In Cloudera, you must create an identity provider to capture the SAML metadata and connection information for your enterprise IdP. To create an identity provider in Cloudera, you must be a Cloudera account administrator or have the PowerUser role.

Required role: Account administrator or PowerUser
1. Sign in to the Cloudera console.
2. From the Cloudera home page, click Cloudera Management Console.
3. In the Cloudera Management Console home page, navigate to Administration and select the Authentication tab.
4. Configure the following settings for SAML. Cloudera on premises requires the SAML assertions to be signed by the Identity Provider.
   - In IDP Metadata, select File Upload to upload a file that contains the identity provider SAML metadata, or select Direct Input to paste the identity provider SAML metadata directly.
   - To synchronize the groups, select the Sync Groups on Login option.
   If your LDAP is not configured, ensure you fill in your LDAP configuration, as it is required by Cloudera Data Services on premises for workload authorization.
5. Click Update Authentication Settings. If the signing and encryption/decryption configurations are set, the input fields show a Sensitive value set message.
6. To set up SAML as the preferred identity provider, go to the Preferred Authentication Type section, select SAML, and click Save. If you are switching your preferred authentication type from LDAP to SAML or from SAML to LDAP, ensure you migrate your users. For more information, see Migrating users from another preferred identity provider.
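Before uploading or pasting IdP metadata in step 4, it is worth checking that the document actually carries what a service provider needs to verify signed assertions: an entityID, at least one signing certificate, and HTTPS single sign-on endpoints. The following script is an added example written for this page, not Cloudera code, and Cloudera's own validation of the metadata is not documented here. The two metadata documents embedded in it are constructed samples (the certificate value is a base64 placeholder, not a real X.509 certificate), and the HTTPS-endpoint check is a general hardening assumption rather than a requirement stated on this page. It uses only the Python standard library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: valid base64, but NOT a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes").decode()

# Constructed sample IdP metadata, roughly the shape an enterprise IdP exports.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with two defects: no signing key and a plain-HTTP endpoint.
BAD_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="http://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the fields an SP relies on for its trust decision from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    signing_fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # Per the SAML metadata spec, a KeyDescriptor without a 'use'
        # attribute may be used for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            # SHA-256 over the DER bytes, to compare against what the IdP admin reports.
            signing_fingerprints.append(hashlib.sha256(der).hexdigest())

    sso = {}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        sso[svc.get("Binding")] = svc.get("Location")

    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": signing_fingerprints,
        "sso_endpoints": sso,
    }


def check_idp_metadata(info):
    """Return problems that would leave the SP unable to verify signed assertions."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_fingerprints"]:
        problems.append("no signing certificate: the SP cannot verify signed assertions")
    if not info["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", SAMPLE_IDP_METADATA), ("bad", BAD_IDP_METADATA)):
        info = parse_idp_metadata(xml_text)
        print(label, info["entity_id"], info["signing_fingerprints"])
        print("  ", check_idp_metadata(info) or "OK")
```

The fingerprint is the one value worth confirming out of band with whoever runs the IdP, since the signing certificate in the metadata is the root of trust for every assertion Cloudera will accept; certificate validity dates are not checked here because the standard library does not parse X.509.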
Once you update your authentication settings, the Authentication page shows your new identity provider (IdP) information. It reflects your previously saved configurations and also provides the Cloudera SAML Service Provider Metadata with the updated signing and encryption-decryption configurations. This metadata is used to configure your IdP.
These are the properties for your SAML identity provider:

Property: SAML Identity Provider Metadata
Description: The identity provider SAML metadata for your enterprise IdP that you provided when you created the Cloudera identity provider.

Property: Sync Groups on Login
Description: Indicates whether Cloudera synchronizes a user's group membership in Cloudera with the user's group membership in your enterprise IdP when a user logs in. For more information about user group synchronization, see Group Membership Synchronization.

Property: Generate workload username by email
Description: You can optionally check this if you want the workload username to be generated based on the email instead of the default.

Property: Cloudera SAML Service Provider Metadata
Description: The Cloudera SAML service provider metadata to configure your enterprise IdP.