Cloudera Docs

Enabling SSO to a Virtual Warehouse

Learn how to enable SSO (single sign-on) to your Virtual Warehouse from JDBC/ODBC clients. Your authorized clients can connect to the Virtual Warehouse using SSO. Find out how to recognize a connection string to connect to a Virtual Warehouse that is SSO-enabled.

You enable SSO connections to your Virtual Warehouse when you create a Virtual Qarehouse. Authentication occurs through your browser and enterprise identity provider (IdP) provider. Your authorized clients can connect to the Virtual Warehouse using SSO.

When you configure an Impala Virtual Warehouse to use SSO, connections that use the JDBC URL or the ODBC connection string are SSO-enabled connections. Connections to the warehouse using the Impala shell will still use LDAP.

When you configure a Hive Virtual Warehouse to use SSO, all connections that use the JDBC URL are authenticated with the IdP provider that is configured in Management Console.

If you are using ODBC to connect, ODBC connector (driver) documentation explains how to make the ODBC connection.

  • You must configure an IdP in the User Management module of Management Console compliant with Security Assertion Markup Language (SAML 2.0).
  • In Management Console > User Management you must set up a user group, required for enabling SSO, that identifies the users authorized to access to this Virtual Warehouse.
  • You must obtain the DWAdmin role.
  1. Follow instructions for adding a new Virtual Warehouse.
  2. In Size, select the number of executors, for example xsmall-2 Executors.
  3. Optionally, select Enable SSO to enable single sign-on to your Virtual Warehouse, and in User Groups, select a user group set up in advance to access endpoints.
  4. Accept default values for other settings, or change the values to suit your use case, and click CREATE.
    Click the tooltip for information about a setting.
  5. Optionally, find your Virtual Warehouses, click options , and select Copy JDBC URL.
  6. Paste the URL somewhere, and check that a Virtual Warehouse is configured for SSO connections by looking for the auth=browser clause in JDBC URL.
    Hive example:
    jdbc:hive2://hs2-test.env-9qls4k.dw.xcu2-8y8x.dev.cldr.work/default;transportMode=http;httpPath=cliservice;ssl=true;auth=browser;
    Impala example: 
    jdbc:impala://coordinator-test.env-mxxmcn.dw.xcu2-8y8x.dev.cldr.work:443/default;
AuthMech=12;transportMode=http;httpPath=cliservice;ssl=1;auth=browser;
  7. Give users the JDBC JAR and JDBC URL information for connecting to the Virtual Warehouse.
    Users configure an ODBC or JDBC connection to the Virtual Warehouse with a third-party BI tool. A browser window appears with the following success message:

    "Successfully authenticated. You may close this window."

    Users can query tables they are authorized to access.