Configuring your enterprise IdP to work with CDP as a service provider

CDP provides a service provider SAML metadata file that describes the information that CDP requires to enable users to log in to CDP through your enterprise IdP.

You can download the CDP SAML metadata XML file from the following location: https://cdp.cloudera.com/iam/downloads/saml-metadata.xml.

The CDP SAML metadata file includes the following information. Each entry below gives the piece of information, the metadata attribute that carries it, and what to configure in your enterprise IdP.

Name ID formats that CDP supports (attribute: NameIDFormat)

The metadata lists several name ID formats. Use one of the formats in the list for the user ID.

CDP supports any name ID format other than transient. Cloudera requires that the name ID value be globally unique within your identity provider, and it should also be stable over time, so that the same person always maps to the same CDP user. Cloudera does not recommend using email addresses as the name ID: although they can be unique, they are typically not stable over time.

CDP SSO URL (attribute: Location)

The CDP SSO URL given in the CDP SAML metadata file is not complete: it contains only the CDP endpoint (scheme, host and path) and not the query string. You must add the query parameter that carries the ID that CDP assigns to your identity provider:

https://consoleauth.cdp.cloudera.com/saml?samlProviderId=CDP-assigned-ID

For more information about the ID that CDP generates and assigns to the CDP identity provider, see Setting Up the Identity Provider in CDP.

Required.

Endpoint binding (attribute: Binding)

Use the following URN as the binding that your enterprise IdP must use when it sends the SAML response to the CDP SSO URL:

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Required.

User email address (attribute: RequestedAttribute: email)

Set the name of the email address attribute to the following URN:

urn:oid:0.9.2342.19200300.100.1.3

Required. Although CDP requires the user email address, it is used for display purposes only.

List of groups that the user is a member of (attribute: RequestedAttribute: groups)

Set the name of the group list attribute to the following URI:

https://cdp.cloudera.com/SAML/Attributes/groups

Optional. For more information about the group list and how CDP synchronizes group membership, see Group Membership Synchronization.

User first name (attribute: RequestedAttribute: firstName)

Set the name of the user first name attribute to the following URI:

https://cdp.cloudera.com/SAML/Attributes/firstName

Optional. Used for display purposes only.

User last name (attribute: RequestedAttribute: lastName)

Set the name of the user last name attribute to the following URI:

https://cdp.cloudera.com/SAML/Attributes/lastName

Optional. Used for display purposes only.

If your enterprise IdP supports it, upload the CDP SAML metadata file to your enterprise IdP so that it reads these values directly. Otherwise, use your enterprise IdP user interface to set up CDP as a service provider and enter the values listed above manually.
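The following script is an added example, not code from the original page or from Cloudera. It reads a service-provider metadata document, rejects the transient name ID format (and warns if the email address format is chosen), completes the SSO URL with the samlProviderId query parameter, and lists the requested attributes by name with their required or optional status, which is the set of values you would enter in an IdP that cannot import the metadata file. The embedded metadata document is a constructed stand-in for the real file at https://cdp.cloudera.com/iam/downloads/saml-metadata.xml: the entityID, the element layout, the list of NameIDFormat entries and the provider ID "abc123" are assumptions; the URNs and URIs are the ones from the page.

```python
# Added example: derive the IdP-side settings from CDP's SP SAML metadata.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the CDP metadata file. The entityID, the element
# layout and the exact NameIDFormat list are assumptions; the attribute names,
# the SSO endpoint and the binding URN are the values documented on the page.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cdp.cloudera.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://consoleauth.cdp.cloudera.com/saml" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">CDP</md:ServiceName>
      <md:RequestedAttribute FriendlyName="email"
          Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="groups"
          Name="https://cdp.cloudera.com/SAML/Attributes/groups" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="firstName"
          Name="https://cdp.cloudera.com/SAML/Attributes/firstName" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="lastName"
          Name="https://cdp.cloudera.com/SAML/Attributes/lastName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the values an IdP administrator needs from SP metadata."""
    # ElementTree is acceptable for metadata fetched over TLS from the vendor;
    # run untrusted XML through defusedxml instead.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", MD_NS)]
    # CDP requires the HTTP-POST binding, so ignore any other ACS endpoint.
    acs = [a for a in sp.findall("md:AssertionConsumerService", MD_NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    attrs = {
        ra.get("FriendlyName"): {
            "name": ra.get("Name"),
            "required": ra.get("isRequired", "false").lower() == "true",
        }
        for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", MD_NS)
    }
    return {"entity_id": root.get("entityID"), "name_id_formats": formats,
            "acs_location": acs[0].get("Location"), "attributes": attrs}


def complete_sso_url(location, saml_provider_id):
    """Append the samlProviderId query parameter the metadata leaves out."""
    if not saml_provider_id:
        raise ValueError("samlProviderId is required")
    parts = urlsplit(location)
    query = urlencode({"samlProviderId": saml_provider_id})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def choose_name_id_format(offered, preferred=PERSISTENT):
    """Reject transient and unlisted formats; warn on emailAddress."""
    if preferred == TRANSIENT:
        raise ValueError("CDP does not support the transient NameID format")
    if preferred not in offered:
        raise ValueError(f"{preferred} is not in the metadata NameIDFormat list")
    warnings = []
    if preferred == EMAIL_FORMAT:
        warnings.append("email addresses are unique but rarely stable over time; "
                        "prefer a persistent identifier")
    return preferred, warnings


def idp_settings(xml_text, saml_provider_id, name_id_format=PERSISTENT):
    """Produce the values to enter in the enterprise IdP for the CDP SP."""
    md = parse_sp_metadata(xml_text)
    fmt, warnings = choose_name_id_format(md["name_id_formats"], name_id_format)
    attrs = md["attributes"]
    return {
        "entity_id": md["entity_id"],
        "sso_url": complete_sso_url(md["acs_location"], saml_provider_id),
        "binding": HTTP_POST,
        "name_id_format": fmt,
        "required_attributes": sorted(k for k, v in attrs.items() if v["required"]),
        "optional_attributes": sorted(k for k, v in attrs.items() if not v["required"]),
        "attribute_names": {k: v["name"] for k, v in attrs.items()},
        "warnings": warnings,
    }


if __name__ == "__main__":
    # "abc123" stands in for the ID CDP assigns to your identity provider.
    for key, value in idp_settings(SAMPLE_SP_METADATA, "abc123").items():
        print(f"{key}: {value}")
```

To use it against the real file, replace SAMPLE_SP_METADATA with the downloaded document and pass the provider ID shown in the CDP console; the script refuses to build an SSO URL without it, since a response posted to the bare endpoint cannot be matched to your IdP.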