By default, Tamr uses local database-backed authentication and authorization.
If your deployment requires it, Tamr also supports SAML 2.0 for web-based, cross-domain single sign-on (SSO) access. When configured to use SAML 2.0, users are redirected to your Identity Provider to authenticate to the Service Provider, which here is Tamr.
In addition to configuring SSO with SAML, you may want to specify custom credentials for PostgreSQL. For more information, see PostgreSQL.
To configure SSO using SAML 2.0:
- For each of the configuration variables that follow, use the Tamr administrative utility to specify a value. See Setting Configuration Variables.
- Restart Tamr and its dependencies. See Restarting Tamr and Its Dependencies.
The URL of the Identity Provider that the user is directed to in order to initiate SSO (single sign-on) access.
The ID used to describe this Service Provider. Used by the Identity Provider to look up relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique. We recommend setting it to the URL of the Tamr instance.
The default value is
The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method. For more information, see Specifying Authentication Contexts in SAML 2.0.
The field name in the Identity Provider response that represents the authenticated principal. This variable is optional and only needs to be set as an attribute sent back by the SAML connector if you do not want to use the default value sent back by the SAML server,
Location of the certificate file on the Tamr local filesystem that is used to validate the response sent back from the Identity Provider. If empty, it is assumed that the Identity Provider server is sending unsigned data.
The location of the public key file on the Tamr local filesystem that decrypts the authentication response from the Identity Provider server, specifically the attributes. If it is empty, it is assumed that the IdP server is sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata.
The location of the private key file on the Tamr local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, it is assumed that the Service Provider will not sign its authentication requests.
The desired authentication method to use for signing in. For more information, see Specifying Authentication Contexts in SAML 2.0.
The schema type policy for NameId when getting a response from the IdP.
- User synchronization between Tamr and SAML is "lazy", meaning that a user's account is added from SAML to Tamr only when that user first logs into Tamr.
- Group synchronization: once a user has logged in to Tamr, they must belong to a group in SAML. By default, unauthorized users are not given a role.
The field name in the SAML authentication response that represents the first name of the authenticated principal, such as
The field name in the SAML request's response that represents the email of the authenticated principal, such as
Identity Provider response fields used for updating user information and authorization in Tamr.
The authentication response from the SAML service requires an ACS URL or endpoint to send the response to Tamr. The ACS URL for the Tamr software is