Disabling the Cloudera SSO login
After you complete the identity federation setup between Cloudera and your enterprise IdP, you should disable the Cloudera SSO login option so that user logins are subject to your customer specific enterprise security policies and controls. Cloudera SSO login option is only meant to serve as the bootstrap IdP; it is not meant for enterprise user access controls and it lacks company specific policy compliance.
When you disable Cloudera SSO login for non-administrator users, CDP users must log in to CDP through the identity management system in your organization. Only the designated account administrator for your CDP subscription can log in to CDP through the Cloudera registration and login page.
Even after you disable the Cloudera SSO login, the designated account administrator can log in to CDP using their Cloudera SSO credentials. For added security, you can restrict all Cloudera SSO access (including the designated account administrator's access) by contacting Cloudera Support and they can disable or enable the "Cloudera SSO All Login Enabled" setting for your account. You can see "Cloudera SSO All Login Enabled" setting on the UI. When all Cloudera SSO logins are restricted, you will see this on the UI:
Required role: Account administrator or PowerUser
Steps
Sign in to the CDP web interface.
From the CDP home page, click Management Console.
In the User Management section of the side navigation panel, click Identity Providers.
The Identity Providers page shows the status of the Cloudera SSO Login option.
Click Disable to prevent users from logging in through the Cloudera registration and login page.
When the Cloudera SSO Login option is disabled, all CDP users except the CDP account administrators must log in through the identity management system in your organization. To log in to CDP, a user must be among the users included in the identity providers that you set up in CDP.