Configure the SAML2 Identity Provider in SiteMinder - 6.5

Talend Real-Time Big Data Platform Installation Guide for Windows

Before you begin

You have a SiteMinder administrator account and have installed and configured Web Agent and Web Agent OptionPack.

Procedure

  1. Create a User Directory from the SiteMinder Administrative UI.
  2. In the LDAP Settings area, set the email address attribute as the LDAP user DN lookup.
  3. Protect the authentication URL to establish the user sessions as described in the SiteMinder documentation:
    • Select your Web agent (create and configure it as described in the SiteMinder documentation).
    • Select the User Directory created previously.
    • Select a Basic Authentication Scheme (see the SiteMinder documentation for more information).
    • Clear the Persistent check box in the Session section in order not to store session information.
  4. Create a Signing certificate by importing a key/certificate pair (Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys).
  5. Create a local Identity Provider Entity (Federation > Partnership Federation > Entities):
    • Select Local and SAML2 IDP in the Entity Type step.
    • Select the Unspecified and Email Address check boxes in the Entity configuration step.
  6. Create a Partnership (Federation > Partnership Federation > Partnerships):
    • Select SAML2 IDP and tac in the Configure Partnership step.
    • Select All Users in Directory in the Federation Users step.
    • In the Assertion Configuration step, enter required information and add tac.role and tac.projectType that will match the custom LDAP User attributes (tacRole and projectType in this example). The values of these attributes will later be retrieved when configuring SSO in Talend Administration Center.
    • In the SSO and SLO step, enter the URL of the web service to redirect.jsp in Authentication URL, select urn:oasis:names:tc:SAML:2.0:classes:Password in Authentication Class, select the HTTP-Redirect and HTTP-POST bindings, and enter the URL of the Talend Administration Center SSO Servlet (http://<TACapplicationURL>/<TACapplicationName>/ssologin) in the Remote Assertion Consumer Service URLs area. Leave the other parameters as they are and finish the creation process.
  7. Activate the Partnership you created and export its metadata. You will need to upload the metadata later on the Talend Administration Center SSO configuration page.
  8. On your LDAP server, test the SSO login to the Talend Administration Center application:
    • Create an LDAP user with the custom role and project type attributes you want (for example tacRole=tac_admin,tac_viewer and projectType=DI) and check that a bind with the user's credentials succeeds.

      Note that:
      • project type values can only be DI (Data Integration), DQ (Data Quality), MDM (Master Data Management) or NPA (No Project Access).
      • if you want to assign several roles to a user, separate the roles with a comma.
    • Go to the Authentication URL previously defined (http://<host>/affwebservices/public/saml2sso?SPID=<SPEntityName>) and enter the uid/userPassword values to log in to Talend Administration Center.
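The following is an added worked example, not Talend's or SiteMinder's code, showing the two ends of the attribute mapping configured in steps 6 and 8: the Identity Provider side turns the custom LDAP attributes tacRole and projectType into the SAML attributes tac.role and tac.projectType, and the Service Provider side (the role the Talend Administration Center SSO servlet plays) pulls them back out of an assertion, splits the comma-separated role list and rejects project types outside the four values the procedure allows. The LDAP entry and the assertion XML are constructed here for illustration; a real assertion from SiteMinder also carries Issuer, Conditions and an XML Signature, which this example does not model.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# NameID format matching the "Email Address" check box selected in step 5.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The only project type values the procedure accepts.
ALLOWED_PROJECT_TYPES = {"DI", "DQ", "MDM", "NPA"}

# Constructed LDAP entry for the test user of step 8 (assumed attribute names
# from the page; uid and mail values are made up).
SAMPLE_LDAP_ENTRY = {
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "tacRole": "tac_admin,tac_viewer",
    "projectType": "DI",
}


def ldap_to_saml_attributes(entry):
    """IdP-side mapping from the Assertion Configuration step: the custom LDAP
    attributes become the tac.role and tac.projectType SAML attributes."""
    return {"tac.role": entry["tacRole"], "tac.projectType": entry["projectType"]}


def build_assertion(entry):
    """Build a minimal, unsigned <saml:Assertion> with an email-address NameID
    and an AttributeStatement. Constructed for illustration only."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=EMAIL_FORMAT)
    name_id.text = entry["mail"]
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in ldap_to_saml_attributes(entry).items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(xml_text):
    """SP-side extraction: NameID (must be in emailAddress format), the role list
    split on commas, and the project type checked against the allowed set.
    Raises ValueError on anything the SSO configuration could not consume."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    if "tac.role" not in attrs or "tac.projectType" not in attrs:
        raise ValueError("assertion lacks tac.role or tac.projectType")

    # Several roles arrive as one comma-separated value (step 8 note).
    roles = [r.strip() for r in attrs["tac.role"][0].split(",") if r.strip()]
    if not roles:
        raise ValueError("tac.role carries no role")
    project_type = attrs["tac.projectType"][0].strip()
    if project_type not in ALLOWED_PROJECT_TYPES:
        raise ValueError(f"unknown project type {project_type!r}")

    return {"email": name_id.text, "roles": roles, "project_type": project_type}


if __name__ == "__main__":
    # Round trip: IdP builds the assertion, SP consumes it.
    print(parse_assertion(build_assertion(SAMPLE_LDAP_ENTRY)))
```

Running the module prints the email, the two roles and the project type recovered from the assertion; feeding it an entry whose projectType is not one of DI, DQ, MDM or NPA raises ValueError, which is the point at which a misconfigured LDAP attribute would surface before the user ever reaches Talend Administration Center.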

Results

Once your application and users are set in SiteMinder and LDAP, you need to link the Identity Provider to Talend Administration Center in order to retrieve the user information you have defined.

Note that Single Sign-On is only available for Talend Administration Center, but user information for the related applications can be centralized in SiteMinder: Talend lets you manage application user roles and user project types, including those of Talend Administration Center, Talend Data Preparation and Talend Data Stewardship users, outside of Talend Administration Center, from the Identity Provider.

For more detailed information, see the article about SiteMinder configuration on Talend Help Center.