Configuring Azure Active Directory identity federation in CDP

You can onboard users by configuring Azure Active Directory (Azure AD) identity federation with CDP.

Steps

  1. Log in to the CDP web interface and navigate to Management Console > User Management > Identity Providers tab.

  2. Download the CDP service provider metadata file, saml-metadata.xml (from https://cdp.cloudera.com/iam/downloads/saml-metadata.xml), onto your computer. You will need it later.

  3. Open another web browser window, navigate to https://portal.azure.com/, and log in to your Azure Portal.

  4. On your Azure Portal, navigate to the Azure Active Directory.

  5. Select the Enterprise applications service.

  6. Click on the +New application button.

  7. Select the Non-gallery application.

  8. Give the application a name, for example CDP_id_federation.

  9. Click on the +Add button.

  10. Once the application is added, go to 2. Set up single sign on.

  11. Upload the CDP saml-metadata.xml file that you saved in the earlier step.

  12. Download the Federation Metadata xml for your Azure AD application and save it on your computer.

  13. Switch back to the CDP web interface > Management Console browser window. Click User Management > Identity Providers and create a new identity provider.

  14. Name your identity provider in CDP, for example MyCompany_AAD, and upload the Azure AD federation metadata XML file that you saved in the previous step.

  15. Click Create.

  16. Click MyCompany_AAD on the CDP console and copy the Single Sign On URL. This is the Assertion Consumer Service (ACS) URL that Azure AD must post assertions to; you will need it later.

  17. Switch back to Azure AD Azure Portal browser window.

  18. Edit 1. Basic SAML Configuration:
    1. Make sure Identifier (Entity ID) is populated with the CDP entity ID, “urn:cloudera:altus”. If you are federating multiple identity providers from the same Azure AD tenant, each application's Identifier (Entity ID) must be unique.
    2. Paste the Single Sign On URL you copied from CDP into Reply URL (Assertion Consumer Service URL).
  19. Edit 2. User Attributes & Claims:
    1. If your organization syncs an on-premises Active Directory to Azure AD with Azure AD Connect, you can import Azure AD groups into CDP. Click +Add a group claim.
    2. On the Group Claims blade, do the following:
      1. Select Security groups or Groups assigned to the application. Groups assigned to the application keeps the claim limited to groups you deliberately assign; note that Azure AD omits the group claim entirely (and emits a group-overage claim instead) when a user belongs to more than 150 groups in a SAML token.
      2. Select Source Attribute sAMAccountName (this attribute is only available for groups synced from on-premises Active Directory).
      3. Check Customize the name of the group claim.
      4. Enter “groups” in Name (Required).
      5. For Namespace, enter https://cdp.cloudera.com/SAML/Attributes.
      6. Click Save.
    3. For the rest of the claims, follow the instructions in Configuring your enterprise IdP to work with CDP. The claims to add are:

       Name        Namespace                                  Source      Source Attribute
       firstName   https://cdp.cloudera.com/SAML/Attributes   Attribute   user.givenname
       lastName    https://cdp.cloudera.com/SAML/Attributes   Attribute   user.surname
       mail        (none)                                     Attribute   user.mail
  20. Click SAML-based Sign-on at the top of the page.
  21. Test the application.
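Before relying on step 21 alone, it helps to check the two SAML artifacts the procedure produces: the Azure AD federation metadata downloaded in step 12, and the assertion Azure AD emits once the claims in step 19 are configured. The script below is an added example, not Cloudera or Microsoft code. It parses a constructed federation metadata document (entity ID, SSO endpoints, signing certificate) and a constructed SAML response, and checks that the Audience matches the Entity ID from step 18 and that every CDP attribute name is present. It assumes Azure AD emits a custom claim's SAML Attribute Name as the namespace joined to the name with a slash (https://cdp.cloudera.com/SAML/Attributes/firstName) and a claim with an empty namespace as the bare name (mail); the tenant ID, URLs, certificate text and user data are placeholders. Signature validation is deliberately out of scope and must be done by the SAML library of the consuming service.

```python
"""Shape-check Azure AD SAML artifacts for a CDP federation (added example).

Assumes Azure AD names custom claims "<namespace>/<name>" and leaves a claim
with an empty namespace as the bare name. Does NOT verify XML signatures.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
CDP_NS = "https://cdp.cloudera.com/SAML/Attributes"
CDP_ENTITY_ID = "urn:cloudera:altus"          # Identifier (Entity ID) from step 18
REQUIRED_ATTRIBUTES = {
    f"{CDP_NS}/firstName",
    f"{CDP_NS}/lastName",
    f"{CDP_NS}/groups",
    "mail",                                     # configured with no namespace
}

# Constructed federation metadata, shaped like the file from step 12 (placeholder tenant/cert).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-placeholder-not-a-real-cert</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SAML response with the claims from step 19 (placeholder user and groups).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:cloudera:altus</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://cdp.cloudera.com/SAML/Attributes/firstName">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://cdp.cloudera.com/SAML/Attributes/lastName">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://cdp.cloudera.com/SAML/Attributes/groups">
        <saml:AttributeValue>cdp-admins</saml:AttributeValue>
        <saml:AttributeValue>cdp-data-engineers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion, but with the group claim left at Azure AD's default name
# (step 19.2 skipped): CDP will not recognise it as its "groups" attribute.
SAML_RESPONSE_BAD_GROUPS = SAML_RESPONSE.replace(
    f"{CDP_NS}/groups", "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entity ID, SSO endpoints by binding, and signing-cert count."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"          # absent "use" means any use
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def check_assertion(xml_text: str) -> dict:
    """Report audience match, missing CDP attributes, and the group values carried."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    audiences = {a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "audience_ok": CDP_ENTITY_ID in audiences,
        "missing": sorted(REQUIRED_ATTRIBUTES - attrs.keys()),
        "groups": attrs.get(f"{CDP_NS}/groups", []),
    }


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(check_assertion(SAML_RESPONSE))
    print(check_assertion(SAML_RESPONSE_BAD_GROUPS))
```

Run it against a real federation metadata file and a decoded SAMLResponse captured from a browser's developer tools to confirm the Entity ID and claim names before opening the application to users; a non-empty "missing" list is the usual cause of users appearing in CDP with no name or no group memberships.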

Once these steps are completed, a CDP user can log in with their Azure AD identity through their Office 365 applications page (Office.com), where a new tile appears for the CDP application created above.

Once a user signs in, the user and their groups show up on the CDP Management Console’s User Management screen.

What to do next:
  • Assign users to groups within your Azure AD that you will map to roles in CDP.
  • Assign CDP roles to either the new users or the groups as appropriate.