Configuration options

Cloudera AI settings

Entity ID: Required. A globally unique name for Cloudera AI as a Service Provider. This is typically the URI.
NameID Format: Optional. The name identifier format for both Cloudera AI and Identity Provider to communicate with each other regarding a user. Default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
Authentication Context: Optional. SAML authentication context classes are URIs that specify authentication methods used in SAML authentication requests and authentication statements. Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

CDSW Private Key for Signing Authentication Requests: Optional. If you upload a private key, you must upload a corresponding certificate as well so that the Identity Provider can use the certificate to verify the authentication requests sent by Cloudera AI. You can upload the private key used for both signing authentication requests sent to Identity Provider and decrypting assertions received from the Identity Provider.
Cloudera AI Certificate for Signature Validation: Required if the Cloudera AI Private Key is set, otherwise optional. You can upload a certificate in the PEM format for the Identity Provider to verify the authenticity of the authentication requests generated by Cloudera AI. The uploaded certificate is made available at the http://cdsw.company.com/api/v1/saml/metadata endpoint.

Cloudera AI uses the following properties to support SAML assertion encryption & decryption.

Cloudera AI Certificate for Encrypting SAML Assertions - Must be configured on the Identity Provider so that Identity Provider can use it for encrypting SAML assertions for Cloudera AI
Cloudera AI Private Key for Decrypting SAML Assertions - Used to decrypt the encrypted SAML assertions.

Identity Provider SSO URL: Required. The entry point of the Identity Provider in the form of URI.
Identity Provider Signing Certificate: Optional. Administrators can upload the X.509 certificate of the Identity Provider for Cloudera AI to validate the incoming SAML responses.

Cloudera AI extracts the Identity Provider SSO URL and Identity Provider Signing Certificate information from the uploaded Identity Provider Metadata file. Cloudera AI also expects all Identity Provider metadata to be defined in a <md:EntityDescriptor> XML element with the namespace "urn:oasis:names:tc:SAML:2.0:metadata", as defined in the SAMLMeta-xsd schema.

For on-premises deployments, you must provide a certificate and private key, generated and signed with your trusted Certificate Authority, for Cloudera AI to establish secure communication with the Identity Provider.

When you're using SAML 2.0 authentication, you can use the following properties to restrict the access to Cloudera AI to certain groups of users:

SAML Attribute Identifier for User Role: The Object Identifier (OID) of the user attribute that will be provided by your identity provider for identifying a user’s role/affiliation. You can use this field in combination with the following SAML User Groups property to restrict access to Cloudera AI to only members of certain groups.

For example, if your identity provider returns the OrganizationalUnitName user attribute, you would specify the OID of the OrganizationalUnitName, which is urn:oid:2.5.4.11, as the value for this property.
SAML User Groups: A list of groups whose users have access to Cloudera AI. When this property is set, only users that are successfully authenticated AND are affiliated to at least one of the groups listed here, will be able to access Cloudera AI.

For example, if your identity provider returns the OrganizationalUnitName user attribute, add the value of this attribute to the SAML User Groups list to restrict access to Cloudera AI to that group.

If this property is left empty, all users that can successfully authenticate themselves will be able to access Cloudera AI.
SAML Full Administrator Groups: A list of groups whose users are automatically granted the site administrator role on Cloudera AI.

The groups listed under SAML Full Administrator Groups do not need to be listed again under the SAML User Groups property.