SAML Authentication

Configure SAML user authentication for Tamr, and change default Postgres credentials.

By default, Tamr uses local database-backed authentication and authorization.

If your deployment requires it, Tamr also supports SAML 2.0 for web-based, cross-domain single sign-on (SSO). When Tamr is configured to use SAML 2.0, users are redirected to your Identity Provider to authenticate to the Service Provider, here Tamr.

In addition to configuring SSO with SAML, you may want to specify custom credentials for Postgres. See Postgres.

Configuring SSO Using SAML 2.0

To configure SSO using SAML 2.0:

  1. Set each of the following configuration variables using the admin tool. See Creating or Updating a Configuration Variable.
  2. Restart Unify and its dependencies. See Restarting.

Required Configuration Variables

TAMR_UNIFY_ENABLE_SAML

Configuration Variable | Example Value
TAMR_UNIFY_ENABLE_SAML | true

TAMR_SAML_SSO_LOCATION

Configuration Variable | Example Value
TAMR_SAML_SSO_LOCATION | https://mycompany.com/IdP

The URL of the Identity Provider that the user is directed to in order to initiate single sign-on.

TAMR_SAML_ENTITY_ID

Configuration Variable | Example Value
TAMR_SAML_ENTITY_ID | https://tamr.mycompany.com

The ID used to describe the Service Provider, here specified as Tamr.

This ID is used by the Identity Provider to look up relevant metadata and should be globally unique. We recommend setting it to the URL of the Tamr instance.

TAMR_SAML_PRINCIPAL_FIELD

Configuration Variable | Example Value
TAMR_SAML_PRINCIPAL_FIELD | mycompany.nameid

The field name in the Identity Provider response that represents the authenticated principal.

TAMR_SAML_AUTH_COMPARISON_TYPE

Configuration Variable | Example Value
TAMR_SAML_AUTH_COMPARISON_TYPE | The default value is minimum. Possible values are: exact, minimum, maximum, and better.

The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method.

TAMR_SAML_COOKIE_DOMAIN

Configuration Variable | Example Value
TAMR_SAML_COOKIE_DOMAIN | tamr.mycompany.com

The domain used for setting the cookie that stores the Tamr authenticated session. This should match the domain of the URL of the Tamr instance.

Optional Security Configuration

TAMR_SAML_IDP_CERTIFICATE_PATH

Configuration Variable | Example Value
TAMR_SAML_IDP_CERTIFICATE_PATH | /path/to/certificate.crt

Location of the certificate file on the Tamr local filesystem that is used to validate the response sent back from the Identity Provider. If empty, it is assumed that the Identity Provider server is sending unsigned data.

TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH

Configuration Variable | Example Value
TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH | /path/to/decrypt/key/file

Location of the public key file on the Tamr local filesystem that decrypts the authentication response from the Identity Provider. The public key should be provided by the Identity Provider. If empty, it is assumed that the Identity Provider is sending unencrypted data.

TAMR_SAML_AUTH_SIGNING_KEY_PATH

Configuration Variable | Example Value
TAMR_SAML_AUTH_SIGNING_KEY_PATH | /path/to/signing/key/file

Location of the private key file on the Tamr local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider. If empty, it is assumed that the Service Provider will not sign its authentication requests.
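
An added example (not Tamr code): a Python check that audits a set of the variables above before they are applied with the admin tool, flagging missing required values, an invalid comparison type, a cookie domain that differs from the instance host, and empty optional security paths. The function name, the findings format, the https check and the use of the entity ID as the instance URL are assumptions of this example; the sample is constructed from the page's example values.

```python
from urllib.parse import urlparse

REQUIRED = ("TAMR_UNIFY_ENABLE_SAML", "TAMR_SAML_SSO_LOCATION", "TAMR_SAML_ENTITY_ID",
            "TAMR_SAML_PRINCIPAL_FIELD", "TAMR_SAML_COOKIE_DOMAIN")
COMPARISON_TYPES = {"exact", "minimum", "maximum", "better"}
# What the page says an empty value implies for each optional security variable.
OPTIONAL_SECURITY = {
    "TAMR_SAML_IDP_CERTIFICATE_PATH": "Identity Provider responses are assumed unsigned",
    "TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH": "Identity Provider responses are assumed unencrypted",
    "TAMR_SAML_AUTH_SIGNING_KEY_PATH": "authentication requests are sent unsigned",
}

def audit_saml_config(settings):
    """Return (severity, variable, message) findings for a dict of variable values."""
    cfg = {k: (v or "").strip() for k, v in settings.items()}
    findings = [("error", n, "required variable is not set") for n in REQUIRED if not cfg.get(n)]
    sso = cfg.get("TAMR_SAML_SSO_LOCATION", "")
    if sso and urlparse(sso).scheme != "https":
        findings.append(("warn", "TAMR_SAML_SSO_LOCATION", "SSO URL does not use https"))
    comparison = cfg.get("TAMR_SAML_AUTH_COMPARISON_TYPE") or "minimum"  # page default
    if comparison not in COMPARISON_TYPES:
        findings.append(("error", "TAMR_SAML_AUTH_COMPARISON_TYPE",
                         f"{comparison!r} is not one of {sorted(COMPARISON_TYPES)}"))
    # Assumption: the entity ID is the Tamr instance URL, as the page recommends.
    host = urlparse(cfg.get("TAMR_SAML_ENTITY_ID", "")).hostname
    cookie = cfg.get("TAMR_SAML_COOKIE_DOMAIN", "").lstrip(".").lower()
    if host and cookie and cookie != host:
        kind = "is broader than" if host.endswith("." + cookie) else "does not match"
        findings.append(("warn", "TAMR_SAML_COOKIE_DOMAIN", f"{kind} instance host {host}"))

    for name, meaning in OPTIONAL_SECURITY.items():
        if not cfg.get(name):
            findings.append(("warn", name, f"empty: {meaning}"))
    return findings

# Constructed sample: the page's example values with deliberate defects added.
SAMPLE = {
    "TAMR_UNIFY_ENABLE_SAML": "true",
    "TAMR_SAML_SSO_LOCATION": "https://mycompany.com/IdP",
    "TAMR_SAML_ENTITY_ID": "https://tamr.mycompany.com",
    "TAMR_SAML_PRINCIPAL_FIELD": "mycompany.nameid",
    "TAMR_SAML_AUTH_COMPARISON_TYPE": "strongest",   # defect: not an allowed value
    "TAMR_SAML_COOKIE_DOMAIN": "mycompany.com",      # defect: parent domain of the host
    "TAMR_SAML_AUTH_SIGNING_KEY_PATH": "/path/to/signing/key/file",
}

if __name__ == "__main__":
    for severity, name, message in audit_saml_config(SAMPLE):
        print(f"{severity:5} {name}: {message}")
```

A cookie domain set to a parent domain is reported because the session cookie would then also be sent to sibling hosts under that domain.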

Optional User Information Configuration Variables

Configuration Variable | Example Value
TAMR_SAML_FIRST_NAME_FIELD | mycompany.firstname
TAMR_SAML_LAST_NAME_FIELD | mycompany.lastname
TAMR_SAML_EMAIL_FIELD | mycompany.email
TAMR_SAML_GROUP_MEMBERSHIP_FIELD | mycompany.groups

Identity Provider response fields used for updating user information and authorization in Tamr.