Skip to main content

Configure SSO for AD-LDAP

The Designer Cloud Powered by Trifacta platform can be configured to provide single sign-on (SSO) logins with Active Directory/Lightweight Directory Access Protocol (AD/LDAP). These steps allow you to enable auto-provisioning of new users to the platform if they can authenticate through LDAP.

  • If auto-provisioning is not desired, after completing the basic configuration, you can disable auto-provisioning using the steps listed in the Advanced Configuration section.

  • Single Sign-On (SSO) authentication enables users to authenticate one time to access multiple systems. The SSO platform must translate its authentication into authentication methods executed against each system under SSO control. For more information, see https://en.wikipedia.org/wiki/Single_sign-on.

Do not use this configuration for the following:

Prerequisites

  1. You have already installed the Designer Cloud Powered by Trifacta platform.

    1. See System Requirements.

    2. See Install Software.

  2. Your enterprise uses AD/LDAP for User Identity and Authentication.

  3. You have the following required pieces of LDAP information available:

    1. The host and port of the AD/LDAP server against which to authenticate

    2. The base DN

    3. The bind DN and password

  4. You have installed LDAP utilities (ldap-utils) on the Trifacta node.

Verification for LDAP

Before you enable SSO to LDAP, you can use the following steps to verify that the Designer Cloud Powered by Trifacta platform is able to communicate with LDAP with the information provided by your LDAP administrator.

Steps:

  1. If you have not done so already, verify that you have the required pieces of LDAP information. See the previous section.

  2. To verify the above information, execute the following command:

    ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' -D '<BIND_DN>' -w '<BIND_PASSWORD>' '(objectClass=*)' ['<attribute-name>'] | less

    Note

    Be sure to use single quotes (') in your command.

    where:

    Parameter

    Description

    ldap(s)://<LDAP_SERVER_HOSTNAME>:<PORT>

    Hostname and port number of the LDAP server, as provided by your LADP administrator. Please use ldaps as the protocol.

    <BASE_DN>

    Base DN value provided by your LDAP administrator

    <BIND_DN>

    Bind DN value provided by your LDAP administrator

    <BIND_PASSWORD>

    Bind password value provided by your LADP administrator

    (objectClass=*)

    Please include this string value.

    <attribute-name>

    (Optional) Comma-separated list of attributes to include back from the LDAP server.

    | less

    (Optional) Pipes lengthy output to page-by-page display tool.

  3. Anonymous binding: In the unlikely event that the LDAP server supports anonymous binding, the BIND_DN and BIND_PASSWORD values are not required, as in the following command:

    ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' '(objectClass=*)' ['<attribute-name>'] | less
  4. Output:

    1. Success: Entire LDAP sub-tree is piped to the less tool for display.

    2. Failure: You have entered incorrect LDAP connection information. Please review the values and contact your LDAP administrator if needed.

Attribute Mapping

To provision users, the Designer Cloud Powered by Trifacta platform requires user profile information from attributes. The following are the default mappings:

Platform User Profile Field

Default AD attribute

Default LDAP attribute

email address

userPrincipalName

mail

sso-principal

uid

uid

hadoop-principal

uid

uid

userName

sAMAccountName

cn

The following is an example output of ldapsearch:

# jguy, Users, 56bb81bb6782d97b5c37b0cb, example.com
dn: uid=jguy,ou=Users,o=56bb81bb6782d97b5c37b0cb,dc=example,dc=com
sn: Joe
cn: Joe Guy
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jguy
uid: jguy
gidNumber: 5143
mail: jguy@example.com
givenName: Joe

In the above output, the cn, uid and mail attributes from LDAP are used by the platform. In this case, the sso-principal, email address, and name attribute are correct for Designer Cloud Powered by Trifacta platform use.

Note

If your output from ldapsearch indicates that you must use non-default attributes, you must modify the configuration based on your SSO method. Details are below.

SSO Auth Methods for AD-LDAP

The Designer Cloud Powered by Trifacta platform supports the following methods for integrating with AD-LDAP SSO:

  1. Native AD-LDAP support: Integrate to the enterprise SSO using platform-native configuration.

    Tip

    This method is recommended.

  2. Apache reverse proxy: Integrate the platform with an Apache reverse proxy server hosted on the Trifacta node. This node provides the connection to enterprise SSO.

    Note

    This older version of SSO integration is likely to be deprecated in a future release.

Configure for Native AD-LDAP SSO

This section covers setting up platform-native SSO integration with enterprise AD-LDAP.

Limitations:

The following limitations apply to the platform-native version of SSO for AD-LDAP. If these limitations apply to your environment, please use the reverse proxy version instead.

  • No support for multiple LDAP servers

  • No support for LDAP with SASL

  • No support for custom authentication form

Please complete the following steps to enable native platform integration with your enterprise LDAP provider.

Steps:

  1. Administrators can apply this configuration change through the Admin Settings Page in the application. If the application is not available, the settings are available in trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. The following settings do not apply to this method of SSO integration. However:

    Note

    If you are switching from the reverse proxy method to this method, please verify that these settings are set to the values listed in the New Value column.

