SAML Authentication
Configuring SAML user authentication for Tamr Core.
By default, Tamr Core uses local database-backed authentication and authorization.
If your deployment requires it, Tamr Core supports SAML 2.0 for web-based, cross-domain single sign-on (SSO). When SAML 2.0 is configured, a user who signs in to the service provider (in this case Tamr Core) is redirected to your identity provider (IdP) to authenticate, and the IdP's response is returned to Tamr Core.
In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.
Configuring SSO Using SAML 2.0
To configure SSO using SAML 2.0:
- For each of the configuration variables that follow, use the Tamr Core administrative utility to specify a value. See Setting Configuration Variables.
- Restart Tamr Core and its dependencies. See Restarting.
Required Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_UNIFY_ENABLE_SAML | |
| TAMR_SAML_SSO_LOCATION | |
| TAMR_SAML_ENTITY_ID | |
| TAMR_SAML_AUTH_COMPARISON_TYPE | The default value is |
Optional Configuration Variable
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_PRINCIPAL_FIELD | |
Optional Security Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_IDP_CERTIFICATE_PATH | |
| TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH | |
| TAMR_SAML_AUTH_SIGNING_KEY_PATH | |
| TAMR_SAML_AUTH_CONTEXT_TYPE | The desired authentication method to use for signing in. |
| TAMR_SAML_NAME_ID_POLICY | The schema type policy for NameId when getting a response from the IdP. |
User and Group Synchronization
- User synchronization between Tamr Core and SAML is "lazy", meaning that a user's account is added from SAML to Tamr Core only when that user first signs in to Tamr Core.
- Group synchronization. Once a user has signed in to Tamr Core, that user must belong to a group in SAML to be authorized. By default, users who are not authorized are not given a role.
Optional User Information Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_FIRST_NAME_FIELD | The field name in the SAML authentication response that represents the first name of the authenticated principal, such as |
| TAMR_SAML_LAST_NAME_FIELD | |
| TAMR_SAML_EMAIL_FIELD | The field name in the SAML authentication response that represents the email of the authenticated principal, such as |
| TAMR_SAML_GROUP_MEMBERSHIP_FIELD | |

These identity provider response fields are used to update user information and authorization in Tamr Core.
Assertion Consumer Service (ACS) Endpoint
The authentication response from the SAML service requires an ACS URL, or endpoint, to which the response is sent for Tamr Core. The ACS URL for the Tamr Core software is http://<tamr_hostname>:<tamr_port>/sso/saml/consume or https://<tamr_https_url>/sso/saml/consume.
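As an added example (not Tamr's code), the following Python shows how the TAMR_SAML_*_FIELD variables above select attributes from an identity provider's response, how the group membership attribute decides whether a first-time user receives a role, and how the ACS URL is formed from the host and port. The attribute names (givenName, sn, mail, memberOf), the group-to-role table, the hostname and port, and the sample response are constructed assumptions, not values from this page; the sample response is unsigned and is used only to exercise the attribute mapping.

```python
"""Added example (not Tamr's code): map a SAML assertion's attributes to the user record
and role that Tamr Core's "lazy" synchronization would create on first sign-in.

Assumptions (not from the page): the attribute names, the group-to-role table and
the sample response below are constructed. Signature validation against the IdP
certificate (TAMR_SAML_IDP_CERTIFICATE_PATH) is out of scope here and must succeed
before any attribute in the response is trusted.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted XML (XXE, entity expansion)

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Configuration as it would be read from the Tamr Core variables (constructed values).
SETTINGS = {
    "TAMR_SAML_PRINCIPAL_FIELD": "NameID",  # empty or absent falls back to the subject NameID
    "TAMR_SAML_FIRST_NAME_FIELD": "givenName",
    "TAMR_SAML_LAST_NAME_FIELD": "sn",
    "TAMR_SAML_EMAIL_FIELD": "mail",
    "TAMR_SAML_GROUP_MEMBERSHIP_FIELD": "memberOf",
}

# Constructed mapping of IdP groups to roles; a group not listed here grants nothing.
GROUP_ROLES = {
    "tamr-admins": "admin",
    "tamr-curators": "curator",
}

# Constructed, unsigned sample response used only to exercise the mapping logic.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>tamr-curators</saml:AttributeValue>
        <saml:AttributeValue>everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def acs_url(hostname, port=None, https_url=None):
    """Build the ACS URL in the two forms given on this page."""
    if https_url:
        return f"https://{https_url}/sso/saml/consume"
    return f"http://{hostname}:{port}/sso/saml/consume"


def attributes(assertion):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    result = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return result


def map_user(response_xml, settings=SETTINGS, group_roles=GROUP_ROLES):
    """Produce the user record created on first sign-in and the role derived from
    group membership; role is None when no group in the assertion grants one."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    attrs = attributes(assertion)

    principal_field = settings.get("TAMR_SAML_PRINCIPAL_FIELD") or "NameID"
    if principal_field == "NameID":
        principal = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    else:
        principal = (attrs.get(principal_field) or [""])[0]
    if not principal:
        raise ValueError("assertion carries no usable principal")

    def first_value(field_key):
        name = settings.get(field_key)
        return (attrs.get(name) or [None])[0] if name else None

    groups = attrs.get(settings.get("TAMR_SAML_GROUP_MEMBERSHIP_FIELD"), [])
    # No role-granting group means no role, matching the page's default for unauthorized users.
    role = next((group_roles[g] for g in groups if g in group_roles), None)

    return {
        "username": principal,
        "first_name": first_value("TAMR_SAML_FIRST_NAME_FIELD"),
        "last_name": first_value("TAMR_SAML_LAST_NAME_FIELD"),
        "email": first_value("TAMR_SAML_EMAIL_FIELD"),
        "groups": groups,
        "role": role,
    }


if __name__ == "__main__":
    print(acs_url("tamr.example.internal", 9100))  # constructed hostname and port
    print(map_user(SAMPLE_RESPONSE))
```

Replacing the group value in the sample with one that is absent from GROUP_ROLES yields a record with role None, which is the state the page describes for an authenticated but unauthorized user.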