How Login Works with SAML Group Settings Enabled
With SAML Group settings enabled, the login process in Cloudera Data Science Workbench works as follows.
-
Authentication by Identity Provider
When an unauthenticated user accesses Cloudera Data Science Workbench, they are first sent to the identity provider’s login page, where the user can login as usual.
Once successfully authenticated by the identity provider, the user is sent back to Cloudera Data Science Workbench along with a SAML assertion that includes, amongst other things, a list of the user's attributes.
-
Authorization Check for Access to Cloudera Data Science Workbench
Cloudera Data Science Workbench will attempt to look up the value of the SAML Attribute Identifier for User Role in the SAML assertion and check to see whether that value, which could be one or more group names, exists in the SAML User Groups and SAML Full Administrator Groups whitelists.
If there is a match with a group listed under SAML User Groups, this user will be allowed to access Cloudera Data Science Workbench as a regular user.
If there is a match with a group listed under SAML Full Administrator Groups, this user will be allowed to access Cloudera Data Science Workbench as a site administrator.