Configuring SAML Authentication
Cloudera Data Science Workbench supports the Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication; in particular, between an identity provider (IDP) and a service provider (SP).
The SAML specification defines three roles: the principal (typically a user), the IDP, and the SP. In the use case addressed by SAML, the principal (user agent) requests a service from the service provider. The service provider requests and obtains an identity assertion from the IDP. On the basis of this assertion, the SP can make an access control decision—in other words it can decide whether to perform some service for the connected principal.
The primary SAML use case is called web browser single sign-on (SSO). A user with a user agent (usually a web browser) requests a web resource protected by a SAML SP. The SP, wanting to know the identity of the requesting user, issues an authentication request to a SAML IDP through the user agent. In the context of this terminology, Cloudera Data Science Workbench operates as a SP.
Cloudera Data Science Workbench supports both SP- and IDP-initiated SAML 2.0-based SSO. Its Assertion Consumer Service (ACS) API endpoint is for consuming assertions received from the Identity Provider. If your Cloudera Data Science Workbench domain root were cdsw.company.com, then this endpoint would be available at http://cdsw.company.com/api/v1/saml/acs. SAML 2.0 metadata is available at http://cdsw.company.com/api/v1/saml/metadata for IDP-initiated SSO. Cloudera Data Science Workbench uses HTTP Redirect Binding for authentication requests and expects to receive responses via HTTP POST Binding.
Cloudera Data Science Workbench reads the following user attributes from the SAML assertion:
- The unique identifier or username. Valid attributes are:
  - uid
  - urn:oid:0.9.2342.19200300.100.1.1
- The email address. Valid attributes are:
  - mail
  - email
  - urn:oid:0.9.2342.19200300.100.1.3
- The common name or full name of the user. Valid attributes are:
  - cn
  - urn:oid:2.5.4.3

In the absence of the cn attribute, Cloudera Data Science Workbench will attempt to use the following user attributes, if they exist, as the full name of the user:
- The first name of the user. Valid attributes are:
  - givenName
  - urn:oid:2.5.4.42
- The last name of the user. Valid attributes are:
  - sn
  - urn:oid:2.5.4.4
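The attribute mapping above, worked through as an added example that is not Cloudera's own code: it parses the AttributeStatement of a SAML 2.0 assertion and resolves username, email and full name using the documented attribute names and the givenName/sn fallback when cn is absent. The sample assertion is constructed for illustration, and the example deliberately stops at attribute mapping; signature and audience validation of the assertion happen before this step and are out of scope here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Cloudera Data Science Workbench accepts for each user field.
USERNAME_ATTRS = ("uid", "urn:oid:0.9.2342.19200300.100.1.1")
EMAIL_ATTRS = ("mail", "email", "urn:oid:0.9.2342.19200300.100.1.3")
FULLNAME_ATTRS = ("cn", "urn:oid:2.5.4.3")
FIRSTNAME_ATTRS = ("givenName", "urn:oid:2.5.4.42")
LASTNAME_ATTRS = ("sn", "urn:oid:2.5.4.4")

def extract_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its first value."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text and value.text.strip():
            attrs.setdefault(attr.get("Name"), value.text.strip())
    return attrs

def first_present(attrs, names):
    """Value of the first accepted attribute name that is present, else None."""
    return next((attrs[n] for n in names if attrs.get(n)), None)

def map_user(assertion_xml):
    """Resolve username, email and full name with the documented fallbacks."""
    attrs = extract_attributes(assertion_xml)
    username = first_present(attrs, USERNAME_ATTRS)
    email = first_present(attrs, EMAIL_ATTRS)
    if username is None or email is None:
        raise ValueError("assertion lacks a username or email attribute")
    full_name = first_present(attrs, FULLNAME_ATTRS)
    if full_name is None:
        # No cn: build the full name from givenName and sn when they exist.
        parts = [first_present(attrs, FIRSTNAME_ATTRS), first_present(attrs, LASTNAME_ATTRS)]
        full_name = " ".join(p for p in parts if p) or None
    return {"username": username, "email": email, "full_name": full_name}

# Constructed sample assertion (not captured from a real IDP): OID-form
# username, no cn, so the full name must come from givenName and sn.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email"><saml:AttributeValue>jdoe@company.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""
```

Running `map_user(SAMPLE_ASSERTION)` shows the OID form of uid and the friendly form of email being accepted interchangeably, and the full name assembled as "Jane Doe" only because cn is missing.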