SAML Authentication
Configure SAML user authentication for Tamr, and change default Postgres credentials.
By default, Tamr uses local database-backed authentication and authorization.
If your deployment requires it, Tamr also supports SAML 2.0 for web-based, cross-domain single sign-on (SSO) access. When configured to use SAML 2.0, users are redirected to authenticate to the Service Provider (here, Tamr) through your Identity Provider.
In addition to configuring SSO with SAML, you may want to specify custom credentials for Postgres. For more information, see Postgres.
Configuring SSO Using SAML 2.0
To configure SSO using SAML 2.0:
- Set each of the following configuration variables using the administration tool. See Creating or Updating a Configuration Variable.
- Restart Tamr and its dependencies. See Restarting Tamr and Its Dependencies.
Required Configuration Variables
TAMR_UNIFY_ENABLE_SAML
Configuration Variable | Example Value |
---|---|
TAMR_UNIFY_ENABLE_SAML | true |
TAMR_SAML_SSO_LOCATION
Configuration Variable | Example Value |
---|---|
TAMR_SAML_SSO_LOCATION | https://mycompany.com/IdP |
The URL of the Identity Provider that the user is directed to in order to initiate SSO (single sign-on) access.
TAMR_SAML_ENTITY_ID
Configuration Variable | Example Value |
---|---|
TAMR_SAML_ENTITY_ID | https://tamr.mycompany.com |
The ID used to describe this Service Provider. Used by the Identity Provider to look up relevant metadata, such as the public key used to encrypt authenticated messages. This ID should be globally unique. We recommend setting it to the URL of the Tamr instance.
TAMR_SAML_PRINCIPAL_FIELD
Configuration Variable | Example Value |
---|---|
TAMR_SAML_PRINCIPAL_FIELD | mycompany.nameid |
The field name in the Identity Provider response that represents the authenticated principal.
TAMR_SAML_AUTH_COMPARISON_TYPE
Configuration Variable | Example Value |
---|---|
TAMR_SAML_AUTH_COMPARISON_TYPE | The default value is minimum. Possible values are: exact, minimum, maximum, and better. |
The minimum authentication method strength required. It represents the RequestedAuthenticationContext comparison value in SAML and is based on the signicat.security-level value from the authentication method. For more information, see Specifying Authentication Contexts in SAML 2.0.
TAMR_SAML_COOKIE_DOMAIN
Configuration Variable | Description and Value |
---|---|
TAMR_SAML_COOKIE_DOMAIN | The domain that should be used for setting the cookie that stores the Tamr authentication session. This should match the domain of the URL of the Tamr instance. For example, tamr.mycompany.com |
Optional Security Configuration
TAMR_SAML_IDP_CERTIFICATE_PATH
Configuration Variable | Example Value |
---|---|
TAMR_SAML_IDP_CERTIFICATE_PATH | /path/to/certificate.crt |
The location of the certificate file on the Tamr local filesystem that is used to validate the response sent back from the Identity Provider. If empty, it is assumed that the Identity Provider server is sending unsigned data, and the response signature is not validated.
TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH
Configuration Variable | Example Value |
---|---|
TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH | /path/to/decrypt/key/file |
The location of the public key file on the Tamr local filesystem that is used to decrypt the authentication response from the Identity Provider server, specifically its attributes. If empty, it is assumed that the Identity Provider server is sending unencrypted data. The matching private key is provided to the Identity Provider for its definition of this Service Provider in its metadata.
TAMR_SAML_AUTH_SIGNING_KEY_PATH
Configuration Variable | Example Value |
---|---|
TAMR_SAML_AUTH_SIGNING_KEY_PATH | /path/to/signing/key/file |
The location of the private key file on the Tamr local filesystem that is used to sign authentication requests to the Identity Provider. The matching public key should be provided to the Identity Provider for its definition of this Service Provider in its metadata. If empty, it is assumed that the Service Provider will not sign its authentication requests.
Configuration Variable | Description |
---|---|
TAMR_SAML_AUTH_CONTEXT_TYPE | The desired authentication method to use for signing in. |
For more information, see Specifying Authentication Contexts in SAML 2.0.
Configuration Variable | Description |
---|---|
TAMR_SAML_NAME_ID_POLICY | The schema type policy for NameId when getting a response from the IdP. |
Optional User Information Configuration Variables
Configuration Variable | Description and Value |
---|---|
TAMR_SAML_FIRST_NAME_FIELD | The field name in the SAML authentication response that represents the first name of the authenticated principal, such as mycompany.firstname. |
TAMR_SAML_LAST_NAME_FIELD | The field name in the SAML authentication response that represents the last name of the authenticated principal, such as mycompany.lastname. |
TAMR_SAML_EMAIL_FIELD | The field name in the SAML authentication response that represents the email of the authenticated principal, such as mycompany.email. |
TAMR_SAML_GROUP_MEMBERSHIP_FIELD | The field name in the SAML authentication response that represents the group memberships of the authenticated principal, such as mycompany.groups. |
Identity Provider response fields used for updating user information and authorization in Tamr.
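Because leaving any of the optional security variables empty silently relaxes a protection (unsigned responses accepted, attributes assumed unencrypted, unsigned requests sent), it is worth checking the full set of variables before restarting Tamr. The preflight check below is an added example, not part of Tamr or its administration tool; it takes the variables as a plain dictionary, and the `exists` and `mode` parameters are hypothetical hooks so the check can run against a constructed configuration without touching the filesystem.

```python
import os
import stat
from urllib.parse import urlparse

# Allowed values for TAMR_SAML_AUTH_COMPARISON_TYPE, as documented above.
COMPARISON_TYPES = {"exact", "minimum", "maximum", "better"}

# Hypothetical preflight check, not part of Tamr. `config` maps the TAMR_SAML_* variables
# to their values; `exists` and `mode` are injectable so the check can run against a
# constructed configuration without touching the real filesystem.
def check_saml_config(config, exists=os.path.exists, mode=lambda p: os.stat(p).st_mode):
    errors, warnings = [], []
    get = lambda key: (config.get(key) or "").strip()

    if get("TAMR_UNIFY_ENABLE_SAML").lower() != "true":
        errors.append("TAMR_UNIFY_ENABLE_SAML must be 'true' to enable SSO")
    sso = urlparse(get("TAMR_SAML_SSO_LOCATION"))
    if sso.scheme != "https" or not sso.netloc:
        errors.append("TAMR_SAML_SSO_LOCATION must be an https URL")
    entity = urlparse(get("TAMR_SAML_ENTITY_ID"))
    if not entity.netloc:
        errors.append("TAMR_SAML_ENTITY_ID should be the URL of the Tamr instance")
    # The session cookie domain must match the host of the Tamr instance URL.
    cookie = get("TAMR_SAML_COOKIE_DOMAIN")
    if not cookie:
        errors.append("TAMR_SAML_COOKIE_DOMAIN is required")
    elif entity.hostname and not (entity.hostname == cookie or entity.hostname.endswith("." + cookie)):
        errors.append("TAMR_SAML_COOKIE_DOMAIN does not match the TAMR_SAML_ENTITY_ID host")
    if not get("TAMR_SAML_PRINCIPAL_FIELD"):
        errors.append("TAMR_SAML_PRINCIPAL_FIELD is required")
    if get("TAMR_SAML_AUTH_COMPARISON_TYPE") not in COMPARISON_TYPES:
        errors.append("TAMR_SAML_AUTH_COMPARISON_TYPE must be one of: " + ", ".join(sorted(COMPARISON_TYPES)))

    # Optional security variables: an empty value relaxes a protection, so report it.
    for var, consequence in [
        ("TAMR_SAML_IDP_CERTIFICATE_PATH", "Identity Provider responses are treated as unsigned"),
        ("TAMR_SAML_ATTRIBUTE_DECRYPT_KEY_PATH", "Identity Provider attributes are assumed unencrypted"),
        ("TAMR_SAML_AUTH_SIGNING_KEY_PATH", "authentication requests to the Identity Provider are unsigned"),
    ]:
        path = get(var)
        if not path:
            warnings.append(f"{var} is empty: {consequence}")
        elif not exists(path):
            errors.append(f"{var} points to a missing file: {path}")
    # The signing key is a private key; it must not be readable by group or other.
    key = get("TAMR_SAML_AUTH_SIGNING_KEY_PATH")
    if key and exists(key) and mode(key) & (stat.S_IRWXG | stat.S_IRWXO):
        errors.append(f"TAMR_SAML_AUTH_SIGNING_KEY_PATH file {key} is readable by group/other")
    return errors, warnings
```

Run it against the variable values you intend to set, and treat every warning as a deliberate decision rather than a default.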