User authentication

You can now secure Edge Flow Manager (EFM) by integrating with Single Sign On (SSO) identity providers for login and assign roles to users to control access to agent classes and authorized actions. Learn about the properties that you need to set for users to authenticate to EFM.

When EFM is secured, users must have a method to authenticate to EFM. EFM supports the following methods of authentication:
  • SSO integration with an identity provider using SAML 2.0
  • SSO integration with an identity provider using OpenID Connect (OIDC)
  • SSO with Apache Knox (using Knox as a gateway is not possible)
  • Mutual TLS (mTLS) authentication with client certificates
  • Proxy authentication

Integrating with an SSO identity provider using OIDC or SAML is the preferred approach for authenticating users. If OIDC is available, Cloudera recommends it as it is usually the easiest to configure and administer.

For service accounts, such as those that programmatically interact with the EFM RESTful API for automation or monitoring purposes, mutual TLS authentication must be used. It can be enabled in addition to another mechanism, such as one of the SSO login options.

MiNiFi agents use a different method of authenticating to EFM not controlled by these properties. For more information on MiNiFi agent authentication, see Agent authentication.

You need to set the following properties that are shared by all user authentication methods:
# User Authentication Properties
efm.security.user.auth.enabled=true
efm.security.user.auth.adminIdentities=admin
efm.security.user.auth.autoRegisterNewUsers=true
efm.security.user.auth.authTokenExpiration=12h

Where,

  • efm.security.user.auth.enabled

    Set to true to enable user authentication in EFM. You must also enable a specific method of authentication (oidc|saml|knox|certificate|proxy) when user authentication is enabled.

  • efm.security.user.auth.adminIdentities

    A comma-separated list of identities for the initial admins, who can then configure access policies for other users and groups in EFM. For more information on initial admins, see Access control bootstrapping.

    If an admin identity contains a special character such as a comma (,), for example a certificate DN, use the indexed property key format instead, one identity per key:
    • efm.security.user.auth.adminIdentities[0]=CN=admin1, OU=systems, O=cloudera
    • efm.security.user.auth.adminIdentities[1]=CN=admin2, OU=systems, O=cloudera
    • ...
    • efm.security.user.auth.adminIdentities[n]=CN=adminN, OU=systems, O=cloudera
  • efm.security.user.auth.autoRegisterNewUsers

    With SAML or OIDC, EFM can optionally create EFM user accounts for authenticated users automatically the first time that they log into EFM, rather than users needing to be explicitly created in EFM prior to first login. Set to true to enable this feature.
  • efm.security.user.auth.authTokenExpiration

    With SAML or OIDC, EFM issues access tokens once a user is authenticated through SSO. This property specifies the duration for which the token is valid.
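As an added illustration of why the indexed adminIdentities key format exists (example code written here, not Cloudera's or EFM's own), the following Python reads a constructed efm.properties fragment, collects the admin identities from either key form, and flags a DN that the plain comma-separated form would split into bogus identities. Only the property names come from the page; the parsing rules and the sample values are assumptions.

```python
import re

# Constructed efm.properties fragments for this example (not from a deployment).
# Indexed form: each admin DN stays whole even though it contains commas.
INDEXED_FORM = """
# User Authentication Properties
efm.security.user.auth.enabled=true
efm.security.user.auth.adminIdentities[0]=CN=admin1, OU=systems, O=cloudera
efm.security.user.auth.adminIdentities[1]=CN=admin2, OU=systems, O=cloudera
efm.security.user.auth.autoRegisterNewUsers=true
efm.security.user.auth.authTokenExpiration=12h
"""
# Plain form with the same DN: the comma-separated list is split on commas.
PLAIN_FORM = "efm.security.user.auth.adminIdentities=CN=admin1, OU=systems, O=cloudera\n"

ADMIN_KEY = "efm.security.user.auth.adminIdentities"
INDEXED_KEY = re.compile(re.escape(ADMIN_KEY) + r"\[(\d+)\]$")


def parse_properties(text):
    """Parse key=value lines; the value is everything after the first '='.
    (Assumed minimal .properties syntax: comments start with '#', no escapes.)"""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def admin_identities(props):
    """Return the admin identities: indexed keys when present (in index order),
    otherwise the plain key split on commas, as the property description says."""
    indexed = {}
    for key, value in props.items():
        m = INDEXED_KEY.match(key)
        if m:
            indexed[int(m.group(1))] = value
    if indexed:
        return [indexed[i] for i in sorted(indexed)]
    return [p.strip() for p in props.get(ADMIN_KEY, "").split(",") if p.strip()]


def dn_fragments(identities):
    """Identities that look like pieces of a DN split on its commas: an RDN
    such as 'OU=systems' that carries '=' but does not start with 'CN='."""
    return [i for i in identities if "=" in i and not i.upper().startswith("CN=")]
```

Running dn_fragments over the plain form returns the stray RDNs, which is the misconfiguration the indexed keys avoid.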