Tamr Documentation

SAML Authentication

Configure SAML user authentication for Tamr.

By default, Tamr uses local database-backed authentication and authorization.

If your deployment requires it, Tamr also supports SAML 2.0 for web-based, cross-domain single sign-on (SSO). When SAML 2.0 is configured, users are redirected to your Identity Provider to authenticate to the Service Provider, which here is Tamr.

In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.

Configuring SSO Using SAML 2.0

To configure SSO using SAML 2.0:

  1. For each of the configuration variables that follow, use the Tamr administrative utility to specify a value. See Setting Configuration Variables.
  2. Restart Tamr and its dependencies. See Restarting Tamr and Its Dependencies.

Required Configuration Variables

TAMR_UNIFY_ENABLE_SAML

Configuration Variable: TAMR_UNIFY_ENABLE_SAML
Example Value: true

TAMR_SAML_SSO_LOCATION

Configuration Variable: TAMR_SAML_SSO_LOCATION
Example Value: https://mycompany.com/IdP

The URL of the Identity Provider to which the user is redirected to initiate single sign-on (SSO).

TAMR_SAML_ENTITY_ID

Configuration Variable: TAMR_SAML_ENTITY_ID
Example Value: https://tamr.mycompany.com

The ID that identifies this Service Provider. The Identity Provider uses it to look up the relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique; we recommend setting it to the URL of the Tamr instance.

TAMR_SAML_AUTH_COMPARISON_TYPE

Configuration Variable: TAMR_SAML_AUTH_COMPARISON_TYPE
Default Value: minimum
Possible Values: exact, minimum, maximum, better

The minimum authentication method strength required. It is the Comparison value of the RequestedAuthnContext element in SAML and is based on the signicat.security-level value of the authentication method. For more information, see Specifying Authentication Contexts in SAML 2.0.

Optional Configuration

TAMR_SAML_PRINCIPAL_FIELD

Configuration Variable: TAMR_SAML_PRINCIPAL_FIELD
Example Value: mycompany.nameid

The name of the field in the Identity Provider response that represents the authenticated principal. This variable is optional: set it to an attribute sent back by the SAML connector only if you do not want to use the default value sent back by the SAML server, SAML_SUBJECT.

Optional Security Configuration

TAMR_SAML_IDP_CERTIFICATE_PATH

Configuration Variable: TAMR_SAML_IDP_CERTIFICATE_PATH
Example Value: /path/to/certificate.crt

Location of the certificate file on the Tamr local filesystem that is used to validate the response sent back from the Identity Provider. If empty, the Identity Provider is assumed to be sending unsigned data, so response signatures are not validated.

TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH

Configuration Variable: TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH
Example Value: /path/to/decrypt/key/file

The location of the public key file on the Tamr local filesystem that decrypts the authentication response from the Identity Provider server, specifically its attributes. If empty, the IdP server is assumed to be sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata.

TAMR_SAML_AUTH_SIGNING_KEY_PATH

Configuration Variable: TAMR_SAML_AUTH_SIGNING_KEY_PATH
Example Value: /path/to/signing/key/file

The location of the private key file on the Tamr local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, the Service Provider is assumed not to sign its authentication requests.
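Because an empty value for any of these three settings means that signature validation, attribute decryption or request signing is skipped, it is worth checking the configured paths before restarting Tamr. The script below is an added example, not part of Tamr: it reports what each empty setting implies, checks that a configured file exists, is readable and carries the expected PEM header, and flags a private key that is readable by other users. The PEM files it writes are constructed placeholders, not real key material.

```python
import os
import stat
import tempfile

# (variable, PEM marker expected in the file, is it a private key, meaning of an empty value)
KEY_MATERIAL_CHECKS = [
    ("TAMR_SAML_IDP_CERTIFICATE_PATH", "-----BEGIN CERTIFICATE-----", False,
     "empty: IdP responses are treated as unsigned, so no signature validation takes place"),
    ("TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH", "-----BEGIN", False,
     "empty: attributes in the IdP response are expected to arrive unencrypted"),
    ("TAMR_SAML_AUTH_SIGNING_KEY_PATH", "PRIVATE KEY-----", True,
     "empty: authentication requests sent to the IdP are not signed"),
]


def _pem_head(path):
    """Read only the first KiB: enough to see the PEM header without loading key bytes."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(1024)


def _check_pem_file(var, path, marker, private):
    if not os.path.isfile(path):
        return [(var, "error", f"{path} does not exist or is not a regular file")]
    if not os.access(path, os.R_OK):
        return [(var, "error", f"{path} is not readable by the current user")]
    findings = []
    if marker not in _pem_head(path):
        findings.append((var, "error", f"{path} does not look like a PEM file containing {marker!r}"))
    # A private key readable by group or others leaks the Service Provider's signing identity.
    if private and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((var, "warning",
                         f"{path} is accessible to group or others; restrict a private key to mode 0600"))
    return findings


def check_saml_key_material(config):
    """Return (variable, severity, message) findings for the three optional security settings."""
    findings = []
    for var, marker, private, empty_meaning in KEY_MATERIAL_CHECKS:
        path = config.get(var, "")
        if not path:
            findings.append((var, "warning", empty_meaning))
        else:
            findings.extend(_check_pem_file(var, path, marker, private))
    return findings


def make_sample_config(directory, key_mode=0o600):
    """Write constructed placeholder PEM files (not real keys) and return a config using them."""
    cert_path = os.path.join(directory, "idp.crt")
    key_path = os.path.join(directory, "sp-signing.key")
    with open(cert_path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    with open(key_path, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    os.chmod(key_path, key_mode)
    return {
        "TAMR_SAML_IDP_CERTIFICATE_PATH": cert_path,
        "TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH": "",   # deliberately left empty for the demo
        "TAMR_SAML_AUTH_SIGNING_KEY_PATH": key_path,
    }


def run_demo(key_mode=0o600):
    """Build the sample config in a temporary directory and return its findings."""
    with tempfile.TemporaryDirectory() as directory:
        return check_saml_key_material(make_sample_config(directory, key_mode))


if __name__ == "__main__":
    for var, severity, message in run_demo(key_mode=0o644):
        print(f"{severity:8} {var}: {message}")
```

Run it against the real configuration by passing a dict of the three variables to check_saml_key_material; every warning about an empty value is a deliberate decision you should be able to justify, not a default to accept silently.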

TAMR_SAML_AUTH_CONTEXT_TYPE

Configuration Variable: TAMR_SAML_AUTH_CONTEXT_TYPE
Description: The desired authentication method to use for signing in. For more information, see Specifying Authentication Contexts in SAML 2.0.

TAMR_SAML_NAME_ID_POLICY

Configuration Variable: TAMR_SAML_NAME_ID_POLICY
Description: The schema type policy for the NameID in the response from the IdP.
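The required variables above, together with TAMR_SAML_AUTH_CONTEXT_TYPE and TAMR_SAML_NAME_ID_POLICY, correspond to fields of the SAML 2.0 AuthnRequest that a Service Provider sends to the SSO location. The following script is an added illustration, not Tamr's own code: it assembles such a request from constructed sample settings (the context class URI, the NameID format and the Tamr hostname and port in the ACS URL are assumptions; the SSO location and entity ID are the page's example values), encodes it for the HTTP-Redirect binding, and reads it back so you can verify what the Identity Provider will receive.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
VALID_COMPARISONS = {"exact", "minimum", "maximum", "better"}

# Constructed sample settings. The variable names are the ones documented above; the
# context class and NameID format are assumed standard SAML 2.0 URIs for this demo.
SAMPLE_CONFIG = {
    "TAMR_UNIFY_ENABLE_SAML": "true",
    "TAMR_SAML_SSO_LOCATION": "https://mycompany.com/IdP",
    "TAMR_SAML_ENTITY_ID": "https://tamr.mycompany.com",
    "TAMR_SAML_AUTH_COMPARISON_TYPE": "minimum",
    "TAMR_SAML_AUTH_CONTEXT_TYPE": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "TAMR_SAML_NAME_ID_POLICY": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
# Assumed hostname and port, placed into the <tamr_hostname>:<tamr_port>/sso/saml/consume shape.
ACS_URL = "https://tamr.mycompany.com:9100/sso/saml/consume"


def build_authn_request(config, acs_url, request_id=None, issue_instant=None):
    """Return (sso_location, authn_request_xml_bytes) assembled from the configuration."""
    if config.get("TAMR_UNIFY_ENABLE_SAML", "").lower() != "true":
        raise ValueError("TAMR_UNIFY_ENABLE_SAML is not true; SAML SSO is disabled")
    comparison = config.get("TAMR_SAML_AUTH_COMPARISON_TYPE") or "minimum"  # documented default
    if comparison not in VALID_COMPARISONS:
        raise ValueError(f"unsupported comparison type {comparison!r}")
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": config["TAMR_SAML_SSO_LOCATION"],        # where the browser is sent
        "AssertionConsumerServiceURL": acs_url,                  # where the IdP posts the response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    # The Issuer is the Service Provider entity ID the IdP uses to look up Tamr's metadata.
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = config["TAMR_SAML_ENTITY_ID"]
    # Schema order for the children used here: Issuer, NameIDPolicy, RequestedAuthnContext.
    name_id_format = config.get("TAMR_SAML_NAME_ID_POLICY")
    if name_id_format:
        ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": name_id_format, "AllowCreate": "true"})
    context_class = config.get("TAMR_SAML_AUTH_CONTEXT_TYPE")
    if context_class:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = context_class
    return config["TAMR_SAML_SSO_LOCATION"], ET.tostring(root, encoding="utf-8")


def encode_for_redirect(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode for the SAMLRequest parameter."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml_bytes) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_from_redirect(param):
    """Inverse of encode_for_redirect; this is what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(urllib.parse.unquote(param)), -15)


def summarize_authn_request(xml_bytes):
    """Read the settings back from a serialized request, to check what the IdP will see."""
    root = ET.fromstring(xml_bytes)
    ns = {"samlp": SAMLP, "saml": SAML}
    nip = root.find("samlp:NameIDPolicy", ns)
    rac = root.find("samlp:RequestedAuthnContext", ns)
    return {
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext("saml:Issuer", namespaces=ns),
        "name_id_format": nip.get("Format") if nip is not None else None,
        "comparison": rac.get("Comparison") if rac is not None else None,
        "context_class": (rac.findtext("saml:AuthnContextClassRef", namespaces=ns)
                          if rac is not None else None),
    }


if __name__ == "__main__":
    sso_location, request_xml = build_authn_request(SAMPLE_CONFIG, ACS_URL)
    print(request_xml.decode())
    print(f"{sso_location}?SAMLRequest={encode_for_redirect(request_xml)}")
```

The Comparison attribute is what TAMR_SAML_AUTH_COMPARISON_TYPE controls: with "minimum" the IdP may satisfy the request with the named context class or a stronger one, while "exact" requires that class and nothing else, so an IdP that has no matching class fails the login rather than downgrading it.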

User and Group Synchronization

  • User synchronization between Tamr and SAML is "lazy": a user's account is added from SAML to Tamr only when that user first logs in to Tamr.
  • Group synchronization: once a user has logged in to Tamr, they must belong to a group in SAML to be authorized. By default, unauthorized users are not given a role.

Optional User Information Configuration Variables

Identity Provider response fields used for updating user information and authorization in Tamr.

Configuration Variable: TAMR_SAML_FIRST_NAME_FIELD
Description and Value: The field name in the SAML authentication response that represents the first name of the authenticated principal, such as mycompany.firstname.

Configuration Variable: TAMR_SAML_LAST_NAME_FIELD
Description and Value: The field name in the SAML authentication response that represents the last name of the authenticated principal, such as mycompany.lastname.

Configuration Variable: TAMR_SAML_EMAIL_FIELD
Description and Value: The field name in the SAML authentication response that represents the email of the authenticated principal, such as mycompany.email.

Configuration Variable: TAMR_SAML_GROUP_MEMBERSHIP_FIELD
Description and Value: The field name in the SAML authentication response that lists the groups of the authenticated principal, such as mycompany.groups.
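How TAMR_SAML_PRINCIPAL_FIELD and the *_FIELD settings select values from the Identity Provider response, as an added example rather than Tamr's own code: it parses a constructed sample SAML Response, maps the attributes onto a user record using the page's example field names, and resolves a role from group membership, returning no role when none of the user's groups is mapped, which is the "unauthorized users are not given a role" case above. Modelling the default SAML_SUBJECT as the assertion's Subject NameID, and the group-to-role table, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response. A real one also carries a Signature and Conditions;
# validating those is the job of TAMR_SAML_IDP_CERTIFICATE_PATH and is out of scope here.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://tamr.mycompany.com:9100/sso/saml/consume">
  <saml:Issuer>https://mycompany.com/IdP</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://mycompany.com/IdP</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@mycompany.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mycompany.nameid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.email"><saml:AttributeValue>jdoe@mycompany.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.groups">
        <saml:AttributeValue>tamr-curators</saml:AttributeValue>
        <saml:AttributeValue>everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed field mapping using the page's example field names.
SAMPLE_FIELD_CONFIG = {
    "TAMR_SAML_PRINCIPAL_FIELD": "mycompany.nameid",
    "TAMR_SAML_FIRST_NAME_FIELD": "mycompany.firstname",
    "TAMR_SAML_LAST_NAME_FIELD": "mycompany.lastname",
    "TAMR_SAML_EMAIL_FIELD": "mycompany.email",
    "TAMR_SAML_GROUP_MEMBERSHIP_FIELD": "mycompany.groups",
}


def attributes_from_response(xml_text):
    """Collect attribute name -> list of values; SAML_SUBJECT is modelled as the Subject NameID."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attribute.get("Name")] = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs["SAML_SUBJECT"] = [name_id.text] if name_id is not None and name_id.text else []
    return attrs


def build_user(attrs, config):
    """Map response attributes onto a user record using the *_FIELD settings."""
    def first_value(var, default=None):
        field = config.get(var) or default
        values = attrs.get(field, []) if field else []
        return values[0] if values else None

    # Principal comes from TAMR_SAML_PRINCIPAL_FIELD when set, otherwise from SAML_SUBJECT.
    principal = first_value("TAMR_SAML_PRINCIPAL_FIELD", default="SAML_SUBJECT")
    if principal is None:
        raise ValueError("response carries no principal; refusing to create a user")
    groups_field = config.get("TAMR_SAML_GROUP_MEMBERSHIP_FIELD")
    return {
        "username": principal,
        "first_name": first_value("TAMR_SAML_FIRST_NAME_FIELD"),
        "last_name": first_value("TAMR_SAML_LAST_NAME_FIELD"),
        "email": first_value("TAMR_SAML_EMAIL_FIELD"),
        "groups": list(attrs.get(groups_field, [])) if groups_field else [],
    }


def resolve_role(user, group_roles):
    """Return the role granted by the first mapped group; None means no role (unauthorized)."""
    for group in user["groups"]:
        if group in group_roles:
            return group_roles[group]
    return None


if __name__ == "__main__":
    user = build_user(attributes_from_response(SAMPLE_RESPONSE), SAMPLE_FIELD_CONFIG)
    print(user)
    print("role:", resolve_role(user, {"tamr-curators": "curator"}))  # constructed mapping
```

Note that the username differs depending on whether TAMR_SAML_PRINCIPAL_FIELD is set ("jdoe" from mycompany.nameid versus the NameID "jdoe@mycompany.com"): changing this setting after users have logged in creates new accounts on next login because of the lazy synchronization described above.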

Assertion Consumer Service (ACS) Endpoint

The authentication response from the SAML service requires an ACS URL (endpoint) to which the response is sent to Tamr. The ACS URL for Tamr is:

<tamr_hostname>:<tamr_port>/sso/saml/consume
