User authentication

You can secure Edge Flow Manager (EFM) by integrating with Single Sign-On (SSO) identity providers for login purposes. You can also manage user roles to control access to agent classes and authorized actions. Learn about the properties that you need to configure to enable user authentication within EFM.

Securing EFM requires a reliable authentication mechanism for users. EFM supports the following authentication methods:
  • SSO integration with an identity provider using SAML 2.0
  • SSO integration with an identity provider using OpenID Connect (OIDC)
  • SSO with Apache Knox (using Knox as a gateway is not possible)
  • Mutual TLS (mTLS) authentication with client certificates
  • Proxy authentication
  • LDAP authentication

Integrating with an SSO identity provider using OIDC or SAML is the preferred approach for authenticating users. If OIDC is available, Cloudera recommends it as it is usually the easiest to configure and administer.

For service accounts, such as those that programatically interact with the EFM RESTful API for automation or monitoring purpose, mutual TLS authentication must be used, and can be enabled in addition to another mechanism such as one of the SSO login options.

MiNiFi agents use a different method of authenticating to EFM not controlled by these properties. For more information on MiNiFi agent authentication, see Agent authentication.

You need to set the following properties that are shared by all user authentication methods:
# User Authentication Properties
efm.security.user.auth.enabled=true
efm.security.user.auth.adminIdentities=admin
efm.security.user.auth.autoRegisterNewUsers=true
efm.security.user.auth.authTokenExpiration=12h

Where,

  • efm.security.user.auth.enabled

    Set to true to enable user authentication in EFM. You must also enable a specific method of authentication (oidc|saml|knox|certificate|proxy) when user authentication is enabled.

  • efm.security.user.auth.adminIdentities

    A comma separated list of identities needed for initial admins that can configure other user and group access policies in EFM. For more information on initial admins, see Access control bootstrapping.

    If admin identities contain special characters such as a comma (,), then this alternative property key format can be used:
    • efm.security.user.auth.adminIdentities[0]=CN=admin1, OU=systems, O=cloudera
    • efm.security.user.auth.adminIdentities[1]=CN=admin2, OU=systems, O=cloudera
    • ...
    • efm.security.user.auth.adminIdentities[n]=CN=adminN, OU=systems, O=cloudera
  • efm.security.user.auth.autoRegisterNewUsers

    With SAML or OIDC, EFM can optionally create EFM user accounts for authenticated users automatically the first time that they log into EFM, rather than users needing to be explicitly created in EFM prior to first login. Set to true to enable this feature.
  • efm.security.user.auth.authTokenExpiration

    With SAML, OIDC, or LDAP, EFM issues access tokens once a user is authenticated. This property specifies the duration for which the token is valid.