Release 7.1.2
Page tree


Support | BlogContact Us 

Versions Compared

Old Version 10

changes.mady.by.user docuser1

Saved on

compared with

New Version Current

changes.mady.by.user docuser1

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

NOTE: Spaces are not supported in values for hadoopPrincipal and ssoPrincipal. Suggested format: lastName.firstName.


Prep

Warning

Before you begin, you should create a backup of your

D s triconf
file.

...

Acquire SAML claims from your identity provider

 


Check the following SAML claims in your identify provider. Verify that it is sending the following pieces of information. Below are the default attributes that are expected by the platform:

...

Tip

Tip: If you do not have access to the IDP configuration, you can search the response back from your IDP for the following:

Code Block
<saml: Attribute Name="

The full value inside the double quotes must be set as the second value in the MellonSetEnv properties file. To see the decoded SAML response, you can use a Chrome plugin like 'rcFederation SAML, WS-Federation and OAuth tracer'.

 


Configure SAML for the platform

...

  1. The following script must be run as the root user.

  2. On the 

    D s node
    , navigate to the following directory:

    Code Block
    cd /opt/trifacta/webapp/bin


  3. Execute the following script:

    Code Block
    $ ./saml-sp-metadata-generator.js <hostname>

    where <hostname> is the host value for your 

    D s node
    . Do not include the protocol identifier (e.g. http://) or the port number as part of this value.

  4. The above script outputs the following:

    Tip

    Tip: The objects, paths, and filenames generated by this script are automatically in place for use by the platform. To use other objects, you must configure the paths in the platform, as described later in this section.


    ItemDescriptionHow to Use
    Signing Private key Path to generated private key for signingIf the path is the default one and no asset exists there, then the setup script generates the asset for you.
    Signing Certificate Path to generated certificate for signingSee previous.
    Encryption Private keyPath to generated private key for encryptionSee previous.
    Encryption CertificatePath to generated certificate for encryptionSee previous.
    MetadataMetadata file saml-sp-metadata.xml for your identity providerSee next step.


  5. The saml-sp-metadata.xml file in the same directory where you executed the script can be uploaded to your identity provider.
  6. D s config
    methoda

  7. Configure the following settings:

    SettingDescriptionValue
    "webapp.sso.enable"

    Enables use of SSO by the

    D s webapp
    .

    		Set this value to false.
    "webapp.sso.disableAuthGateway"When SSO is enabled, this value should be set to true to disable the use of the reverse proxy server, which is not used in SAML authentication.Set this value to true.
    "webapp.sso.enableAutoRegistration"Enables users to auto-register an account with the platform when they connect to the login page.To enable automatic access with SSO-authenticated users, set this value to true. To require administrator provisioning of user accounts, set this value to false. For more information, see Manage Users under SSO.


  8. Enable use of SAML by the 

    D s webapp
    :

    D s triconf
    setting

    		Description

    "webapp.saml.enabled"

    		Set this value to true.
    "webapp.saml.server.entityId"Set this value to the URI of the enterprise SAML server.


  9. If your identity provider is sending attribute values that differ from the values expected by the platform, please configure those values in the following properties:

    D s triconf
    setting

    		DescriptionSAML attribute
    "webapp.saml.mapping.ssoPrincipal"SAML profile attribute that defines a user's SSO principal. Spaces are not supported.userPrincipalName
    "webapp.saml.mapping.name"

    SAML profile attribute that defines a user's name.

    		name

    "webapp.saml.mapping.hadoopPrincipal"

    SAML profile attribute that defines a user's Hadoop principal. Spaces are not supported.

    		userPrincipalName

    "webapp.saml.mapping.email"

    SAML profile attribute that defines a user's email.

    		mail


  10. Configure the path to IDP metadata file, which you should have already downloaded to the 

    D s node

    Tip

    Tip: Unless you wish to move the file to a different directory, this value does not need to be changed.


    D s triconf
    setting

    		Description

    "webapp.saml.idpMetaDataPath"

    Path to the IDP metadata file that you downloaded to the

    D s node
    .

    Info

    NOTE: This value is required and should already be specified to the default location previously listed.



  11. Configure SAML call back URLs, if needed. These values do not require modifying in most cases.

    D s triconf
    setting

    		Description

    "webapp.saml.server.logoutCallbackUrl"

    		URL to which user is redirected after logout. This value must end with /saml/logout/callback.
    "webapp.saml.server.callbackUrl"URL to which user is redirected after authentication. This value must end with /saml/login/callback?redirect_to=/.


  12. Configure paths to security certificates. Modify only if you have stored your keys in non-default locations or filenames: 

    D s triconf
    setting

    		DescriptionDefault path
    "webapp.saml.security.signingCertPath"This signing certificate must be a public certificate that matches the private key./opt/trifacta/conf/.key/saml-signing-public-key.cert
    "webapp.saml.security.privateCertPath"This private key must match the public signing certificate. Authentication requests can be signed using RSA-SHA1. The private key must be in PEM format.
    Authentication requests can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format.    		/opt/trifacta/conf/.key/saml-signing-private-key.key
    "webapp.saml.security.decryptionPvkPath"This private key is used for decrypting any encrypted assertions received by the platform. /opt/trifacta/conf/.key/saml-decryption-private-key.key
    "webapp.saml.security.decryptionCertPath"This public certificate must match the private key for decryption./opt/trifacta/conf/.key/saml-decryption-public-key.cert



  13. (optional) In some SAML environments, such as Active Directory Federation Services (AD FS), the SAML Identity Provider makes its own choice for what authentication factors to use when authenticating a user. In these environments, you may wish to disable a request for the authentication context with the identity provider. Users may encounter an error similar to the following:

    Code Block
    "Authentication method 'X509, MultiFactor, MultiFactorFederated' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'"


    Info

    NOTE: This feature is available via Hot Fix. For more information, please contact 

    D s support
    .


    D s triconf
    setting

    		Description
    "webapp.saml.disableRequestedAuthnContext"

    When set to true, the

    D s webapp
    does not include a request for a specific authentication context, which is unnecessary because the identity provider has already determined the authentication method.

    (default) When set to false, the

    D s webapp
    requests the authentication context from the identity provider.

    Tip

    Tip: In most environments, this setting should be false, which is the default.




    Info

    NOTE: This feature is available via Hot Fix. For more information, please contact 

    D s support
    .


  14. Save the file.

Managing Principal Case

...

© 2013-2023 Alteryx® Inc Privacy Policy  |  Terms of Use