Configuring Azure Active Directory identity federation in Cloudera

You can onboard users by configuring Azure Active Directory (Azure AD) identity federation with Cloudera.

Before you begin

  • Cloudera requires the Azure AD sAMAccountName attribute for the SAML group claim mapping. As per Configure group claims for applications by using Azure Active Directory, sAMAccountName is not available with SAML on groups created in Azure AD; It is available only on groups created with on-premises AD and synced to Azure AD. If you only use Azure AD without on premises AD you can use SCIM to sync group memberships to Cloudera. See Configure SCIM with Azure AD.
  • In order to be compatible with Cloudera, your Azure AD should be configured to synchronize with on-premises Active Directory via Azure AD Connect sync tool. As per Azure documentation, you must use Azure AD Connect 1.2.70.0 or newer.

Required role: PowerUser

Steps

  1. Log in to Cloudera web interface and navigate to Cloudera Management Console> User Management, select the Identity Providers tab and click on Create Identity Provider to create an identity provider.

  2. Name your identity provider in Cloudera, for example MyCompany_AAD.

  3. Click Create.

  4. Click on MyCompany_AAD on Cloudera console and copy the CDP SAML Service Provider Metadata to an XML file (for example, saml-metadata.xml). You will need it later.

  5. Open another web browser window, navigate to https://portal.azure.com/, and log in to your Azure Portal.

  6. On your Azure Portal, navigate to the Azure Active Directory.

  7. Select the Enterprise applications service.

  8. Click on the +New application button.

  9. Select the Non-gallery application.

  10. Give the application a name, for example. CDP_id_federation.

  11. Click on the +Add button.

  12. Once the application is added, go to 2. Set up single sign on .

  13. Upload the metadata XML file that you saved in the earlier step.

  14. Download the Federation Metadata xml for your Azure AD application and save it on your computer.

  15. Switch back to Cloudera web interface and upload the metadata saved from AD and update the identity provider.
    1. Find the identity provider that you just created in Cloudera.
    2. Click the Actions button and select Update Identity Provider.
    3. On the Identity Provider window, upload the metadata XML file that you saved previously or copy and paste the content of that XML file:
    4. Verify the updates and click Update.
  16. Switch back to Azure AD Azure Portal browser window.

  17. Edit 1.Basic SAML Configuration:
    1. Make sure that the value for Identifier (Entity ID) is populated, for example “urn:cloudera:cdp:<Identity-Provider-Id>” or “urn:cloudera:altus” for legacy identity provider. Check the Service Provider Metadata to determine which identifier to use.
    2. From Cloudera SAML Service Provider Metadata you saved earlier, copy the AssertionConsumerService > Location value and paste it into the line Reply URL (Assertion Consumer Service URL).
  18. Edit 2.User Attributes & Claims:
    1. If the customer is using on-prem Active Directory and Active Directory Connect to sync with Azure AD, you will be able to import Azure AD groups into Cloudera. Click +Add a group claim.
    2. On the Group Claims blade, do the following:
      1. Select Security groups or Groups assigned to the application.
      2. Select Source Attribute sAMAccountName.
      3. Check the Customize the name of the group claim. Optionally configure Group filtering for fine control of the list of groups that are included as part of the group claim. When a filter is configured, only groups that match the filter will be included in the group's claim that is sent to Cloudera. For more information, see Azure AD group filtering.
      4. Enter “groups” in Name (Required).
      5. Namespace enter https://cdp.cloudera.com/SAML/Attributes.
      6. Click Save.
    3. For the rest of the claims, follow the instructions at Configuring your enterprise IdP to work with CDP.

      If your NameID is an opaque ID (such as a UUID), you can Generate workload usernames based on email.

    Name Namespace Source Source Attribute
    Unique User Identifier (Name ID) Attribute user.objectid
    firstName https://cdp.cloudera.com/SAML/Attributes Attribute user.givenname
    lastName https://cdp.cloudera.com/SAML/Attributes Attribute user.surname
    mail Attribute user.mail
  19. Click on the SAML-based Sign-On on the top.
  20. Test this application.

  21. Once these steps are completed, a Cloudera user will be able to log in with their integrated Azure AD identity through their Office 365 applications page (Office.com). A new tile will appear for the Cloudera application created above:

    Once a user signs in, the User and Groups will show up on the Cloudera Management Console’s User Management screen. Navigate to your office 365 applications page, click on the new tile that was created for Cloudera, and verify that you are able to log in.

  22. Once a user signs in, the User and Groups will show up on the Cloudera Management Console’s User Management screen.
What to do next:
  • Assign users to groups within your Azure AD that you will map to roles in Cloudera.
  • Assign Cloudera roles to either the new users or the groups as appropriate.