Disabling Cloudera SSO Login

The Cloudera Single Sign-On (CSSO) login option is only meant to serve as the bootstrap IdP, it is not meant for enterprise user access controls as it lacks company specific policy compliance. You must disable the CSSO login option after you complete the identity federation setup between Cloudera and your enterprise IdP, you should disable the Cloudera SSO login option so that user logins are subject to your customer specific enterprise security policies and controls. Cloudera SSO login option is only meant to serve as the bootstrap IdP; it is not meant for enterprise user access controls and it lacks company specific policy compliance.

After configuring your IdP, contact Cloudera Support to restrict all CSSO access. Cloudera Support will disable the "Cloudera SSO All Login Enabled" setting for your account. When all CSSO logins are restricted, you will see the following information on the UI:

You can contact Cloudera Support to re-enable CSSO by your account administrator if your configuration is corrupted, and no PowerUsers can log in through your IdP.

For added security prior to fully disabling CSSO, the account administrator or a PowerUser can restrict CSSO logins to only the account administrator.

Required role: Account administrator or PowerUser

Steps

1. Sign in to the Cloudera web interface.

2. From the Cloudera home page, click Cloudera Management Console.

3. In the User Management section of the side navigation panel, click Identity Providers.

   The Identity Providers page shows the status of the Cloudera SSO Login option.

4. Click Disable to prevent users from logging in through the Cloudera registration and login page.

   When the Cloudera SSO Login option is disabled, all Cloudera users except the Cloudera account administrators must log in through the identity management system in your organization. To log in to Cloudera, a user must be among the users included in the identity providers that you set up in Cloudera.