SAML Authentication
Configuring SAML user authentication for Tamr Core.
By default, Tamr Core uses local database-backed authentication and authorization.
If your deployment requires it, Tamr Core supports SAML 2.0 for web-based, cross-domain single sign-on (SSO) access. When configured to use SAML 2.0, users are redirected to authenticate to the service provider, in this case Tamr Core, using your identity provider.
In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.
Configuring SSO Using SAML 2.0
To configure SSO using SAML 2.0:
- For each of the configuration variables that follow, use the Tamr Core administrative utility to specify a value. See Setting Configuration Variables.
- Restart Tamr Core and its dependencies. See Restarting.
Required Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_UNIFY_ENABLE_SAML | true |
| TAMR_SAML_SSO_LOCATION | https://mycompany.com/IdPThe URL of the Identity Provider that the user is directed to in order to initiate SSO (single sign-on) access. |
| TAMR_SAML_ENTITY_ID | https://tamr.mycompany.comThe ID used to describe this Service Provider. Used by the Identity Provider to look up relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique. Tamr recommends setting it to the URL of the Tamr Core instance. |
| TAMR_SAML_AUTH_COMPARISON_TYPE | The default value is minimumPossible values are: exact, minimum, maximum, and better.The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method. For more information, see the Signicat documentation on specifying authentication contexts in SAML 2.0. |
Optional Configuration Variable
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_PRINCIPAL_FIELD | mycompany.nameidThe field name in the Identity Provider response that represents the authenticated principal. This variable is optional and only needs to be set as an attribute sent back by the SAML connector if you do not want to use the default value sent back by the SAML server, SAML_SUBJECT. |
Optional Security Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_IDP_CERTIFICATE_PATH | /path/to/certificate.crtLocation of the certificate file on the Tamr Core local filesystem that is used to validate the response sent back from the Identity Provider. If empty, it is assumed that the Identity Provider server is sending unsigned data. You need to get the certificate from your IdP, copy it to the instance where Tamr Core is running, and provide the absolute path of the certificate to this configuration variable. Tamr does not provide the certificate file. Contact your IT Team to obtain this information. |
| TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH | /path/to/decrypt/key/fileThe location of the public key file on Tamr Core local filesystem that decrypts the authentication response from the Identity Provider server, specifically the attributes. If it is empty, assume that the IdP server is sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata. |
| TAMR_SAML_AUTH_SIGNING_KEY_PATH | /path/to/signing/key/fileThe location of the private key file on the Tamr Core local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, it is assumed that the Service Provider will not sign its authentication requests. |
| TAMR_SAML_AUTH_CONTEXT_TYPE | The desired authentication method to use for signing in. For more information, see Specifying Authentication Contexts in SAML 2.0. |
| TAMR_SAML_NAME_ID_POLICY | The schema type policy for NameId when getting a response from the IdP. |
User and Group Synchronization
- User synchronization between Tamr Core and SAML is "lazy", meaning that a user's account is added from SAML to Tamr Core only when that user first signs in to Tamr Core.
- Group synchronization. Once a user is logged into Tamr Core, they must belong to a group in SAML. By default, unauthorized users are not given a role.
Optional User Information Configuration Variables
| Configuration Variable | Example and Description |
|---|---|
| TAMR_SAML_FIRST_NAME_FIELD | The field name in the SAML authentication response that represents the first name of the authenticated principal, such as mycompany.firstname. |
| TAMR_SAML_LAST_NAME_FIELD | mycompany.lastname |
| TAMR_SAML_EMAIL_FIELD | The field name in the SAML request's response that represents the email of the authenticated principal, such as mycompany.email. |
| TAMR_SAML_GROUP_MEMBERSHIP_FIELD | mycompany.groups |
Identity provider response fields used for updating user information and authorization in Tamr Core.
Assertion Consumer Service (ACS) Endpoint
The authentication response from the SAML service requires an ACS URL or endpoint to send the response to Tamr Core. The ACS URL for the Tamr Core software is
http://<tamr_hostname>:<tamr_port>/sso/saml/consume or https://<tamr_https_url>/sso/saml/consume.
Updated about 1 year ago