Configuring Azure Active Directory identity federation in CDP
You can onboard users by configuring Azure Active Directory (Azure AD) identity federation with CDP.
Steps

- Log in to the CDP web interface and navigate to Management Console > User Management, select the Identity Providers tab, and click Create Identity Provider to create an identity provider.
- Name your identity provider in CDP, for example MyCompany_AAD, and upload the metadata XML file that you saved previously.
- Click Create.
- Click MyCompany_AAD on the CDP console and copy the CDP SAML Service Provider Metadata to an XML file (for example, saml-metadata.xml). You will need it later.
- Open another web browser window, navigate to https://portal.azure.com/, and log in to your Azure Portal.
- On your Azure Portal, navigate to Azure Active Directory.
- Select the Enterprise applications service.
- Click the +New application button.
- Select Non-gallery application.
- Give the application a name, for example CDP_id_federation.
- Click the +Add button.
- Once the application is added, go to 2. Set up single sign on.
- Upload the metadata XML file that you saved in the earlier step.
- Download the Federation Metadata XML for your Azure AD application and save it on your computer.
- Switch back to the CDP web interface, upload the metadata saved from Azure AD, and update the identity provider:
  - Find the identity provider that you just created in CDP.
  - Click the Actions button and select Update Identity Provider.
  - On the Identity Provider window, upload the metadata XML file that you saved previously, or copy and paste the content of that XML file.
  - Verify the updates and click Update.
- Switch back to the Azure AD browser window in the Azure Portal.
- Edit 1. Basic SAML Configuration:
  - Make sure that the value for Identifier (Entity ID) is populated, for example "urn:cloudera:cdp:<Identity-Provider-Id>", or "urn:cloudera:altus" for a legacy identity provider. Check the Service Provider Metadata to determine which identifier to use.
  - From the CDP SAML Service Provider Metadata you saved earlier, copy the AssertionConsumerService > Location value and paste it into the Reply URL (Assertion Consumer Service URL) field.
- Edit 2. User Attributes & Claims:
  - If the customer is using on-premises Active Directory and Active Directory Connect to sync with Azure AD, you can import Azure AD groups into CDP. Click +Add a group claim.
  - On the Group Claims blade, do the following:
    - Select Security groups or Groups assigned to the application.
    - Select Source Attribute sAMAccountName.
    - Check Customize the name of the group claim.
    - Enter "groups" in Name (Required).
    - Enter https://cdp.cloudera.com/SAML/Attributes in Namespace.
    - Click Save.
  - For the rest of the claims, follow the instructions at Configuring your enterprise IdP to work with CDP:

    Name       Namespace                                   Source      Source Attribute
    firstName  https://cdp.cloudera.com/SAML/Attributes    Attribute   user.givenname
    lastName   https://cdp.cloudera.com/SAML/Attributes    Attribute   user.surname
    mail                                                   Attribute   user.mail

- Click SAML-based Sign-On at the top.
- Test this application.
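The steps above exchange two metadata files in opposite directions: the CDP SAML Service Provider Metadata goes into Azure AD, and the Azure AD Federation Metadata XML comes back into CDP. The following added example (not Cloudera or Microsoft code) reads the Service Provider metadata to extract the Identifier (Entity ID) and Reply URL that the Basic SAML Configuration blade asks for, tells the current identifier form from the legacy one, checks that the Azure AD metadata actually carries a signing certificate and SSO endpoints before you upload it, and builds the full attribute names Azure AD emits for the claims in the table. Both XML documents are constructed samples: the entity IDs, URLs and certificate body are placeholders, not values from a real tenant.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CDP_CLAIM_NAMESPACE = "https://cdp.cloudera.com/SAML/Attributes"

# Constructed sample shaped like the "CDP SAML Service Provider Metadata" file (placeholder values).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:cloudera:cdp:EXAMPLE-IDENTITY-PROVIDER-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://consoleauth.example.invalid/saml/EXAMPLE-IDENTITY-PROVIDER-ID"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample shaped like an Azure AD "Federation Metadata XML" download (placeholder values).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER-CERTIFICATE...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_role(xml_text):
    """Return "sp" or "idp" so each file is uploaded in the right direction."""
    root = ET.fromstring(xml_text)
    if root.find("md:SPSSODescriptor", NS) is not None:
        return "sp"
    if root.find("md:IDPSSODescriptor", NS) is not None:
        return "idp"
    raise ValueError("neither SP nor IdP metadata")


def sp_settings(xml_text):
    """Extract the Identifier (Entity ID) and Reply URL for Basic SAML Configuration."""
    if metadata_role(xml_text) != "sp":
        raise ValueError("expected CDP Service Provider metadata")
    root = ET.fromstring(xml_text)
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("no AssertionConsumerService in SP metadata")
    # Prefer the endpoint flagged isDefault when several are advertised.
    acs = next((s for s in services if s.get("isDefault") == "true"), services[0])
    if acs.get("Binding") != POST_BINDING:
        raise ValueError("Reply URL must be an HTTP-POST endpoint, got %s" % acs.get("Binding"))
    return {"identifier": root.get("entityID"), "reply_url": acs.get("Location")}


def identifier_kind(entity_id):
    """Distinguish the current urn:cloudera:cdp:<id> identifier from the legacy one."""
    if entity_id == "urn:cloudera:altus":
        return "legacy"
    prefix = "urn:cloudera:cdp:"
    if entity_id.startswith(prefix) and entity_id[len(prefix):]:
        return "current"
    raise ValueError("unrecognised CDP Entity ID: %r" % entity_id)


def idp_settings(xml_text):
    """Validate Azure AD federation metadata before it is uploaded into CDP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("expected IdP metadata; check metadata_role() on the file")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS) if c.text and c.text.strip()]
    if not certs:
        raise ValueError("no signing certificate: CDP could not verify Azure AD assertions")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not (sso.keys() & {POST_BINDING, REDIRECT_BINDING}):
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_cert_count": len(certs)}


def claim_type(name, namespace=CDP_CLAIM_NAMESPACE):
    """Full attribute name Azure AD emits for a claim: Namespace + "/" + Name."""
    return namespace.rstrip("/") + "/" + name


if __name__ == "__main__":
    sp = sp_settings(SP_METADATA)
    print("Identifier:", sp["identifier"], "(%s form)" % identifier_kind(sp["identifier"]))
    print("Reply URL: ", sp["reply_url"])
    idp = idp_settings(IDP_METADATA)
    print("IdP entity:", idp["entity_id"], "| signing certs:", idp["signing_cert_count"])
    for binding, url in idp["sso_urls"].items():
        print("SSO", binding.rsplit(":", 1)[-1], url)
    for name in ("groups", "firstName", "lastName"):
        print("claim", name, "->", claim_type(name))
```

Run it against the real files by replacing the two sample strings with the contents of saml-metadata.xml and the downloaded Federation Metadata XML. The metadata_role() check catches the most common mistake in this procedure, uploading a file in the wrong direction, and the signing-certificate check guards against an export that CDP would accept but could never use to verify assertions.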
Once these steps are completed, a CDP user can log in with their integrated Azure AD identity through their Office 365 applications page (Office.com). A new tile will appear for the CDP application created above.

Once a user signs in, the user and their groups will show up on the CDP Management Console's User Management screen.
- Assign users to groups within your Azure AD that you will map to roles in CDP.
- Assign CDP roles to either the new users or the groups as appropriate.