Setting up the identity provider in Cloudera

In Cloudera, you must create an identity provider to capture the SAML metadata and connection information for your enterprise IdP. To create an identity provider in Cloudera, you must be a Cloudera account administrator or have the PowerUser role.

Required role: Account administrator or PowerUser
  1. Sign in to the Cloudera console.
  2. From the Cloudera home page, click Cloudera Management Console.
  3. In the User Management section of the side navigation panel, click Identity Providers.
  4. Click Create Identity Provider.
  5. On the Create Identity Provider window, enter the name you want to use for the Cloudera identity provider.
  6. Select whether to synchronize the user group membership in Cloudera with the user group membership in your enterprise IdP.
  7. To synchronize the groups, select the Sync Groups on Login option.

    For more information about user group synchronization, see Synchronizing group membership.

  8. In Provider Metadata, select File Upload to upload a file that contains the identity provider SAML metadata or select Direct Input to paste the identity provider SAML metadata directly.
  9. Click Create.

Cloudera adds the new identity provider to the list of Cloudera identity providers on the Identity Providers page.

After you create the identity provider in Cloudera, you can view its properties to get the information you need to configure your enterprise IdP to work with Cloudera.

On the Identity Providers page, click the name of the new Cloudera identity provider to see its properties:

Property | Description
--- | ---
Name | Name of the Cloudera identity provider.
ID | ID generated for the Cloudera identity provider.
Sync Groups on Login | Indicates whether Cloudera synchronizes a user's group membership in Cloudera with the user's group membership in your enterprise IdP when the user logs in. For more information about user group synchronization, see Group Membership Synchronization.
CRN | The Cloudera resource name assigned to the Cloudera identity provider.
SAML Identity Provider Metadata | The identity provider SAML metadata for your enterprise IdP that you provided when you created the Cloudera identity provider.
Generate workload username by email | Optional. Check this if you use an opaque ID for the SAML NameID and the SCIM userName, so that the workload username is generated from the email address instead of the default. For more information, see Generating workload usernames based on email.
Enable SCIM | Optional. Check this to enable SCIM for Azure AD. For more information, see Configure SCIM with Azure AD.
Cloudera SAML Service Provider Metadata | The Cloudera SAML service provider metadata to configure your enterprise IdP.