How Login Works with SAML Group Settings Enabled
Authentication by Identity Provider
When an unauthenticated user accesses Cloudera Machine Learning, they are first sent to the identity provider’s login page, where the user can log in as usual.
Once successfully authenticated by the identity provider, the user is sent back to Cloudera Machine Learning along with a SAML assertion that includes, amongst other things, a list of the user's attributes.
Authorization Check for Access to Cloudera Machine Learning
Cloudera Machine Learning attempts to look up the value of the SAML Attribute Identifier for User Role in the SAML assertion and checks whether that value, which can be one or more group names, appears in the SAML User Groups or SAML Full Administrator Groups whitelists.
If there is a match with a group listed under SAML User Groups, this user will be allowed to access Cloudera Machine Learning as a regular user.
If there is a match with a group listed under SAML Full Administrator Groups, this user will be allowed to access Cloudera Machine Learning as a site administrator.
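The authorization check described above, sketched as an added example (this is not Cloudera's code). The attribute name `memberOf`, the group names, the return labels, exact case-sensitive matching, administrator precedence when both lists match, and denial when neither matches are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Signature, Conditions and Subject are omitted;
# a real assertion must pass signature and condition validation before this check.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>platform-admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>ml-users</saml:AttributeValue>
      <saml:AttributeValue>  ml-admins  </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def role_values(assertion_xml, role_attribute):
    """Collect every value of the configured role attribute, and only that one."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != role_attribute:
            continue  # values carried by other attributes must never grant access
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()  # assumption: trim padding only
            if text:
                values.add(text)
    return values

def access_level(assertion_xml, role_attribute, user_groups, admin_groups):
    """Map the asserted groups to 'site_admin', 'user' or None (no match)."""
    groups = role_values(assertion_xml, role_attribute)
    # Assumption: the administrator list wins when both lists match, and a
    # user matching neither list is refused. The page does not state either.
    if groups & set(admin_groups):
        return "site_admin"
    if groups & set(user_groups):
        return "user"
    return None
```
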