User authentication

You can secure Edge Flow Manager by integrating with Single Sign-On (SSO) identity providers for login purposes. You can also manage user roles to control access to agent classes and authorized actions. Learn about the properties that you need to configure to enable user authentication within Edge Flow Manager.

Securing Edge Flow Manager requires a reliable authentication mechanism for users. Edge Flow Manager supports the following authentication methods:
  • SSO integration with an identity provider using SAML 2.0
  • SSO integration with an identity provider using OpenID Connect (OIDC)
  • SSO with Apache Knox (using Knox as a gateway is not possible)
  • Mutual TLS (mTLS) authentication with client certificates
  • Proxy authentication
  • LDAP authentication

Integrating with an SSO identity provider using OIDC or SAML is the preferred approach for authenticating users. If OIDC is available, Cloudera recommends it as it is usually the easiest to configure and administer.

For service accounts, such as those that programmatically interact with the Edge Flow Manager RESTful API for automation or monitoring purposes, mutual TLS authentication must be used. It can be enabled in addition to another mechanism, such as one of the SSO login options.

MiNiFi agents use a different method of authenticating to Edge Flow Manager not controlled by these properties. For more information on MiNiFi agent authentication, see Agent authentication.

You need to set the following properties that are shared by all user authentication methods:
# User Authentication Properties
efm.security.user.auth.enabled=true
efm.security.user.auth.adminIdentities=admin
efm.security.user.auth.autoRegisterNewUsers=true
efm.security.user.auth.authTokenExpiration=12h

Where,

  • efm.security.user.auth.enabled

    Set to true to enable user authentication in Edge Flow Manager. You must also enable a specific method of authentication (oidc|saml|knox|certificate|proxy) when user authentication is enabled.

  • efm.security.user.auth.adminIdentities

    A comma-separated list of identities for the initial admins, who can then configure access policies for other users and groups in Edge Flow Manager. For more information on initial admins, see Access control bootstrapping.

    If an admin identity itself contains special characters such as a comma (,), as a certificate distinguished name does, use this alternative indexed property key format instead:
    • efm.security.user.auth.adminIdentities[0]=CN=admin1, OU=systems, O=cloudera
    • efm.security.user.auth.adminIdentities[1]=CN=admin2, OU=systems, O=cloudera
    • ...
    • efm.security.user.auth.adminIdentities[n]=CN=adminN, OU=systems, O=cloudera

  • efm.security.user.auth.autoRegisterNewUsers

    With SAML or OIDC, Edge Flow Manager can optionally create a user account automatically the first time an authenticated user logs in, instead of requiring that the user be created in Edge Flow Manager before the first login. Set to true to enable this behavior.

  • efm.security.user.auth.authTokenExpiration

    With SAML, OIDC, or LDAP, Edge Flow Manager issues access tokens once a user is authenticated. This property specifies the duration for which the token is valid.
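The indexed adminIdentities format exists because a distinguished name such as CN=admin1, OU=systems, O=cloudera would be split on its commas if placed in the plain comma-separated value. The following is an added example, not Cloudera's code, that resolves adminIdentities from either form and flags the split-DN misconfiguration; the two property fragments and the RDN-type heuristic in lint() are constructed for illustration.

```python
import re

PREFIX = "efm.security.user.auth."

# Constructed sample: a DN placed in the plain comma-separated form (the pitfall).
SAMPLE_PLAIN = """\
efm.security.user.auth.adminIdentities=CN=admin1, OU=systems, O=cloudera
"""

# Constructed sample: the same kind of DNs in the indexed form the docs recommend.
SAMPLE_INDEXED = """\
efm.security.user.auth.adminIdentities[0]=CN=admin1, OU=systems, O=cloudera
efm.security.user.auth.adminIdentities[1]=CN=admin2, OU=systems, O=cloudera
"""

def parse_properties(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def admin_identities(props):
    """Resolve adminIdentities; indexed [n] keys take precedence over the plain list."""
    indexed = {}
    for key, value in props.items():
        m = re.fullmatch(re.escape(PREFIX) + r"adminIdentities\[(\d+)\]", key)
        if m:
            indexed[int(m.group(1))] = value
    if indexed:
        return [indexed[i] for i in sorted(indexed)]
    plain = props.get(PREFIX + "adminIdentities", "")
    return [p.strip() for p in plain.split(",") if p.strip()]

def lint(props):
    """Return warnings for admin-identity misconfigurations the docs describe."""
    warnings = []
    ids = admin_identities(props)
    if not ids:
        warnings.append("no initial admin identities configured")
    # Heuristic (assumption): a fragment such as "OU=systems" on its own means a
    # DN was split on commas, so none of the resulting identities will ever match.
    if PREFIX + "adminIdentities" in props and len(ids) > 1 and any(
        re.match(r"(OU|O|DC|L|ST|C)=", i) for i in ids
    ):
        warnings.append("adminIdentities holds a DN split on commas; use adminIdentities[n]")
    return warnings
```

Run lint(parse_properties(...)) over your efm.properties before restarting the service; an empty list means the initial admins resolve to the identities you intended.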