Talend Administration Center in the SAML response.
  3. Click OK.

    For an example configuration, see Configuring Custom Roles Claim Rule (Example).

What to do next

After the configuration is finished, confirm that the basic authentication type exists in the \inetpub\adfs\ls\web.config file.

Configuring Custom Roles Claim Rule (Example)

Procedure

  1. In the Add Transform Claim Rule Wizard, select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  2. Enter a Claim rule name, for example, EmailAddress.
  3. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
  4. Click Finish.
  5. In the Edit Claim Rules for... window, click Add Rule....
  6. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  7. Enter a Claim rule name, for example, NameId.
  8. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value = c.Value);
  9. Click Finish.
  10. In the Edit Claim Rules for... window, click Add Rule....
  11. Select Send Claims Using a Custom Rule from the drop-down list, then click Next.
  12. Enter a Claim rule name, for example, Attributes.
  13. Enter the following configuration in the Custom rule field.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("firstName", "lastName", "tac.projectType", "tac.role"), query = ";givenName,sn,displayName,department;{0}", param = c.Value);
  14. Click Finish.

Exporting Metadata

Procedure

  1. Open AD FS 2.0 Management.
  2. Navigate to Service > Endpoints and scroll down to the Metadata section.
  3. Note the path to the FederationMetadata.xml file.
  4. Download the metadata file from your AD FS host, for example, https://<ADFShost>/FederationMetadata/2007-06/FederationMetadata.xml.
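As an added example (not part of the Talend documentation or of AD FS itself), this Python script summarises a downloaded FederationMetadata.xml and checks, before the file is uploaded to Talend Administration Center, that the HTTP-POST single sign-on endpoint is served over HTTPS on the expected AD FS host and that a signing certificate is present. The sample metadata, host name and entity ID are constructed; real AD FS metadata carries more descriptors and an XML signature.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# FederationMetadata.xml uses SAML 2.0 metadata as its default namespace.
MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed-down stand-in for a downloaded FederationMetadata.xml
# (certificate text is a placeholder, not a real key; the Signature is omitted).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT-BASE64</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def summarize_metadata(xml_text):
    """Return the IdP entity ID, SSO endpoints keyed by binding, and signing-key count."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", MD)}
    signing = idp.findall("md:KeyDescriptor[@use='signing']", MD)
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_keys": len(signing)}

def check_metadata(xml_text, expected_host):
    """Checks worth running before the file is uploaded to Talend Administration Center."""
    info = summarize_metadata(xml_text)
    findings = []
    post_url = info["sso"].get(HTTP_POST)
    if post_url is None:
        findings.append("no HTTP-POST SingleSignOnService endpoint")
    else:
        u = urlparse(post_url)
        if u.scheme != "https":
            findings.append("SSO endpoint is not HTTPS: " + post_url)
        if u.hostname != expected_host:
            findings.append("SSO endpoint host %s is not %s" % (u.hostname, expected_host))
    if info["signing_keys"] == 0:
        findings.append("no signing certificate in metadata; the SP has no key to verify assertion signatures")
    return findings
```

The HTTP-POST Location is the value to compare against the Adfs SSO Url entered later in the Identity Provider Configuration.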

Linking Talend Administration Center to an Identity Provider

Procedure

  1. Log in to Talend Administration Center.
  2. If SSO has not been enabled yet, select true in the Use SSO Login field.
  3. Click Launch Upload in the IDP metadata field and upload the Identity Provider (IdP) metadata file you have previously downloaded from your Identity Provider system.
  4. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP).
    For example, http://<host>:<port>/org.talend.administrator/ssologin in Okta and ADFS, or <Connection ID> in PingFederate.
  5. Click Launch Upload in the IDP Authentication Plugin field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

    The jar files provided by Talend are located in the <TomcatPath>/webapps/org.talend.administrator/idp/plugins directory.

    It is possible to rewrite the authentication code if necessary.

    The Identity Provider System field changes automatically depending on your Identity Provider system.

  6. Click Identity Provider Configuration and fill out the required information.
    PingFederate
    • PingFederate SSO URL: https://win-350n8gtg2af:9031/idp/startSSO.ping?PartnerSpId=TAC701
    • Basic Adapter Instance ID: BasicAdapter
    Okta
    • Okta Organization URL: https://dev-515956.oktapreview.com
    • Okta Embedded Url: https://dev-515956.oktapreview.com/home/talenddev515956_talendadministrationcenter_1/0oacvlcac5j52hFhP0h7/alncvlmpk1VXbYAGu0h7
    AD FS 2
    • Adfs SSO Url: https://<host>/adfs/ls
    • Adfs Basic Auth Path: auth/basic
    • Adfs SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    AD FS 3
    • Adfs 3 SP Entity Id: https://<host>:<port>/org.talend.administrator/ssologin
    • Adfs 2 SSO Url: https://<host>/adfs/ls
  7. Set the Use Role Mapping field to true to map the application project types and user roles to those defined in the Identity Provider system.
    Once you have defined project types and roles on the Identity Provider side, you cannot edit them from Talend Administration Center.
  8. Click Mapping Configuration and fill in the role/project type fields with the corresponding SAML attributes previously set in the Identity Provider system.
    Project type examples:
    • MDM = MDM
    • DI = DI
    • DM = DM
    • NPA = NPA

    Role examples:

    • Talend Administration Center roles
      • Administrator = tac_admin
      • Operation Manager = tac_om

      Setting the Talend Administration Center roles is mandatory.

    • Talend Data Preparation roles
      • Administrator = dp_admin
      • Data Preparator = dp_dp
    • Talend Data Stewardship roles
      • Data Steward = tds_ds

    The project types and roles set in the Identity Provider override the roles set in Talend Administration Center at user login.

    If your organization does not accept custom attributes in the SAML token, either:

    1. Select Show Advanced Configuration in the wizard and, in Path to Value, enter the XPath expression to target the SAML value to map to the corresponding Talend Administration Center object (Project Types, Roles, Email, First Name, Last Name).

      Example: /saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='tac.projectType']/saml2:AttributeValue/text()

    2. Set Use Role Mapping to false.

      In this case, you cannot create users manually, but the user type and the user roles can be edited in Talend Administration Center.

      When users log in for the first time, their type is No Project Access.

    The default login timeout is set to 120 seconds, which you can change by adding the sso.config.clientLoginTimeout parameter with the desired timeout to the <ApplicationPath>/WEB-INF/classes/configuration.properties file.
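As an added example (not Talend's code), the following Python script applies the page's Path to Value expression to a constructed SAML response shaped like what the EmailAddress, NameId and Attributes claim rules above would issue, then maps the tac.projectType and tac.role values through the Mapping Configuration table and checks that a mandatory Talend Administration Center role is present. The namespace prefixes, sample user and the adjustments to the XPath (relative to the Response element, without the text() step) are assumptions made for Python's ElementTree.

```python
import xml.etree.ElementTree as ET

# Prefixes from the page's XPath example, bound to their URIs for ElementTree.
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Mapping Configuration values from the page: SAML attribute value -> role name.
ROLE_MAPPING = {"tac_admin": "Administrator", "tac_om": "Operation Manager",
                "dp_admin": "Data Preparation Administrator",
                "dp_dp": "Data Preparator", "tds_ds": "Data Steward"}
TAC_ROLES = {"tac_admin", "tac_om"}  # the page says setting these is mandatory
PROJECT_TYPES = {"MDM", "DI", "DM", "NPA"}

# Constructed response: what the EmailAddress, NameId and Attributes rules would
# issue for one user (Signature omitted; this is not a real token).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Assertion><saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
 </saml2:Subject><saml2:AttributeStatement>
  <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="tac.projectType"><saml2:AttributeValue>DI</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="tac.role"><saml2:AttributeValue>tac_admin</saml2:AttributeValue>
   <saml2:AttributeValue>tac_om</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""

def attribute_values(root, name):
    """Page's Path to Value expression, relative to Response and without text()."""
    path = ("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='%s']"
            "/saml2:AttributeValue") % name
    return [(v.text or "").strip() for v in root.findall(path, NS)]

def resolve_user(xml_text):
    """Extract identity and map project types/roles as Use Role Mapping = true would."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not emailAddress format: check the NameId rule")
    raw_roles = attribute_values(root, "tac.role")
    raw_types = attribute_values(root, "tac.projectType")
    return {
        "email": (name_id.text or "").strip(),
        "first_name": next(iter(attribute_values(root, "firstName")), ""),
        "last_name": next(iter(attribute_values(root, "lastName")), ""),
        "project_types": [t for t in raw_types if t in PROJECT_TYPES],
        "roles": [ROLE_MAPPING[r] for r in raw_roles if r in ROLE_MAPPING],
        "unknown_roles": [r for r in raw_roles if r not in ROLE_MAPPING],
        "has_tac_role": any(r in TAC_ROLES for r in raw_roles),
    }
```

Values that fall into unknown_roles or fail the has_tac_role check are the ones to look for when a user logs in with the wrong or missing roles.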

Results

You are able to log in to Talend Administration Center through your Identity Provider.