In Cloudera, you must create an identity provider to
capture the SAML metadata and connection information for your enterprise IdP. To create an
identity provider in Cloudera, you must be a Cloudera account administrator or have the PowerUser
role.
Required role: Account administrator or PowerUser
Sign in to the Cloudera console.
From the Cloudera home page, click Cloudera Management Console.
In the Cloudera Management Console home page, navigate to
Administration and select the
Authentication tab.
Configure the following settings for SAML:
Cloudera on premises requires the SAML assertions to be
signed by the Identity Provider.
In IDP Metadata, select File Upload to
upload a file that contains the identity provider SAML metadata or select
Direct Input to paste the identity provider SAML metadata
directly.
To synchronize the groups, select the Sync Groups on Login
option.
Follow the steps below to configure signing of SAML AuthnRequests. The settings
for signing and verification of SAML AuthnRequests are:
Private key for signing SAML AuthnRequest:
This is the private key that Cloudera on premises uses to sign
AuthnRequests. It is optional. If you set the signing key, you must also set
the corresponding "current" certificate for signature verification; that certificate
must carry the public key belonging to this private key.
The private key must be in PEM format. You can set the key by pasting the PEM
directly through Direct Input or by uploading a PEM file through
File Upload.
Current certificate for signature verification:
The certificate that the identity provider uses to verify the signatures on
AuthnRequests generated by Cloudera on premises. It is required when the private
key for signing is set and optional otherwise. It must be in PEM format. You can set
the certificate by pasting the PEM directly through Direct
Input or by uploading a PEM file through File
Upload. This certificate is published in the
Cloudera SAML Service Provider Metadata. You must upload
the latest Service Provider metadata to your identity provider so that the identity
provider can use this certificate to verify the signed AuthnRequests
generated by Cloudera on premises.
Next certificate for signature verification:
Used during key/certificate rotation: stage the certificate for the new signing
key here so that it is published to the identity provider before you switch the
private key. It is optional. It must be in PEM format. You can set
the certificate by pasting the PEM directly through Direct
Input or by uploading a PEM file through File
Upload.
Once these settings are saved, the "current" and "next" signature
verification certificates are published in the Cloudera SAML Service
Provider Metadata XML, which becomes available after you save the
Authentication settings.
These signing settings can also be configured through the CDP CLI
command:
cdp iam set-saml-authn-request-signing-key --saml-provider
--authn-request-signing-key <pem-value>
--current-authn-request-verification-certificate <pem-value>
--next-authn-request-verification-certificate <pem-value>
The settings for encryption and decryption of SAML assertions are:
Current private key for decrypting SAML assertions: This is the private key
that Cloudera on premises uses to decrypt encrypted SAML
assertions and responses. It is optional. If you set a decryption key, you must
also set the corresponding encryption certificate. The key must be in PEM format.
You can set the decryption key by pasting the PEM directly through Direct
Input or by uploading a PEM file through File
Upload.
Next private key for decrypting SAML assertions:
Used during key/certificate rotation, so that assertions encrypted to either
key can be decrypted while the identity provider is being updated. It is
optional. It must be in PEM format. You can set the key by pasting the PEM
directly through Direct Input or by uploading a PEM file through
File Upload.
Certificate for encrypting SAML responses:
The certificate that the identity
provider uses to encrypt the SAML assertions sent to Cloudera on premises. It is required when the "current"
decryption key is set and optional otherwise. It must be in PEM format. You can set the
certificate by pasting the PEM directly through Direct Input or
by uploading a PEM file through File Upload. This certificate
is published in the Cloudera SAML Service Provider
Metadata after these settings are saved.
Encryption and decryption settings can also be set through the CDP CLI
command:
cdp iam set-saml-response-decryption-key --saml-provider
--saml-response-encryption-certificate <pem-value>
--current-saml-response-decryption-key <pem-value>
--next-saml-response-decryption-key <pem-value>
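Before uploading the regenerated Service Provider metadata to your IdP, it is worth confirming that it actually carries the signing certificates (current and next) and the encryption certificate you just saved, and, during a rotation, that the IdP has already imported the metadata containing the "next" certificate before you promote it to "current". The following is an added example that is not Cloudera code; it uses only the Python standard library. The PEM "certificates" and metadata it builds are constructed stand-ins (the base64 bodies are not real X.509 DER, and the entityID is an assumed placeholder), and the `settings` dictionary merely mirrors the three signing fields in the UI; only SHA-256 fingerprints of the encoded certificate bytes are compared, which is the same comparison you would make by hand against `openssl x509 -noout -fingerprint -sha256`.

```python
"""Check which certificates a SAML SP metadata document publishes, and gate a
current/next AuthnRequest signing-key rotation on that check.
Added example (stdlib only), not Cloudera code. Sample certificates and
metadata below are constructed placeholders, not real keys or X.509 data."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _fingerprint_b64(b64_text):
    """SHA-256 (hex) over the decoded certificate bytes; whitespace is ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def fingerprint_pem(pem):
    """Fingerprint of a PEM certificate as pasted into Direct Input."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate")
    return _fingerprint_b64(m.group(1))


def metadata_fingerprints(metadata_xml):
    """Map KeyDescriptor use ('signing' / 'encryption') to the fingerprints the
    SPSSODescriptor publishes, in document order. Per the SAML 2.0 metadata
    spec, a KeyDescriptor without a use attribute is valid for both uses."""
    root = ET.fromstring(metadata_xml)
    out = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            out.setdefault(use, []).append(_fingerprint_b64(cert.text))
    return out


def check_published(metadata_xml, current_pem, next_pem=None, encryption_pem=None):
    """Which of the configured certificates does this SP metadata actually carry?
    Run it on the metadata you are about to upload to the IdP."""
    fps = metadata_fingerprints(metadata_xml)
    result = {"current_signing": fingerprint_pem(current_pem) in fps["signing"]}
    if next_pem:
        result["next_signing"] = fingerprint_pem(next_pem) in fps["signing"]
    if encryption_pem:
        result["encryption"] = fingerprint_pem(encryption_pem) in fps["encryption"]
    return result


def promote_next(settings, new_signing_key_pem, idp_imported_metadata_xml):
    """Rotation step: the staged 'next' certificate becomes 'current', paired with
    its new private key. Refuse unless the metadata the IdP last imported already
    lists that certificate; otherwise the IdP would reject every AuthnRequest
    signed with the new key. `settings` is an assumed dict, not a Cloudera API."""
    next_cert = settings.get("next_cert")
    if not next_cert:
        raise ValueError("no next certificate staged")
    if fingerprint_pem(next_cert) not in metadata_fingerprints(idp_imported_metadata_xml)["signing"]:
        raise RuntimeError("IdP has not imported SP metadata containing the next "
                           "certificate; re-upload the SP metadata first")
    return {"signing_key": new_signing_key_pem, "current_cert": next_cert, "next_cert": None}


# --- constructed sample data (placeholders, not real certificates) ----------
def fake_cert_pem(label):
    """Deterministic placeholder 'certificate' for a label (not valid X.509)."""
    body = hashlib.sha256(label.encode()).digest() * 3
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(body).decode()
            + "-----END CERTIFICATE-----\n")


def build_sp_metadata(signing_pems, encryption_pem):
    """Minimal SP metadata in standard SAML 2.0 shape (assumed to match what
    Cloudera publishes): one signing KeyDescriptor per verification certificate
    (current, next) and one encryption KeyDescriptor. entityID is assumed."""
    kd = ('<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
          '<ds:X509Certificate>{b64}</ds:X509Certificate>'
          '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    parts = [kd.format(use="signing", b64=PEM_RE.search(p).group(1)) for p in signing_pems]
    parts.append(kd.format(use="encryption", b64=PEM_RE.search(encryption_pem).group(1)))
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://cloudera.example.internal/saml">'
            '<md:SPSSODescriptor AuthnRequestsSigned="true" '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s</md:SPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], "".join(parts)))


CURRENT_CERT, NEXT_CERT, ENC_CERT = (fake_cert_pem(x) for x in ("current", "next", "enc"))
# Metadata regenerated after saving current + next, and the older copy the IdP
# imported before 'next' was staged.
FRESH_METADATA = build_sp_metadata([CURRENT_CERT, NEXT_CERT], ENC_CERT)
STALE_METADATA = build_sp_metadata([CURRENT_CERT], ENC_CERT)

if __name__ == "__main__":
    print(check_published(FRESH_METADATA, CURRENT_CERT, NEXT_CERT, ENC_CERT))
    try:
        promote_next({"current_cert": CURRENT_CERT, "next_cert": NEXT_CERT},
                     "<new private key PEM>", STALE_METADATA)
    except RuntimeError as e:
        print("blocked:", e)
```

The same check applies to a decryption-key rotation in reverse: the IdP encrypts to whichever certificate is in the metadata it last imported, so keep the previous private key in the "next" slot until you have confirmed (with `check_published` on the metadata the IdP holds) that it is encrypting to the new certificate.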
If LDAP is not yet configured, fill in the LDAP settings as well; Cloudera Data
Services on premises requires them for workload authorization.
Click Update Authentication Settings. If the signing and
encryption/decryption settings are set, the input fields show a
Sensitive value set message.
To set up SAML as the preferred identity provider, go to the Preferred
Authentication Type section, select SAML and click
Save. If you are switching your preferred authentication type
from LDAP to SAML or from SAML to LDAP, ensure you migrate your users. For more information,
see Migrating users from another preferred identity provider.
Once you update your authentication settings, the
Authentication page shows your new identity provider (IdP)
information. It reflects your previously saved settings and also provides the
Cloudera SAML Service Provider Metadata with the updated signing
and encryption/decryption settings. Use this metadata to configure your IdP.
These are the properties for your SAML identity provider:
SAML Identity Provider Metadata: The identity provider SAML metadata for your
enterprise IdP that you provided when you created the Cloudera identity
provider.
Sync Groups on Login: Indicates whether Cloudera synchronizes a
user's group membership in Cloudera with the user's
group membership in your enterprise IdP when the user logs in.
For more information about user group synchronization, see Group Membership
Synchronization.
Generate workload username by email: Optionally check this if you want the
workload username to be generated from the user's email address instead of the
default.
Cloudera SAML Service Provider Metadata: The Cloudera SAML service provider
metadata used to configure your enterprise IdP.