Configuring Azure Active Directory identity federation in CDP
You can onboard users by configuring Azure Active Directory (Azure AD) identity federation with CDP.
Log in to CDP web interface and navigate to Management Console > User Management > select the Identity Providers tab.
Download the CDP
https://cdp.cloudera.com/iam/downloads/saml-metadata.xml) onto your computer. You will need it later.
Open another web browser window, navigate to
https://portal.azure.com/, and log in to your Azure Portal.
On your Azure Portal, navigate to the Azure Active Directory.
Select the Enterprise applications service.
Click on the +New application button.
Select the Non-gallery application.
Give the application a name, for example. CDP_id_federation.
Click on the +Add button.
Once the application is added, go to 2. Set up single sign on .
Upload the metadata XML file that you saved in the earlier step.
Federation Metadata xmlfor your Azure AD application and save it on your computer.
Switch back to CDP web interface > Management Console browser window. Click on User Management > Identity Provider on that page to create an identity provider.
Name your identity Provider in CDP, for example MyCompany_AAD, and upload the metadata XMLfile that you saved previously.
Click on MyCompany_AAD on CDP console and copy the Single Sign On URL. You will need it later.
Switch back to Azure AD Azure Portal browser window.
Edit 1.Basic SAML Configuration:
- Make sure the value for Identifier (Entity ID) is populated like “urn:cloudera:altus”. If you are federating multiple ID providers, each Identifier (Entity ID) will need to be unique.
- Paste the value from the Single Sign On URL you copied earlier into the line Reply URL (Assertion Consumer Service URL).
- Edit 2.User Attributes & Claims:
- If the customer is using on-prem Active Directory and Active Directory Connect to sync with Azure AD, you will be able to import Azure AD groups into CDP. Click +Add a group claim.
- On the Group Claims blade, do the following:
- Select Security groups or Groups assigned to the application.
- Select Source Attribute sAMAccountName.
- Check the Customize the name of the group claim.
- Enter “groups” in Name (Required).
- Namespace enter
- Click Save.
- For the rest of the claims, follow the instructions at Configuring your enterprise IdP to work with CDP.
Name Namespace Source Source Attribute firstName https://cdp.cloudera.com/SAML/Attributes Attribute user.givenname lastName https://cdp.cloudera.com/SAML/Attributes Attribute user.surname Attribute user.mail
- Click on the SAML-based Sign-On on the top.
Test this application.
Once these steps are completed, a CDP user will login with their integrated Azure AD identity through their Office 365 applications page (Office.com). A new tile will appear for the CDP application created above.
Once a user signs in, the User and Groups will show up on the CDP Management Console’s User Management screen.
- Assign users to groups within your Azure AD that you will map to roles in CDP.
- Assign CDP roles to either the new users or the groups as appropriate.