By default, Tamr uses local database-backed authentication and authorization.

If your deployment requires it, Tamr also supports SAML 2.0 for web-based, cross-domain single sign-on (SSO) access. When configured to use SAML 2.0, users are re-directed to authenticate to the Service Provider, here Tamr, using your Identity Provider.

In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.

Configuring SSO Using SAML 2.0

To configure SSO using SAML 2.0:

1. For each of the configuration variables that follow, use the Tamr administrative utility to specify a value. See Setting Configuration Variables.
2. Restart Tamr and its dependencies. See Restarting Tamr and Its Dependencies.

Required Configuration Variables

TAMR_UNIFY_ENABLE_SAML

TAMR_SAML_SSO_LOCATION

The URL of the Identity Provider that the user is directed to in order to initiate SSO (single sign-on) access.

TAMR_SAML_ENTITY_ID

The ID used to describe this Service Provider. Used by the Identity Provider to look up relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique. We recommend setting it to the URL of the Tamr instance.

TAMR_SAML_AUTH_COMPARISON_TYPE

The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method. For more information, see Specifying Authentication Contexts in SAML 2.0.

Optional Configuration

TAMR_SAML_PRINCIPAL_FIELD

The field name in the Identity Provider response that represents the authenticated principal. This variable is optional and only needs to be set as an attribute sent back by the SAML connector if you do not want to use the default value sent back by the SAML server, SAML_SUBJECT.

Optional Security Configuration

TAMR_SAML_IDP_CERTIFICATE_PATH

Location of the certificate file on the Tamr local filesystem that is used to validate the response sent back from the Identity Provider. If empty, it is assumed that the Identity Provider server is sending unsigned data.

TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH

The location of the public key file on Tamr local filesystem that decrypts the authentication response from the Identity Provider server, specifically the attributes. If it is empty, assume that the IdP server is sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata.

TAMR_SAML_AUTH_SIGNING_KEY_PATH

The location of the private key file on the Tamr local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, it is assumed that the Service Provider will not sign its authentication requests.

For more information, see Specifying Authentication Contexts in SAML 2.0.

User and Group Synchronization

• User synchronization between Tamr and SAML is "lazy", meaning that a user's account is added from SAML to Tamr only when that user first logs into Tamr.
• Group synchronization. Once a user is logged into Tamr, they must belong to a group in SAML. By default, unauthorized users are not given a role.

Optional User Information Configuration Variables

Identity Provider response fields used for updating user information and authorization in Tamr.

Assertion Consumer Service (ACS) Endpoint

The authentication response from the SAML service requires an ACS URL or endpoint to send the response to Tamr. The ACS URL for the Tamr software is
<tamr_hostname>:<tamr_port>/sso/saml/consume.