Using an Identity Provider in Altus

If your organization uses an enterprise identity provider (IdP) that is compliant with Security Assertion Markup Language (SAML), you can set up identity federation with Cloudera Altus. Identity federation allows users within your organization to log in to Altus through the authentication system in your organization without registering with Cloudera or creating a Cloudera account.

Altus supports the SAML 2.0 standard. You can set up any identity provider for Altus that uses SAML 2.0.

Setting up an Altus Identity Provider

You can set up a maximum of 10 SAML 2.0-compliant identity providers in Altus.

Setting up an identity provider for Altus involves the following steps:
  1. The IdP administrator in your organization generates the SAML metadata that describes your enterprise IdP.
  2. The Altus administrator sets up the identity provider in Altus.
  3. The IdP administrator configures the enterprise IdP in your organization to work with Altus as a service provider.

Generating the Identity Provider Metadata

Use your enterprise IdP user interface to generate the identity provider SAML metadata file.

Altus has the following requirements for the identity provider SAML metadata file:
  • The file must be a valid XML file.
  • The metadata must include at least one IDPSSODescriptor element.
  • The metadata must contain information about at least one valid X.509 certificate that can be used to verify signed assertions.
The following XML file example shows the elements to include in the identity provider SAML metadata file:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.IdP.com/entity_ID">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data><ds:X509Certificate>full_x509-certificate_string</ds:X509Certificate></ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
           Location="https://application.IdP.com/app/.../sso/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
           Location="https://application.IdP.com/app/.../sso/saml"/>
   </md:IDPSSODescriptor>
</md:EntityDescriptor>
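A pre-upload check of the three requirements above, written here as an added Python example (not Altus or Cloudera code). The embedded metadata is constructed for the example and its certificate value is a placeholder, not a real certificate; the namespace URIs are the standard SAML 2.0 metadata and XML Signature ones shown in the example above.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces (the URIs used in the example above).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample. The certificate value is a placeholder whose base64 decodes to
# bytes beginning with the DER SEQUENCE tag; it is not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/entity_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBAAAAAAAA</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return the list of requirement violations; an empty list means the file is acceptable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]  # requirement 1
    idps = root.findall(".//md:IDPSSODescriptor", NS)
    if not idps:
        return ["no IDPSSODescriptor element"]  # requirement 2
    problems, signing_certs = [], 0
    for idp in idps:
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' serves signing and encryption; encryption-only keys cannot verify assertions.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                b64 = "".join((cert.text or "").split())  # tolerate a line-wrapped certificate body
                try:
                    der = base64.b64decode(b64, validate=True)
                except ValueError:
                    problems.append("X509Certificate is not valid base64")
                    continue
                # DER certificates start with an ASN.1 SEQUENCE tag (0x30): a sanity check, not full validation.
                if der[:1] == b"\x30":
                    signing_certs += 1
                else:
                    problems.append("X509Certificate is not DER-encoded")
    if signing_certs == 0:
        problems.append("no signing certificate to verify assertions")  # requirement 3
    return problems
```

Run it against the file your IdP exported before pasting it into Altus; a key marked use="encryption" only, or a certificate body that does not decode, is reported rather than silently accepted.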

Setting Up the Identity Provider in Altus

In Altus, you must create an identity provider to capture the SAML metadata and connection information for your enterprise IdP. To create an identity provider in Altus, you must be an Altus account administrator or have the PowerUser role.

To create the Altus identity provider:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Identity Providers.
  3. Click Create Identity Provider.
  4. On the Create Identity Provider window, enter the name you want to use for Altus identity provider.
  5. Select whether to synchronize the user group membership in Altus with the user group membership in your enterprise IdP.

    To synchronize the groups, select the Sync Groups on Login option.

    For more information about user group synchronization, see Group Membership Synchronization.

  6. In Provider Metadata, select File Upload to upload a file that contains the identity provider SAML metadata or select Direct Input to enter the identity provider SAML metadata directly.
  7. Click Create.

    Altus adds the new identity provider to the list of Altus identity providers on the Identity Providers page.

When Altus creates the identity provider, it generates the SSO URL that you need to set up Altus as a service provider in your enterprise IdP. After you create the identity provider in Altus, you can view its properties to get the information you need to configure your enterprise IdP to work with Altus.

On the Identity Providers page, click the name of the new Altus identity provider to see its properties:
Name
    Name of the Altus identity provider.

ID
    ID generated for the Altus identity provider.

Sync Groups on Login
    Indicates whether Altus synchronizes a user's group membership in Altus with the user's group membership in your enterprise IdP when a user logs in.

    For more information about user group synchronization, see Group Membership Synchronization.

Single Sign-on URL
    The SSO URL for Altus that your enterprise IdP must use to enable users to connect to Altus.

    For example:

    https://consoleauth.altus.cloudera.com/saml?samlProviderId=c983af87...c949580

    The value for the samlProviderId parameter is the ID for the Altus identity provider generated by Altus.

CRN
    The Cloudera resource name assigned to the Altus identity provider.

Provider Metadata
    The identity provider SAML metadata for your enterprise IdP that you provided when you created the Altus identity provider.

Configuring your Enterprise IdP to Work with Altus as a Service Provider

Altus provides a service provider SAML metadata file that describes the information that Altus requires to enable users to log in to Altus through your enterprise IdP.

You can download the Altus SAML metadata XML file from the following location: https://altus.cloudera.com/iam/downloads/saml-metadata.xml

The Altus SAML metadata file includes the following information:
Name ID formats that Altus supports (attribute: NameIDFormat)
    The metadata includes multiple name ID formats. Use one of the formats in the list for the user ID.

    Altus supports any type of name ID format other than transient. Cloudera requires that you use name ID formats that are globally unique within your identity provider. The name ID format should also be stable over time. Cloudera does not recommend using email addresses because, although they can be unique, they are typically not stable over time.

Altus SSO URL (attribute: Location)
    The value provided for the Altus SSO URL in the Altus SAML metadata file is not complete, containing only the Altus domain. You must add the query parameter that includes the Altus identity provider ID:

    https://consoleauth.altus.cloudera.com/saml?samlProviderId=Altus-assigned-ID

    For more information about the ID that Altus generates and assigns to the Altus identity provider, see Setting Up the Identity Provider in Altus.

    Required.

Endpoint for binding (attribute: Binding)
    Use the following URN as the endpoint that your enterprise IdP must bind to:

    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

    Required.

User email address (attribute: RequestedAttribute email)
    Set the email address attribute to the following URN:

    urn:oid:0.9.2342.19200300.100.1.3

    Required. Although Altus requires the user email address, it is used for display purposes only.

List of groups that the user is a member of (attribute: RequestedAttribute groups)
    Set the group list attribute to the following URN:

    https://altus.cloudera.com/SAML/Attributes/groups

    Optional. For more information about the group list and how Altus synchronizes group membership, see Group Membership Synchronization.

User first name (attribute: RequestedAttribute firstName)
    Set the user first name attribute to the following URN:

    https://altus.cloudera.com/SAML/Attributes/firstName

    Optional. Used for display purposes only.

User last name (attribute: RequestedAttribute lastName)
    Set the user last name attribute to the following URN:

    https://altus.cloudera.com/SAML/Attributes/lastName

    Optional. Used for display purposes only.

If your enterprise IdP allows it, you can upload the Altus SAML metadata file to your enterprise IdP. Otherwise, use your enterprise IdP user interface to set up Altus as a service provider.

Disabling the Cloudera SSO Login

After you complete the identity federation setup between Cloudera and your enterprise IdP, you can disable the Cloudera SSO login option if you do not want to allow users in your organization to log in to Altus through the Cloudera registration and login page.

When you disable Cloudera SSO login, Altus users must log in to Altus through the identity management system in your organization. Only the designated account administrator for your Altus subscription can log in to Altus through the Cloudera registration and login page. Altus account administrators can always use their Cloudera user account to log in to Cloudera and be directed to the Altus page. For more information about the Altus account administrator, see Altus Account Administrator.

To disable the Cloudera SSO login option:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Identity Providers.

    The Identity Providers page shows the status of the Cloudera SSO Login option.

  3. Click Disable to prevent users from logging in through the Cloudera registration and login page.

    When the Cloudera SSO Login option is disabled, all Altus users except Altus account administrators must log in through the identity management system in your organization. To log in to Altus, a user must be among the users included in the identity providers that you set up in Altus.

Group Membership Synchronization

When a user initially logs in to Altus through the identity management system in your organization, Altus creates an Altus user account for the user. However, without being assigned Altus roles, the user cannot perform tasks in Altus. Cloudera recommends that you create Altus groups with assigned roles and add users to the groups so that the users can take on the roles assigned to the groups.

Altus can synchronize the user's group membership provided by your enterprise IdP with the user's group membership in Altus. When you create an identity provider, you can select the Sync Groups on Login option to enable Altus to synchronize the user group membership. By default, the Sync Groups on Login option is enabled. Clear the option selection if you do not want Altus to synchronize the user group membership.

Sync Groups on Login enabled
When the Sync Groups on Login option is enabled, Altus synchronizes a user's group membership in the following manner:
  • The group membership that your enterprise IdP specifies for a user overrides the group membership set up in Altus. Each time a user logs in, Altus updates the user's group membership based on the groups that your enterprise IdP specifies for the user.
  • If the group exists in Altus, Altus adds the user to the group. The user takes on all the roles associated with the group.
  • If the group does not exist in Altus, Altus creates the group and adds the user to the group. However, no roles are assigned to the new group, so a member of the new group does not take on roles from the group.
  • If the user is a member of a group in Altus that is not included in the list provided by your enterprise IdP, Altus removes the user from the group.
  • If the list of groups from your enterprise IdP is empty, Altus removes the user from all groups in Altus. After login, the user will not be a member of any Altus group and will not have roles from any group.

To ensure that users can perform tasks in Altus, Cloudera recommends that you set up the groups in Altus with appropriate roles before you assign them to users.

Sync Groups on Login disabled

When the Sync Groups on Login option is disabled, Altus does not synchronize the user's group membership in Altus with the user's group membership provided by the IdP. After login, a user's group membership in Altus is determined by the Altus groups assigned to the user in Altus. The groups assigned to the user in your enterprise IdP are ignored.
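The rules in the two sections above (Sync Groups on Login enabled and disabled), modelled as an added Python function so the effect on a user's roles can be checked; this is example code, not Altus code. The group names and the DataEngineer role in the sample are constructed; PowerUser is the role the page names.

```python
def sync_groups_on_login(altus_groups, user_groups, idp_groups, sync_enabled=True):
    """Apply the Sync Groups on Login rules described above.

    altus_groups: {group name: set of roles assigned to the group}; updated in place
                  when a group asserted by the IdP has to be created.
    user_groups:  set of Altus groups the user belongs to before this login.
    idp_groups:   list of group names the enterprise IdP asserted for the user.
    Returns (groups after login, groups created, effective roles after login).
    """
    if not sync_enabled:
        # Disabled: the IdP list is ignored; the user's Altus membership stands as configured.
        roles = set().union(*(altus_groups[g] for g in user_groups))
        return set(user_groups), set(), roles
    # Enabled: the IdP list replaces Altus membership outright; an empty list removes every group,
    # so a user who was manually added to a privileged Altus group loses it on login.
    new_membership = set(idp_groups)
    created = {g for g in new_membership if g not in altus_groups}
    for g in created:
        altus_groups[g] = set()  # the new group exists but carries no roles
    roles = set().union(*(altus_groups[g] for g in new_membership))
    return new_membership, created, roles


# Constructed sample: two Altus groups with roles, and a user who was added to "admins" in Altus.
ALTUS_GROUPS = {"admins": {"PowerUser"}, "data-engineers": {"DataEngineer"}}

if __name__ == "__main__":
    groups = {name: set(roles) for name, roles in ALTUS_GROUPS.items()}
    # The IdP asserts two groups; "analysts" does not yet exist in Altus.
    print(sync_groups_on_login(groups, {"admins"}, ["data-engineers", "analysts"]))
    print(sync_groups_on_login(groups, {"admins"}, []))  # empty IdP list: no groups, no roles
```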

Updating an Identity Provider

You can update the group synchronization option and the provider metadata in an Altus identity provider. To update an identity provider in Altus, you must be an Altus account administrator or have the PowerUser role.

You might want to update the Altus identity provider to change the group synchronization option or to update the list of X.509 certificates in the provider metadata.

To update the Altus identity provider:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Identity Providers.
  3. Go to the name of the Altus identity provider you want to update and click the Actions button.
  4. Select Update Identity Provider.
  5. On the Identity Provider window, you can change the Sync Groups on Login option and the provider metadata. You cannot change the name of the Altus identity provider.
  6. Verify the updates and click OK.

    Altus updates the information for the Altus identity provider.