
Enabling SSO in Talend Management Console

Configure SSO on your Talend Cloud platform after setting up an application on your SSO provider side.

Before you begin

  • You must have the Security Administrator role in Talend Management Console.
  • You must have the metadata file obtained from the SSO provider.

Procedure

  1. Log in to Talend Management Console.
  2. At the top of the Users & Security page, click Authentication.
  3. Click Configuration.
  4. Enter the SSO provider domain name in the Organization URL field.
    Find this URL in the Identity Provider Single Sign-On URL field of the Applications tab in Okta.
  5. Upload the metadata file you downloaded from the SSO application configuration by clicking the Upload icon.
  6. Inspect the default User attributes. If needed, edit them to match the application configuration specified on the SSO provider side.
    These attributes are propagated to the SAML token used to authenticate users. The application configuration on the SSO provider side must specify these attributes as well as two other attributes:
    • The TalendCloudDomainName attribute that indicates your Talend Cloud domain. You can find the domain name in the Domain field of the Subscription page of your Talend Management Console.
    • The NameId Format attribute that indicates the email address format.
  7. Click Test to check your configuration.
    Note: The test checks that the provided URL and metadata file are valid. It does not guarantee that logging in through this SSO configuration will work.
  8. Optional: Set up user provisioning to automatically create users in Talend Management Console when logging in to a Talend Cloud application via the identity provider.
    • It is recommended to set up SCIM provisioning in your identity provider and map roles between this provider and Talend Cloud. This is the most robust mechanism. For further information, see this example. For demonstration purposes, Azure AD is used as identity provider in the linked example.

      If the Just-in-time user provisioning option is already used when you set up the role mapping, for any given user, the roles assigned by this role mapping override those provided by the just-in-time option.

    • Alternatively, you can toggle the Just-in-time user provisioning option ON in Talend Management Console. This is the classic option provided by Talend Cloud.
      With the Just-in-time user provisioning option, select the default roles to be assigned to every automatically created user. Users are identified using the following format: EmailUsername.EmailDomainName@TalendCloudDomainName. For example, if a user's email is ychen@company.com and they operate in a Talend Cloud domain called support.company.com, their identification is ychen.company.com@support.company.com.
      Note: Make sure that the selected set of default roles poses no security risk for your platform.
  9. Optional: Customize the logout URL. For example, redirect users to a specific page. By default, users are redirected to the Talend Cloud login page when they log out.
    For more information on the format to use for this URL, see the documentation of your SSO provider.
  10. Click Save and Activate.

Results

You can now assign users to this application. They are then able to log in to Talend Cloud through SSO.

Note: Unless the Just-in-time user provisioning option is enabled, you must add users manually on the SSO provider side. If these users already existed in Talend Cloud, make sure that the email address used is the same.

After single sign-on is enabled, you must generate an Access Token in Talend Cloud and use this token inside Talend Studio. For further information about how to generate a token in Talend Cloud, see Generating a Personal Access Token.

Only users with the Security Administrator role can log in to Talend Cloud without using the identity provider.

As a Security Administrator, you can disable the active SSO configuration at any time from this Authentication page by toggling the External single sign-on provider option off. As a consequence, users can only log in using their Talend Cloud username and password. The previous configuration is still saved if you want to enable it again.

What to do next

When the SSO certificate is renewed on your SSO provider side, you must update this certificate on your Talend Cloud platform.

To do this, download the metadata file from your SSO provider again and upload it to Talend Management Console by following the same procedure described above.
