Configuring your enterprise IdP to work with Cloudera as a service provider
Cloudera provides a service provider SAML metadata file that describes the information that Cloudera requires to enable users to log in to Cloudera through your enterprise IdP.
You can get the Cloudera SAML metadata XML from the Identity Providers page in Cloudera web interface by navigating to the details of your identity provider configuration.
The Cloudera SAML metadata file includes the following information:
| Information | Attribute | Description |
|---|---|---|
| Name ID formats that Cloudera supports | NameIDFormat | The metadata includes multiple name ID formats. Use one of the formats in the
list for the user ID. Cloudera supports any type of name ID format other than transient. Cloudera requires that you use name ID formats that are globally unique within your identity provider. The name ID format should also be stable over time. Cloudera does not recommend using email addresses because, although they can be unique, they are typically not stable over time. If your NameID is an opaque ID (such as a UUID), you can Generate workload usernames based on email. The value of NameID is case-sensitive. |
| Cloudera SSO URL | Location | It should be the same as the "Location" value of the
"<AssertionConsumerService>" in the Cloudera SAML
Service Provider metadata. It has a fixed format. For Cloudera Control Plane region
us-west-1: For any other Cloudera Control Plane region: https://consoleauth.<CONTROL_PLANE_REGION>.cdp.cloudera.com/consoleauth/saml?samlProviderId=CDP-assigned-IDFor more information about the ID that Cloudera generates and assigns to the Cloudera identity provider, see Setting Up the Identity Provider in CDP. This attribute is required. |
| Endpoint for binding | Binding | Use the following URN as the endpoint that your enterprise IdP must bind
to:
This attribute is required. |
| User email address | RequestedAttribute: mail
|
Set the email address attribute to the following
URN:
Cloudera also accepts:
This attribute is required. Although Cloudera requires the user email address, it is used for display purposes only. |
| (Optional) List of groups that the user is a member of | RequestedAttribute: groups
|
Set the group list attribute to the following
URN:
This attribute is optional. For more information about the group list and how Cloudera synchronizes group membership, see Synchronizing Group Membership. |
| (Optional) User first name | RequestedAttribute: firstName
|
Set the user first name attribute to the following
URN:
This attribute is optional; used for display purposes only. |
| (Optional) User last name | RequestedAttribute: lastName
|
Set the user last name attribute to the following
URN:
This attribute is optional; used for display purposes only. |
If your enterprise IdP allows it, you can upload the Cloudera SAML metadata file to your enterprise IdP. Otherwise, use your enterprise IdP user interface to set up Cloudera as a service provider.
