Tamr Python Client and SAML User Accounts

Tamr Python Client and SAML User Accounts

Disclaimer: This illustrates a method through which the Tamr Python client can be used when authenticating as a SAML-only Tamr user account. This requires initiating the session in a browser via the Tamr UI and is probably not appropriate for the automation of Tamr pipelines with Python scripts. Those tasks should use a Tamr-managed user account if at all possible.

Typical usage of the Tamr Python client involves authentication via username and password login to a Tamr-managed account.

import tamr_unify_client as tuc

my_auth = tuc.auth.UsernamePasswordAuth("my_username", "my_password")
my_client = tuc.Client(host="localhost", auth=my_auth)

This will not work for SAML-based authentication. If you have used Tamr with a SAML-only account, you might have noticed that you are able to make API calls via Swagger, so long as you have logged into the Tamr UI. This is because a cookie is set in your browser at login that identifies the authenticated session you are using. This is used by any following requests you initiate either by clicking a button in the UI or in Swagger. (Which is also why you do not always need to set credentials to “Try it out”).

This same cookie can be leveraged to run Python scripts using the Tamr Client as a SAML-only user, in the following way:

  1. Log in to Tamr in your browser, following the appropriate SSO prompts.
  2. Open the list of cookies in your browser. For Chrome you can find this by clicking the “lock” icon to the left of the URL to open the following window.

Then click “Cookies” and expand the entry with your Tamr host. Find the value of authToken and copy it.

  1. During the creation of your Client, set a null auth but set this cookie.
import tamr_unify_client as tuc

my_client = tuc.Client(host="localhost", auth=None)
my_client.session.cookies.set("authToken", <content>)

Now my_client will work until the Tamr user session that was initiated is signed out manually or expires. However, because it will expire after a set time, it is again not recommended for use in regular/scheduled programmatic workflows.