    Setting

    Description

    New Value

    "webapp.sso.enable"

    Enables use of reverse proxy SSO by the Trifacta Application.

    If changing SSO methods, set this value to false.

    "webapp.sso.disableAuthGateway"

    When set to true, the reverse proxy server is disabled.

    If changing SSO methods, set this value totrue.

    "webapp.sso.enableAutoRegistration"

    Enables users to auto-register an account with the platform when they connect to the login page.

    To enable automatic access with SSO-authenticated users, set this value totrue. To require administrator provisioning of user accounts, set this value to false. For more information, see Manage Users under SSO.

  3. Enable LDAP for the platform:

    trifacta-conf.json setting

    Description

    "webapp.ldap.enabled"

    Set this value to true to enable LDAP for the Trifacta Application.

  4. Configure location and properties of the enterprise LDAP server:

    trifacta-conf.json setting

    Description

    "webapp.ldap.server.url"

    The URL of the LDAP server

    "webapp.ldap.server.searchFilter"

    The search filter to use when querying the LDAP server for users. Default value is:

    (uid={{username}})

    "webapp.ldap.server.searchBase"

    The starting point on the LDAP server to begin the search for users.

    Note

    This value must be populated.

    Example value:

    dc=example,dc=org

    "webapp.ldap.server.searchAttributes"

    Array of attributes to retrieve from the LDAP server for a user. Modify this value only if your identity provider is sending different attributes.

    "webapp.ldap.server.internalCACertificatePath"

    Path to the CA certificate to use when connecting to the LDAP server over ldaps://.

    "webapp.ldap.server.bindDN"

    The distinguished name used to bind to the LDAP directory.

    Note

    By default, the Designer Cloud Powered by Trifacta platform uses the admin credentials listed here to perform the initial bind to the active directory. If each user's account is configured to be able to browse directory objects, you can configure the platform to use the individual accounts to perform the full authentication. See "Enable initial bind as user" below.

    Example value:

    cn=admin,dc=example,dc=org

    "webapp.ldap.server.bindCredentials"

    Password for simple authentication to the LDAP server.

  5. Configure the LDAP property mappings:

    trifacta-conf.json setting

    Description

    LDAP Property

    "webapp.ldap.mapping.ssoPrincipal"

    LDAP user property defining a user's ssoPrincipal.

    uid

    "webapp.ldap.mapping.name"

    LDAP user property defining a user's name.

    cn

    "webapp.ldap.mapping.hadoopPrincipal"

    LDAP user property defining a user's hadoopPrincipal.

    Note

    This value must be a case-sensitive match to the value of the LDAP attribute.

    uid

    "webapp.ldap.mapping.email"

    LDAP user property defining a user's email.

    mail

  6. Save the file.

  7. Restart the platform.

  8. Test authentication.

Use SSL for Native SSO Auth

To enforce SSL connections to the platform, you can create and install an SSL certificate. This certificate is also used when platform-native LDAP integration is enabled. For more information, see Install SSL Certificate.

Listening Port

Defaults:

  • If enabled, SSL utilizes port number 443.

  • By default, the platform is configured to use 3005.

If needed, you can change the listening port for the platform to match the port required for your deployment. For more information, see Change Listening Port.

Enable initial bind as user

By default, the Designer Cloud Powered by Trifacta platform utilizes a two-tiered mechanism for binding credentials to the LDAP server.

  • The initial bind performs a Distinguished Name (DN) lookup using an admin account that you specify in the following parameters:

    "webapp.ldap.server.bindDN"
    "webapp.ldap.server.bindCredentials"
  • The secondary bind uses the user's credentials.

Optionally, the Designer Cloud Powered by Trifacta platform can be configured to send the user's credentials for the initial bind to the active directory.

Note

Each user's credentials must be configured to be able to browse directory objects.

To enable initial binding using the user's credentials, please set the following configuration flag.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Locate the following parameter and set the value to true:

    "webapp.ldap.server.initialBindAsUser.enabled": false,
  3. In the following parameter, add the distinguished name pattern to use to complete the bind. Example:

    "webapp.ldap.server.initialBindAsUser.bindDnPattern": "uid={{username}},dc=example,dc=org",
  4. Save your changes and restart the platform.

Configure for Apache Reverse Proxy

Set up the reverse proxy

Please complete the following steps to enable and configure the Apache reverse proxy server on the Trifacta node.

Steps:

  1. Edit the following file:

    /opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
  2. Add values for your LDAP environment for the following settings. For an Active Directory configuration, remove the comment from the first Define line and specify appropriate values for the following:

    ##################################################################################
    # Basic :  LDAP Configuration
    #
    # Active Directory Mode. Uncomment below to enable Active Directory compatibility
    #    Define ACTIVE_DIRECTORY "1"
    Define TF_LDAP_SERVER "ldap://SERVER:PORT"
    Define TF_LDAP_BASE_DN "<BASE_DN>"
    Define TF_LDAP_BIND_DN "<BIND_DN>"
    Define TF_LDAP_BIND_PASSWORD "<BIND_PASSWORD>"
  3. By default, SSO access occurs over port 2443. If needed, you can set the port number for user access in the following setting:

    Note

    This value should not be set to any value that conflicts with other ports in use by the Trifacta node. For more information, see System Ports.

