Synchronizing group membership
Cloudera can synchronize the user's group membership provided by your enterprise IdP with the user's group membership in Cloudera.
When a user initially logs in to Cloudera through the identity management system in your organization, Cloudera creates a Cloudera user account for the user. However, without being assigned Cloudera roles, the user cannot perform tasks in Cloudera. Cloudera recommends that you create Cloudera groups with assigned roles and add users to the groups so that the users can take on the roles assigned to the groups.
When you create an identity provider, you can select the Sync Groups on Login option to enable Cloudera to synchronize the user group membership. By default, the Sync Groups on Login option is disabled. Clear the option selection if you do not want Cloudera to synchronize the user group membership.
Group names must be alphanumeric, may include dots (.), hyphens (-), and underscores (_), and must be fewer than 64 characters long. Additionally, names can only start with an alphabetic character or an underscore.
Sync Groups on Login enabled
When the Sync Groups on Login option is enabled, Cloudera synchronizes a user's group in the following manner:
- The group membership that your enterprise IdP specifies for a user overrides the group membership set up in Cloudera. Each time a user logs in, Cloudera updates the user's group membership based on the groups that your enterprise IdP specifies for the user.
- If the group exists in Cloudera, Cloudera adds the user to the group. The user takes on all the roles associated with the group.
- If the group does not exist in Cloudera, Cloudera creates the group and adds the user to the group. However, no roles are assigned to the new group, so a member of the new group does not take on roles from the group.
- If the user is a member of a group in Cloudera that is not included in the list provided by your enterprise IdP, Cloudera removes the user from the group.
- If the list of groups from your enterprise IdP is empty, Cloudera removes the user from all groups in Cloudera. After login, the user will not be a member of any Cloudera group and will not have roles from any group.
To ensure that users can perform tasks in Cloudera, Cloudera recommends that you set up the groups in Cloudera with appropriate roles before you assign them to users.
Sync Groups on Login disabled
When the Sync Groups on Login option is disabled, Cloudera does not synchronize the user's group membership in CDP with the user's group membership provided by the IdP. After login, a user's group membership in Cloudera is determined by the Cloudera groups assigned to the user in Cloudera. The groups assigned to the user in your enterprise IdP are ignored.
Sync Membership option for a newly created group
Additionally, once you have synced your IdP and you create a new group in Cloudera, you have an option called Sync Membership that determines whether group membership is synced to IdP when a user logs in. By default, Sync Membership is enabled when Sync Groups on Login is enabled.
The following table describes how the global Sync Groups on Login and the per-group Sync Membership options can be used:
IdP Sync Groups on Login on |
IdP Sync Groups on Login off |
|
Group Sync Membership on |
Group membership for the specific group is reflected in IdP. | Group membership for the specific group is not reflected in IdP. |
Group Sync Membership off |
Group membership for the specific group is not reflected in IdP. | Group membership for the specific group is not reflected in IdP. |
In other words, if Sync Groups on Login is off at the IdP level, then no groups are getting synced regardless of what the setting for Sync Membership is. But if Sync Groups on Login is turned on at the IDP level, then you have the option to override it for certain groups that you explicitly leave off.
