Configuring SAML external authentication - 7.3

Talend Data Catalog Administration Guide

Author: Talend Documentation Team
Version: 7.3
Products: Talend Big Data Platform, Talend Data Fabric, Talend Data Management Platform, Talend Data Services Platform, Talend MDM Platform, Talend Real-Time Big Data Platform
Tasks: Administration and Monitoring, Data Governance
Platform: Talend Data Catalog

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).

SAML requesters and responders communicate by exchanging messages. The mechanism to transport these messages is called a SAML binding. Talend Data Catalog supports HTTP redirect and HTTP POST SAML bindings.

As an administrator, you can always log in using the administrator rescue login URL: http://<host>:<port>/MM/Auth?nativeLogin, where <port> is the HTTP port on which Talend Data Catalog listens.

Here is an example of the SAML authentication workflow, where Talend Data Catalog is the service provider:
  1. You try to log in to Talend Data Catalog using a browser.
  2. Talend Data Catalog generates a SAML authentication request, signs it, and sends it to the identity provider using the HTTP-Redirect binding.
  3. Talend Data Catalog redirects the browser to the identity provider for authentication.
  4. The identity provider verifies the received SAML authentication request and, if it is valid, presents a login page where you enter your username and password.
  5. Once you have successfully logged in, the identity provider generates a SAML assertion (also known as a SAML token). It sends it directly to a Talend Data Catalog assertion consumer service, such as the Talend Data Catalog Authentication Servlet, using the HTTP-POST binding.
  6. The identity provider redirects you back to Talend Data Catalog once the assertion is successfully parsed and validated.
  7. Talend Data Catalog verifies the SAML assertion, extracts your identity from it, assigns the correct permissions and logs you in to the service.
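The following is an added example, not Talend's code and not a description of how Talend Data Catalog implements the steps above. It shows the service-provider side of the two bindings the page names: the AuthnRequest of step 2 DEFLATE-compressed and base64-encoded into the SAMLRequest query parameter (HTTP-Redirect binding), and the checks an SP runs in step 7 on the base64-encoded Response an IdP posts back (HTTP-POST binding) before it trusts the NameID. All entity IDs and URLs are assumed values, and the IdP response is constructed inline; signing the request and verifying the XML Signature on the response need an XML-DSig library and are left out, so a real SP must verify the signature before running any of the checks shown.

```python
import base64
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# All URLs and entity IDs below are assumed values for this example.
SP_ENTITY_ID = "https://catalog.example.com/MM"
ACS_URL = "https://catalog.example.com/MM/Auth"       # assertion consumer service (Auth servlet)
IDP_SSO_URL = "https://idp.example.com/sso/redirect"  # IdP HTTP-Redirect endpoint
IDP_ENTITY_ID = "https://idp.example.com"             # the one IdP this SP trusts
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"                             # SAML timestamps: UTC, trailing Z

def build_authn_request(request_id, issue_instant):
    """Step 2: minimal SP-initiated AuthnRequest (request signing not shown)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def redirect_url(request_id, issue_instant, relay_state="/MM/"):
    """The URL the browser is redirected to (steps 2 and 3)."""
    params = {"SAMLRequest": encode_redirect(build_authn_request(request_id, issue_instant)),
              "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)

def parse_redirect_request(url):
    """What the IdP does in step 4: recover the AuthnRequest XML from the URL."""
    value = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()

def saml_time(text):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)

def validate_response(response_b64, expected_request_id, now):
    """Step 7: checks the SP runs on the POSTed Response before trusting the NameID.
    A real SP verifies the XML Signature against the IdP certificate before any
    of this; that needs an XML-DSig library and is not done here."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we issued")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our assertion consumer service")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != expected_request_id
            or now >= saml_time(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation data does not match this login")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in the assertion")
    return name_id

def sample_response(request_id, now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID):
    """Constructed IdP Response (unsigned, plaintext assertion) for exercising the checks."""
    nb, na = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
           f'IssueInstant="{now.strftime(TS)}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{issuer}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{na}"/>'
           '</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    now = saml_time("2024-01-01T12:00:00Z")
    print(redirect_url("_req1", "2024-01-01T12:00:00Z")[:90] + "...")
    print(validate_response(sample_response("_req1", now), "_req1", now))
```

The InResponseTo, Recipient, audience and time-window checks are what tie a posted assertion to the specific login the SP started, so an assertion issued for another SP, for an earlier request, or past its NotOnOrAfter is rejected even though it carries a valid NameID. The rescue login URL above bypasses this whole exchange, which is why it is reserved for administrators.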