    <VirtualHost *:2443>

    Note

    To complete the configuration to change the listening port, additional configuration is required after you complete this section. Instructions are in the following section.

  4. Save the file.

  5. Create an admin account. You can either:

    1. Connect to the application using an AD-linked ID. The first AD account to connect to the application is auto-registered as an admin account.

    2. Define an admin user under SSO. For more information, see Create Admin Account.

  6. Save your changes.

  7. Save the file and restart the platform. See Start and Stop the Platform.

Change Listening Port for Reverse Proxy SSO

By default, SSO access uses port number 2443. If you need to change that listening port, please complete the following steps.

Note

Please make sure that the listening port is not set to a value that conflicts with any of the other listening ports in use by the platform. For more information, see System Ports.

Steps:

  1. If you have not done so already, in trifacta.conf, please set the VirtualHost value to the appropriate port number. See previous instructions.

  2. Edit the following file:

    /opt/trifacta/pkg3p/tripache/conf/conf.d/httpd.conf
  3. Locate the following entries:

    #Listen 12.34.56.78:80
    Listen 2443
  4. Change the value for 2443 to be the value you set in trifacta.conf.

  5. Save the file.

  6. Perform any other necessary configuration before restarting the platform.

Platform configuration for reverse proxy

Please complete the following steps in the platform.

Steps:

  1. Administrators can apply this configuration change through the Admin Settings Page in the application. If the application is not available, the settings are available in trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Configure the following settings:

    Setting

    Description

    Value

    "webapp.sso.enable"

    Enables use of SSO by the Trifacta Application.

    Set this value to true.

    "webapp.sso.disableAuthGateway"

    This setting determines the SSO method to use.

    Set this value to false.

    "webapp.sso.enableAutoRegistration"

    Enables users to auto-register an account with the platform when they connect to the login page.

    To enable automatic access with SSO-authenticated users, set this value totrue. To require administrator provisioning of user accounts, set this value to false. For more information, see Manage Users under SSO.

  3. Save the file and restart the platform.

Use SSL for AD-LDAP SSO Auth

To enforce SSL connections to the platform when the AD-LDAP method of SSO authentication is in use, please complete the following additional steps:

Note

By default, the Tripache proxy server runs on port 2443. Standard SSL port communications is 443. However, since the proxy runs as the trifacta user, instead of root user, port numbers below 1000 are not available. The default port number for the proxy server is fine.

Steps:

  1. You must create an SSL certificate.

    Note

    In the following, complete the steps to generate the certificate only.

    For more information, see Install SSL Certificate.

  2. Install the certificate and key file in an area that is accessible to the trifacta user. Recommended location:

    /opt/trifacta/conf/
  3. Retain the paths to these two files.

  4. Edit the following file:

    opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
  5. Locate the following configuration block:

    ########################################################################
    # Basic: SSL for Trifacta Webapp
    #  Uncomment below after generating certificate & key.
    #  SSLEngine on
    #  SSLCertificateFile "/opt/trifacta/server.crt"
    #  SSLCertificateKeyFile "/opt/trifacta/server.key"
    ########################################################################
    
  6. Uncomment the three configuration lines above.

  7. Insert the full path to the certificate file and the key file in the space provided.

  8. Save the file.

  9. Restart the platform.

Additional Configuration

Customize authentication form

When SSO is enabled, the default presented to users who are authenticating is very plain. If desired, you can customize the form using the following steps.

Steps:

  1. Modify the following file on the Trifacta node to suit your style for the login screen:

    /opt/trifacta/pkg3p/tripache/htdocs/login.html

    Note

    Do not modify the names of the form fields or the form action.

  2. Edit the following file:

    /opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf 
  3. Uncomment the line that contains the following:

    Define FORM_AUTH "1"
  4. Restart the platform.

  5. Test the login page.

AD-LDAP filtering for Reverse Proxy SSO

User access can be limited based on AD/LDAP attributes. Typical scenarios restrict access based on membership of a group or value of an attribute.

Managing Principal Case

As needed, you can configure the Designer Cloud Powered by Trifacta platform to force captured principal values to lowercase. This standardization is applied throughout the platform, which may prevent connectivity or impersonation issues due to case mismatches.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Locate the following parameters, which govern case conversion in the platform of the SSO and Hadoop principals for LDAP SSO:

    "webapp.ldap.mapping.ssoPrincipalToLowerCase": false,
    "webapp.ldap.mapping.hadoopPrincipalToLowerCase": true,
  3. To force conversion to lowercase, set these values to true.

  4. Save changes and restart the platform.

User Management

For more information, see Manage Users under SSO.