The can be configured to provide single sign-on (SSO) logins with Active Directory/Lightweight Directory Access Protocol (AD/LDAP). These steps allow you to enable auto-provisioning of new users to the platform if they can authenticate through LDAP.
Do not use this configuration for the following:
By default, our SP uses the transient NameID format. Not all SAML identity providers accept transient NameIDs. You may have to change the metadata file to use something like the following:
NOTE: Spaces are not supported in values for hadoopPrincipal and ssoPrincipal. Suggested format:
Before you begin, you should create a backup of your file.
If you prefer to have users connect to the platform over HTTPS, you should enable it before completing the SAML setup. For more information, see Install SSL Certificate.
To enable secure auth using SAML, you must deploy the following keys to the .
NOTE: When the SAML setup script is executed, the following keys and certs are created for your use and stored in the default locations listed below. If you prefer, you can copy in your own keys and certificates for the platform to use. If the paths or filenames differ from the defaults listed below, you must modify the configuration, which is described later.
|Item||Default path|
|Public signing certificate||/opt/trifacta/conf/.key/saml-signing-public-key.cert|
|Private signing key||/opt/trifacta/conf/.key/saml-signing-private-key.key|
|Public decryption certificate||/opt/trifacta/conf/.key/saml-decryption-public-key.cert|
|Private decryption key||/opt/trifacta/conf/.key/saml-decryption-private-key.key|
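Whether the setup script generates these assets or you copy in your own, the checks worth running before the platform is pointed at them are that each public certificate really belongs to its private key (the table below says they must match) and that the private keys are not readable by other accounts. The following is an added example, not the platform's setup script: it drives the openssl CLI from Python to create a self-signed RSA pair under each of the default filenames in a scratch directory, then compares the SubjectPublicKeyInfo extracted from the certificate with the one derived from the key. The common name, the scratch directory and the 730-day validity are assumptions for the demo.

```python
import os
import subprocess
import tempfile

# Default filenames from the table above; the directory is a parameter so the
# demo can run in a scratch location instead of /opt/trifacta/conf/.key.
DEFAULT_NAMES = {
    "signing": ("saml-signing-private-key.key", "saml-signing-public-key.cert"),
    "decryption": ("saml-decryption-private-key.key", "saml-decryption-public-key.cert"),
}


def openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], capture_output=True, check=True).stdout


def generate_pair(key_path, cert_path, common_name, days=730):
    """Create an RSA-2048 private key and a self-signed certificate for it."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", f"/CN={common_name}", "-days", str(days),
            "-keyout", key_path, "-out", cert_path)
    os.chmod(key_path, 0o600)  # private key: owner read/write only


def public_key_of(path, is_cert):
    """SubjectPublicKeyInfo PEM taken from a certificate or a private key."""
    if is_cert:
        return openssl("x509", "-in", path, "-noout", "-pubkey")
    return openssl("pkey", "-in", path, "-pubout")


def cert_matches_key(cert_path, key_path):
    """True when the certificate carries exactly this private key's public half."""
    return public_key_of(cert_path, True) == public_key_of(key_path, False)


def key_is_private_to_owner(key_path):
    """True when group and other have no access bits on the key file."""
    return (os.stat(key_path).st_mode & 0o077) == 0


def provision_demo(directory=None, common_name="sp.example.test"):
    """Generate both pairs in `directory` (a fresh temp dir by default) and
    report the checks a deployer should run before using them."""
    directory = directory or tempfile.mkdtemp(prefix="saml-keys-")
    paths = {}
    for purpose, (key_name, cert_name) in DEFAULT_NAMES.items():
        key_path = os.path.join(directory, key_name)
        cert_path = os.path.join(directory, cert_name)
        generate_pair(key_path, cert_path, common_name)
        paths[purpose] = (key_path, cert_path)
    sign_key, sign_cert = paths["signing"]
    dec_key, dec_cert = paths["decryption"]
    return {
        "dir": directory,
        "signing_ok": cert_matches_key(sign_cert, sign_key) and key_is_private_to_owner(sign_key),
        "decryption_ok": cert_matches_key(dec_cert, dec_key) and key_is_private_to_owner(dec_key),
        # A swapped or stale pair must be caught here, not by failed logins later.
        "cross_mismatch_detected": not cert_matches_key(sign_cert, dec_key),
    }


if __name__ == "__main__":
    print(provision_demo())
```

The public-key comparison works for any key type openssl supports, so the same `cert_matches_key` check applies if you later replace the generated assets with keys issued by your own CA; only the generation step assumes RSA.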
From your identity provider, please acquire the public metadata file and transfer it to the .
Please store the file in the following location:
After the file is transferred to the , the platform must be made aware of it. These steps are covered below.
Check the following SAML claims in your identity provider and verify that it is sending each of them. Below are the default attribute names that the platform expects:
NOTE: Please note any differences between the expected default attribute names below and the values in your identity provider. These values must be updated in the platform, as described later.
|Information||Default SAML Attribute Name|
Tip: If you do not have access to the IDP configuration, you can search the response returned by your IDP for the following:
The full value inside the double quotes must be set as the second value in the MellonSetEnv properties file. To see the decoded SAML response, you can use a Chrome plugin like 'rcFederation SAML, WS-Federation and OAuth tracer'.
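When you have a decoded response in hand, the quickest way to compare it against the mapping the platform expects is to pull out the NameID format and every Attribute Name the IdP sent. The following is an added example, not part of the product or this page: it parses a SAML 2.0 Response (raw XML or the base64 SAMLResponse form value), lists the attribute names with their values, flags names containing spaces (unsupported in the mapping properties, per the note above), reports any expected attribute that is missing, and recognises an EncryptedAssertion, which cannot be inspected this way without the SP decryption key. The sample response, its issuer, IDs and values are constructed placeholders; only userPrincipalName is a default named on this page, the other expected names in the test are invented for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response (not captured from any real IdP). The issuer,
# IDs and values are placeholders; "Display Name" is included only to show
# how an attribute name containing a space is flagged.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nid1</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userPrincipalName">
        <saml:AttributeValue>Alice.Example@corp.example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@corp.example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Display Name">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

# Constructed response whose assertion is encrypted: attributes cannot be read
# without the SP decryption key (decryptionPvkPath later on this page).
SAMPLE_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def decode_response(response):
    """Accept either raw XML or the base64 SAMLResponse form value."""
    text = response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    return text


def inspect_saml_response(response, expected):
    """Summarise what the IdP sent versus what the platform mapping expects.

    `expected` maps a mapping property (e.g. "ssoPrincipal") to the SAML
    attribute name configured for it (e.g. "userPrincipalName").
    """
    root = ET.fromstring(decode_response(response))
    result = {"encrypted": False, "nameid_format": None, "attributes": {},
              "missing": [], "names_with_spaces": []}

    if (root.find("saml:Assertion", NS) is None
            and root.find("saml:EncryptedAssertion", NS) is not None):
        result["encrypted"] = True
        return result

    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None:
        result["nameid_format"] = nameid.get("Format")

    # Each Name="..." here is the quoted value the tip above tells you to copy.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][name] = values
        if " " in name:  # not supported in the platform mapping properties
            result["names_with_spaces"].append(name)

    for prop, attr_name in expected.items():
        if attr_name not in result["attributes"]:
            result["missing"].append((prop, attr_name))
    return result


if __name__ == "__main__":
    summary = inspect_saml_response(SAMPLE_RESPONSE_B64, {"ssoPrincipal": "userPrincipalName"})
    print("NameID format:", summary["nameid_format"],
          "(transient)" if summary["nameid_format"] == TRANSIENT else "")
    for name, values in summary["attributes"].items():
        print(f"  {name!r} -> {values}")
    print("missing:", summary["missing"], "spaces in:", summary["names_with_spaces"])
```

This is an inspection aid for a response you captured from your own IdP during setup; it performs no signature validation, so it must not be mistaken for an assertion consumer. If you feed it XML from a source you do not control, parse with defusedxml rather than the standard-library parser, which does not guard against entity-expansion payloads.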
Please complete the following steps to configure the platform to use your enterprise SAML authentication:
The following script must be run as the
On the , navigate to the following directory:
Execute the following script:
$ ./saml-sp-metadata-generator.js <hostname>
<hostname> is the host value for your . Do not include the protocol identifier (e.g. http://) or the port number as part of this value.
The above script outputs the following:
Tip: The objects, paths, and filenames generated by this script are automatically in place for use by the platform. To use other objects, you must configure the paths in the platform, as described later in this section.
|Item||Description||How to Use|
|Signing Private key||Path to generated private key for signing||If the path is the default one and no asset exists there, then the setup script generates the asset for you.|
|Signing Certificate||Path to generated certificate for signing||See previous.|
|Encryption Private key||Path to generated private key for encryption||See previous.|
|Encryption Certificate||Path to generated certificate for encryption||See previous.|
|Metadata||Metadata file ||See next step.|
The saml-sp-metadata.xml file in the same directory where you executed the script can be uploaded to your identity provider.
Configure the following settings:
Enables use of SSO by the .
|Set this value to |
|"webapp.sso.disableAuthGateway"||When SSO is enabled, this value should be set to ||Set this value to |
|"webapp.sso.enableAutoRegistration"||Enables users to auto-register an account with the platform when they connect to the login page.||To enable automatic access with SSO-authenticated users, set this value to |
Enable use of SAML by the :
|Set this value to |
|"webapp.saml.server.entityId"||Set this value to the URI of the enterprise SAML server.|
If your identity provider is sending attribute values that differ from the values expected by the platform, please configure those values in the following properties:
|"webapp.saml.mapping.ssoPrincipal"||SAML profile attribute that defines a user's SSO principal. Spaces are not supported.||userPrincipalName|
SAML profile attribute that defines a user's name.
SAML profile attribute that defines a user's Hadoop principal. Spaces are not supported.
SAML profile attribute that defines a user's email.
Configure the path to IDP metadata file, which you should have already downloaded to the .
Tip: Unless you wish to move the file to a different directory, this value does not need to be changed.
Path to the IDP metadata file that you downloaded to the .
Configure SAML call back URLs, if needed. These values do not require modifying in most cases.
|URL to which user is redirected after logout. This value must end with |
|"webapp.saml.server.callbackUrl"||URL to which user is redirected after authentication. This value must end with |
Configure paths to security certificates. Modify only if you have stored your keys in non-default locations or filenames:
|"webapp.saml.security.signingCertPath"||This signing certificate must be a public certificate that matches the private key.||/opt/trifacta/conf/.key/saml-signing-public-key.cert|
|"webapp.saml.security.privateCertPath"||This private key must match the public signing certificate. Authentication requests can be signed using RSA-SHA1; to sign them, you must provide the private key in PEM format.|
|"webapp.saml.security.decryptionPvkPath"||This private key is used for decrypting any encrypted assertions received by the platform.||/opt/trifacta/conf/.key/saml-decryption-private-key.key|
|"webapp.saml.security.decryptionCertPath"||This public certificate must match the private key for decryption.||/opt/trifacta/conf/.key/saml-decryption-public-key.cert|
(optional) In some SAML environments, such as Active Directory Federation Services (AD FS), the SAML Identity Provider makes its own choice for what authentication factors to use when authenticating a user. In these environments, you may wish to disable a request for the authentication context with the identity provider. Users may encounter an error similar to the following:
"Authentication method 'X509, MultiFactor, MultiFactorFederated' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'"
NOTE: This feature is available via Hot Fix. For more information, please contact .
When set to
(default) When set to
Save the file.
As needed, you can configure the to force captured principal values to lowercase. This standardization is applied throughout the platform, which may prevent connectivity or impersonation issues due to case mismatches.
Locate the following parameters, which govern case conversion in the platform of the SSO and Hadoop principals for SAML SSO:
"webapp.saml.mapping.ssoPrincipalToLowerCase": false,
"webapp.saml.mapping.hadoopPrincipalToLowerCase": true,
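The settings from the steps above are easy to get subtly wrong: a boolean typed as the string "true", an attribute name with a space, an entityId that is not a URI, or a certificate path pointing at the wrong kind of PEM file. The following is an added example, not part of the platform: it checks a configuration dictionary against the property names listed on this page and shows how the two *ToLowerCase flags affect a captured principal. It assumes the flat dotted-key layout shown above; the configuration file name, the example URLs, the placeholder PEM files it writes (not real keys) and the "sAMAccountName" attribute are constructed for the demo. The IDP metadata path property is not named in this excerpt, so it is not checked.

```python
import os
import tempfile
from urllib.parse import urlparse

# Property names as they appear on this page.
BOOL_KEYS = (
    "webapp.sso.disableAuthGateway",
    "webapp.sso.enableAutoRegistration",
    "webapp.saml.mapping.ssoPrincipalToLowerCase",
    "webapp.saml.mapping.hadoopPrincipalToLowerCase",
)
ATTRIBUTE_KEYS = ("webapp.saml.mapping.ssoPrincipal", "webapp.saml.mapping.hadoopPrincipal")
# PEM banner fragment each file path must carry.
PEM_KEYS = {
    "webapp.saml.security.signingCertPath": "CERTIFICATE",
    "webapp.saml.security.privateCertPath": "PRIVATE KEY",
    "webapp.saml.security.decryptionPvkPath": "PRIVATE KEY",
    "webapp.saml.security.decryptionCertPath": "CERTIFICATE",
}


def validate_saml_config(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key}: must be a JSON boolean, got {cfg[key]!r}")
    for key in ATTRIBUTE_KEYS:
        value = cfg.get(key)
        if not value:
            problems.append(f"{key}: attribute name is missing")
        elif " " in value:  # spaces are not supported (see the note at the top)
            problems.append(f"{key}: spaces are not supported in {value!r}")
    if not urlparse(cfg.get("webapp.saml.server.entityId", "")).scheme:
        problems.append("webapp.saml.server.entityId: must be a URI (https://... or urn:...)")
    callback = urlparse(cfg.get("webapp.saml.server.callbackUrl", ""))
    if not (callback.scheme and callback.netloc):
        problems.append("webapp.saml.server.callbackUrl: must be an absolute URL")
    for key, banner in PEM_KEYS.items():
        path = cfg.get(key, "")
        if not os.path.isfile(path):
            problems.append(f"{key}: no file at {path!r}")
            continue
        with open(path, "r", errors="replace") as fh:
            first_line = fh.readline()
        if not (first_line.startswith("-----BEGIN ") and banner in first_line):
            problems.append(f"{key}: {path!r} is not a PEM {banner.lower()}")
        if banner == "PRIVATE KEY" and os.stat(path).st_mode & 0o077:
            problems.append(f"{key}: {path!r} is readable by group/other")
    return problems


def normalize_principals(cfg, sso_principal, hadoop_principal):
    """Apply the two *ToLowerCase flags to captured principal values."""
    return (
        sso_principal.lower() if cfg.get("webapp.saml.mapping.ssoPrincipalToLowerCase") else sso_principal,
        hadoop_principal.lower() if cfg.get("webapp.saml.mapping.hadoopPrincipalToLowerCase") else hadoop_principal,
    )


def demo_config(directory=None):
    """Write placeholder PEM files (constructed, not real key material) into a
    scratch directory and return an example configuration pointing at them."""
    directory = directory or tempfile.mkdtemp(prefix="saml-cfg-")
    pem = {
        "CERTIFICATE": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n",
        "PRIVATE KEY": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n",
    }
    cfg = {
        # Example values only; the callback path segment is a placeholder.
        "webapp.saml.server.entityId": "https://idp.example.test/adfs/services/trust",
        "webapp.saml.server.callbackUrl": "https://sp.example.test/PLACEHOLDER-CALLBACK-PATH",
        "webapp.saml.mapping.ssoPrincipal": "userPrincipalName",
        "webapp.saml.mapping.hadoopPrincipal": "sAMAccountName",
        "webapp.saml.mapping.ssoPrincipalToLowerCase": False,
        "webapp.saml.mapping.hadoopPrincipalToLowerCase": True,
    }
    for key, banner in PEM_KEYS.items():
        path = os.path.join(directory, key.rsplit(".", 1)[1] + ".pem")
        with open(path, "w") as fh:
            fh.write(pem[banner])
        os.chmod(path, 0o600 if banner == "PRIVATE KEY" else 0o644)
        cfg[key] = path
    return cfg


if __name__ == "__main__":
    config = demo_config()
    print("problems:", validate_saml_config(config))
    print(normalize_principals(config, "Alice.Example@CORP.EXAMPLE.TEST", "ALICE"))
```

Run it against your own configuration by loading the JSON into a dictionary and passing it to `validate_saml_config` before restarting the platform; the banner and permission checks catch the common case where a certificate and key path have been swapped or a key was copied in with world-readable permissions.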
For more information, see Manage Users under SSO.