Prepare Files
- A Java keystore containing a private key for Cloudera Manager to use to sign and encrypt SAML messages.
- The SAML metadata XML file from your IDP. This file must contain the public certificates needed to verify the signing/encryption key used by your IDP per the SAML Metadata Interoperability Profile. For example, if you are using the Shibboleth IdP, the metadata file is available at: https://<IdPHOST>:8080/idp/shibboleth.
- The entity ID that should be used to identify the Cloudera Manager instance.
- How the user ID is passed in the SAML authentication response:
  - As an attribute. If so, what identifier is used.
  - As the NameID.
- The method by which the Cloudera Manager role will be established:
  - From an attribute in the authentication response:
    - What identifier will be used for the attribute.
    - What values will be passed to indicate each role.
  - From an external script that will be called for each user:
    - The script takes the user ID as $1.
    - The script sets an exit code that reflects the outcome of the lookup. Valid exit codes are 0 to 127. Cloudera Manager uses these values to map authenticated users to Cloudera Manager user roles.
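The external role-mapping script described above, written here as an added example rather than Cloudera's own code: Cloudera Manager passes the SAML user ID as $1 and reads the exit code (0 to 127); the user-to-code table, the code 127 for unknown users, and the allowed identifier character set are constructed assumptions, and which role each code means is whatever you configure on the Cloudera Manager side.

```shell
#!/bin/sh
# Added example (not Cloudera's code): an external SAML role-mapping script.
# Cloudera Manager invokes it as "script <user-id>" and uses the exit code
# (0-127) to select the user's role; the meaning of each code is configured
# in Cloudera Manager, not here.

# Constructed table for illustration: one "user:code" entry per line.
ROLE_TABLE='
alice@example.com:1
bob@example.com:2
'
# Assumption: users not in the table get 127 (treat as "no role / reject").
UNKNOWN_USER_CODE=127

# Print the exit code for a user ID. The ID is restricted to a conservative
# character set so a crafted identifier (e.g. one containing ':' or a newline)
# cannot match a different line of the table or confuse the field split.
lookup_role_code() {
    uid="$1"
    case "$uid" in
        ''|*[!A-Za-z0-9@._-]*) echo "$UNKNOWN_USER_CODE"; return 0 ;;
    esac
    # Exact string comparison on the first field; first match wins.
    code=$(printf '%s\n' "$ROLE_TABLE" | awk -F: -v u="$uid" '$1 == u { print $2; exit }')
    case "$code" in
        ''|*[!0-9]*) echo "$UNKNOWN_USER_CODE" ;;          # missing or non-numeric
        *) if [ "$code" -le 127 ]; then echo "$code"        # in the valid range
           else echo "$UNKNOWN_USER_CODE"; fi ;;            # out of range: reject
    esac
}

# When Cloudera Manager runs the script with a user ID, report the code as the
# process exit status.
if [ $# -gt 0 ]; then
    exit "$(lookup_role_code "$1")"
fi
```

Keep the script and its table readable only by the account Cloudera Manager runs as, since whoever can edit the table can assign roles.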
Configure Cloudera Manager
After you configure authentication for Cloudera Manager, configure authorization for the authenticated users. This is done by mapping the authenticated users to Cloudera Manager user roles.