Migrating users from another preferred identity provider

For additional security, Cloudera on premises treats users with the same username from different identity providers as different users, even if they are actually the same users from the same backend user storage. This is to prevent unintended access to users from different identity providers that happen to share the same username. Therefore, for Cloudera on premises installations that have been using LDAP as the default authentication method, if you want to change your preferred identity provider type to SAML, and the LDAP and SAML identity providers have the same underlying database of users, ensure that you also migrate the affected users.

Required role: Account administrator or PowerUser

note

If you do not migrate your users from the LDAP identity provider to the SAML identity provider, a new user will be created in the Cloudera Management Console (on premises) upon login.

In previous versions (1.5.4), this new user was created with an incremental numeric suffix appended to their workload username (for example, cdpuser_0). In the current behavior (Pre and Post 1.5.4), the new user is created with the same workload username as the original user. This results in duplicate users with identical workload usernames, which can lead to inconsistent states. Therefore, migrating your users from LDAP to SAML is required to avoid duplication and maintain data consistency.

Issues caused by not migrating users:

The new user will not inherit role or group permissions from the previous LDAP user.
When running data services workloads with this user, Ranger policy-based authorization will fail because your LDAP/AD server is not aware of the new suffix.

Ensure you have:

cdp-cli client version 0.9.128 or later
Admin user access key and private key
The old and new identity providers share the same underlying database of users
The same users are configured with identical userId attributes across both identity providers.
If those conditions are not met, then unauthorized access may be granted if a new user shares the same username as an existing user post migration.

Configure SAML Identity Provider. Follow the instructions in Configuring your enterprise IdP to work with Cloudera as a service provider with SAML as your preferred authentication type.
Delete duplicate users. If users have already logged in through SAML and were previously logged in through LDAP, delete the duplicate SAML users:
1. Log in to the CDP Private Cloud Management Console as a local admin using the following URL format: https://[***MANAGEMENT CONSOLE URL***]/authenticate/login/local (Example: https://console-cdp.apps.domain.com/authenticate/login/local).
2. Navigate to User Management > Users.
3. Locate users with a _+numeric suffix, click the three-dot menu on the right, and delete these users.
  note
  Failing to delete these users will cause the migration to fail.
Migrate users using cdp-cli.
1. Download and configure the cdp-cli client (version 0.9.128 or later, include the doc for users to set up cdp-cli: Setting up CDP-CLI ). For information on the cdp-cli official doc, see CDP-CLI User Guide.
2. Run the following command to migrate users from the LDAP identity provider to the SAML identity provider:
```
cdpcli --endpoint-url <Management_Console_URL> iam migrate-users-to-identity-provider --original-provider-name cm-ldap --new-provider-name cm-saml
```
  note
  The output will display the number of users migrated.
note
You do not need to change original-provider-name (cm-ldap) and the new-provider-name (cm-saml) as they are pre-configured. For customers switching from SAML to LDAP, swap the original-provider-name and new-provider-name values in the command.