
SAML Authentication

Configuring SAML user authentication for Tamr Core.

By default, Tamr Core uses local database-backed authentication and authorization.

If your deployment requires it, Tamr Core supports SAML 2.0 for web-based, cross-domain single sign-on (SSO) access. When configured to use SAML 2.0, users are redirected to authenticate to the service provider, in this case Tamr Core, using your identity provider.

In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.

Configuring SSO Using SAML 2.0

To configure SSO using SAML 2.0:

  1. For each of the configuration variables that follow, use the Tamr Core administrative utility to specify a value. See Setting Configuration Variables.
  2. Restart Tamr Core and its dependencies. See Restarting.

Required Configuration Variables

Configuration variable: TAMR_UNIFY_ENABLE_SAML
Example: true

Configuration variable: TAMR_SAML_SSO_LOCATION
Example: https://mycompany.com/IdP
Description: The URL of the Identity Provider that the user is directed to in order to initiate SSO (single sign-on) access.

Configuration variable: TAMR_SAML_ENTITY_ID
Example: https://tamr.mycompany.com
Description: The ID used to describe this Service Provider. The Identity Provider uses it to look up relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique. Tamr recommends setting it to the URL of the Tamr Core instance.

Configuration variable: TAMR_SAML_AUTH_COMPARISON_TYPE
Default: minimum
Possible values: exact, minimum, maximum, and better.
Description: The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method. For more information, see the Signicat documentation on specifying authentication contexts in SAML 2.0.

Optional Configuration Variable

Configuration variable: TAMR_SAML_PRINCIPAL_FIELD
Example: mycompany.nameid
Description: The name of the field in the Identity Provider response that represents the authenticated principal. This variable is optional: set it to the name of an attribute the SAML connector sends back only if you do not want to use the default value returned by the SAML server, SAML_SUBJECT.

Optional Security Configuration Variables

Configuration variable: TAMR_SAML_IDP_CERTIFICATE_PATH
Example: /path/to/certificate.crt
Description: Location of the certificate file on the Tamr Core local filesystem that is used to validate the response sent back from the Identity Provider. If empty, Tamr Core assumes that the Identity Provider server is sending unsigned data.
You need to get the certificate from your IdP, copy it to the instance where Tamr Core is running, and provide the absolute path of the certificate in this configuration variable. Tamr does not provide the certificate file. Contact your IT team to obtain it.

Configuration variable: TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH
Example: /path/to/decrypt/key/file
Description: The location of the public key file on the Tamr Core local filesystem that decrypts the authentication response from the Identity Provider server, specifically the attributes. If empty, Tamr Core assumes that the IdP server is sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata.

Configuration variable: TAMR_SAML_AUTH_SIGNING_KEY_PATH
Example: /path/to/signing/key/file
Description: The location of the private key file on the Tamr Core local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, Tamr Core assumes that the Service Provider will not sign its authentication requests.

Configuration variable: TAMR_SAML_AUTH_CONTEXT_TYPE
Description: The desired authentication method to use for signing in. For more information, see Specifying Authentication Contexts in SAML 2.0.

Configuration variable: TAMR_SAML_NAME_ID_POLICY
Description: The schema type policy for NameId when getting a response from the IdP.
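The tables above say what Tamr Core assumes when each security variable is left empty (unsigned responses, unencrypted attributes, unsigned requests). The following pre-deployment check is an added example, not Tamr's own code or administrative utility: it takes the variables named on this page as a plain dict (however you export them from your deployment), reports missing or invalid values, and spells out the implication of each empty security variable. The PEM check only confirms that a referenced file exists and has PEM framing; full certificate and key validation is left to Tamr Core.

```python
"""Pre-deployment check of a Tamr Core SAML configuration (added example)."""
import os
import re
from urllib.parse import urlparse

REQUIRED = ("TAMR_UNIFY_ENABLE_SAML", "TAMR_SAML_SSO_LOCATION", "TAMR_SAML_ENTITY_ID")
COMPARISON_TYPES = {"exact", "minimum", "maximum", "better"}

# Variable -> what Tamr Core assumes when it is empty, per the table above.
SECURITY_IMPLICATIONS = {
    "TAMR_SAML_IDP_CERTIFICATE_PATH": "IdP responses are treated as unsigned and are not validated",
    "TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH": "IdP attributes are assumed to be sent unencrypted",
    "TAMR_SAML_AUTH_SIGNING_KEY_PATH": "authentication requests to the IdP are not signed",
}

PEM_HEADER = re.compile(rb"-----BEGIN [A-Z ]+-----")


def _is_https_url(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def _pem_file_ok(path):
    """True if path is a readable file containing at least one PEM block."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return PEM_HEADER.search(fh.read()) is not None


def check_saml_config(config):
    """Return (errors, warnings) for a dict of TAMR_* configuration values.

    Errors stop SSO from working or point at an unreadable file; warnings flag
    settings that weaken the SAML exchange but that the product allows.
    """
    errors, warnings = [], []

    for name in REQUIRED:
        if not config.get(name):
            errors.append(f"{name} is required but is unset")

    if config.get("TAMR_UNIFY_ENABLE_SAML", "").strip().lower() != "true":
        errors.append("TAMR_UNIFY_ENABLE_SAML must be 'true' for SAML SSO to take effect")

    for name in ("TAMR_SAML_SSO_LOCATION", "TAMR_SAML_ENTITY_ID"):
        value = config.get(name)
        if value and not _is_https_url(value):
            warnings.append(f"{name}={value!r} is not an https URL")

    comparison = config.get("TAMR_SAML_AUTH_COMPARISON_TYPE", "minimum")
    if comparison not in COMPARISON_TYPES:
        errors.append(
            f"TAMR_SAML_AUTH_COMPARISON_TYPE={comparison!r} is not one of "
            + ", ".join(sorted(COMPARISON_TYPES))
        )

    for name, implication in SECURITY_IMPLICATIONS.items():
        path = config.get(name, "")
        if not path:
            warnings.append(f"{name} is empty: {implication}")
        elif not _pem_file_ok(path):
            errors.append(f"{name}={path!r} is not a readable PEM file")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: required values set, all security variables empty.
    sample = {
        "TAMR_UNIFY_ENABLE_SAML": "true",
        "TAMR_SAML_SSO_LOCATION": "https://mycompany.com/IdP",
        "TAMR_SAML_ENTITY_ID": "https://tamr.mycompany.com",
        "TAMR_SAML_AUTH_COMPARISON_TYPE": "minimum",
    }
    errs, warns = check_saml_config(sample)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the constructed sample, the check reports no errors but three warnings, one per empty security variable; that is the state a deployment is in right after only the required variables have been set, and the warnings list what still has to be provisioned with your IdP before the exchange is signed and encrypted.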

User and Group Synchronization

  • User synchronization between Tamr Core and SAML is "lazy", meaning that a user's account is added from SAML to Tamr Core only when that user first signs in to Tamr Core.
  • Group synchronization: once a user is signed in to Tamr Core, they must belong to a group in SAML to be authorized. By default, users who do not belong to a mapped group are not given a role.

Optional User Information Configuration Variables

Configuration variable: TAMR_SAML_FIRST_NAME_FIELD
Example: mycompany.firstname
Description: The name of the field in the SAML authentication response that represents the first name of the authenticated principal.

Configuration variable: TAMR_SAML_LAST_NAME_FIELD
Example: mycompany.lastname
Description: The name of the field in the SAML authentication response that represents the last name of the authenticated principal.

Configuration variable: TAMR_SAML_EMAIL_FIELD
Example: mycompany.email
Description: The name of the field in the SAML authentication response that represents the email address of the authenticated principal.

Configuration variable: TAMR_SAML_GROUP_MEMBERSHIP_FIELD
Example: mycompany.groups
Description: The name of the field in the SAML authentication response that represents the group memberships of the authenticated principal, used for authorization.

Identity provider response fields used for updating user information and authorization in Tamr Core.
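The field-name variables above, together with TAMR_SAML_PRINCIPAL_FIELD and the group synchronization rule, decide what Tamr Core records about a user on first sign-in. The following is an added example, not Tamr's own code, of how those variables select values out of an IdP response: the principal comes from the Subject NameID (the SAML_SUBJECT default) unless TAMR_SAML_PRINCIPAL_FIELD names an attribute, the name and email fields are plain attributes, and the group attribute is matched against a group-to-role table so that a user with no matching group gets no role. The response is constructed, and the group-to-role table and its role names are hypothetical placeholders. Signature validation against TAMR_SAML_IDP_CERTIFICATE_PATH must already have passed before any of these values are trusted; it is not part of this example.

```python
"""Mapping a SAML response onto a Tamr Core user record (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML_SUBJECT = "SAML_SUBJECT"  # default principal source named on this page

# Constructed IdP response, unsigned, used only to illustrate field mapping.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mycompany.firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.email"><saml:AttributeValue>jane.doe@mycompany.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mycompany.groups">
        <saml:AttributeValue>tamr-curators</saml:AttributeValue>
        <saml:AttributeValue>finance-analysts</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
""".strip()

# Field-name variables exactly as named in the table above.
SAMPLE_CONFIG = {
    "TAMR_SAML_FIRST_NAME_FIELD": "mycompany.firstname",
    "TAMR_SAML_LAST_NAME_FIELD": "mycompany.lastname",
    "TAMR_SAML_EMAIL_FIELD": "mycompany.email",
    "TAMR_SAML_GROUP_MEMBERSHIP_FIELD": "mycompany.groups",
}

# Hypothetical group -> role table; the role names are placeholders.
SAMPLE_GROUP_ROLES = {"tamr-curators": "curator", "tamr-admins": "admin"}


def parse_response(xml_text):
    """Return (subject NameID or None, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    return subject, attributes


def map_user(xml_text, config, group_roles):
    """Build the user record that would be synchronized on first sign-in."""
    subject, attributes = parse_response(xml_text)

    def first_value(field_name):
        return (attributes.get(field_name) or [None])[0] if field_name else None

    # Principal: Subject NameID by default, or the configured attribute.
    principal_field = config.get("TAMR_SAML_PRINCIPAL_FIELD") or SAML_SUBJECT
    principal = subject if principal_field == SAML_SUBJECT else first_value(principal_field)
    if not principal:
        raise ValueError(f"response carries no principal in {principal_field}")

    groups = attributes.get(config.get("TAMR_SAML_GROUP_MEMBERSHIP_FIELD", ""), [])
    # Only groups present in the mapping grant a role; anything else gets none.
    roles = sorted({group_roles[g] for g in groups if g in group_roles})
    return {
        "username": principal,
        "first_name": first_value(config.get("TAMR_SAML_FIRST_NAME_FIELD")),
        "last_name": first_value(config.get("TAMR_SAML_LAST_NAME_FIELD")),
        "email": first_value(config.get("TAMR_SAML_EMAIL_FIELD")),
        "groups": groups,
        "roles": roles,
    }


if __name__ == "__main__":
    print(map_user(SAMPLE_RESPONSE, SAMPLE_CONFIG, SAMPLE_GROUP_ROLES))
```

With the sample as written the principal is the NameID jdoe; adding TAMR_SAML_PRINCIPAL_FIELD=mycompany.email to the config switches it to the email attribute, and a response whose groups match nothing in the table yields an empty role list, which is the page's default of giving unauthorized users no role.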

Assertion Consumer Service (ACS) Endpoint

The Identity Provider needs an ACS URL (endpoint) to which it sends the SAML authentication response for Tamr Core. The ACS URL for the Tamr Core software is
http://<tamr_hostname>:<tamr_port>/sso/saml/consume or https://<tamr_https_url>/sso/saml/consume.