Manage OAuth Authentication
Configuration of Talend Data Catalog to support an external SSO environment requires working with your System Administrator. In this mode, the system default login page is disabled and not presented. It must be replaced by an external authentication login system.
Administrators can always log in, even in External Authentication Mode, using the dedicated administrator rescue login URL: http://localhost:<port>/MM/Auth?nativeLogin, where <port> is the HTTP port that Talend Data Catalog responds on.
The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, including providing mechanisms for user authentication.
Talend Data Catalog supports the OAuth 2.0 protocol for external authentication.
Upon external authentication (OAuth), a valid user is created in the system (if not already there) based upon those credentials from the external authentication authority and will then be in MANAGE > Users. Thus, there is no need to import users in these external authentication scenarios.
Set OAuth Authentication
Steps
- Sign in as a user with at least the Security Administrator capability global role assignment.
- Go to MANAGE > Users in the banner.
- Select OAuth from the Authentication pull-down.
Example
Sign in as Administrator.
Go to Tools > Administration > Users.
Select OAuth from the Authentication pull-down.
Configure OAuth Authentication
Steps
- Sign in as a user with at least the Security Administrator capability global role assignment.
- Go to MANAGE > Users in the banner.
- Select OAuth from the Authentication pull-down.
- Click Configure Authentication.
Example
Sign in as an Administrator.
Go to MANAGE > Users in the banner.
Select OAuth from the Authentication pull-down.
Click Configure Authentication.
Configure the OAuth Server
In order to enable an external authentication server using the OAuth 2.0 protocol, the Administrator needs to configure the OAUTH server. The following example shows the Configure OAUTH Server editor parameters using the Google server.
Steps
- Sign in as a user with at least the Application Administrator capability global role assignment.
- Go to MANAGE > Users in the banner.
- Click Configure Authentication.
- Go to the Connection tab.
Example
The user needs to obtain OAuth 2.0 client credentials, such as the Client Id and Client Secret, from the external authentication server (for example, Google or Facebook).
Besides the Client Id and Client Secret, the OAUTH Server configuration also requires the external authentication server's Authentication URI, Token URI and a few other parameters:
- Authentication URI: a URI on the external authentication server that handles the user authentication. The result is an authorization code, which the application can exchange for an access token and a refresh token.
- Token URI: a URI on the external authentication server that exchanges the authentication code for an access token.
- Validation URI: a URI on the external authentication server that validates the access token and provides access to the user’s account.
- Scope: One or more scope values indicating which parts of the user’s account an access token permits.
Go to the Attribute Mappings tab to define user attribute mappings.
Go to the Group Assignment tab to auto-assign groups based upon the OAuth security model.
Add an External Authentication User
External authentication users are automatically created/updated by successful external authentication login. They are assigned groups according to the rules provided by the authentication system, or the guest group by default.
One may specify additional group assignments manually (see Assign a group to a user).
Request Headers
The Request Headers tab specifies extra parameters to be added to the HTTP requests that Talend Data Catalog sends to the external authentication server.
Steps
- Sign in as a user with at least the Application Administrator capability global role assignment.
- Go to MANAGE > Users in the banner.
- Click Configure Authentication.
- Go to the Request Headers tab.
- Click the Add action icon.
OAuth authentication workflow
- A Client submits an authentication request via the User Interface of a Resource Server
- The Resource Server presents the Client with an Authorization Grant, and redirects the Client to the Authorization Server
- The Client requests an Access Token from the Authorization Server using the Authorization Grant Code
- The Client logs in to the Authorization Server, and if the code is valid, the Client gets an Access Token that can be used to request a protected resource from the Resource Server
- After receiving a request for a protected resource with an accompanying Access Token, the Resource Server verifies the validity of the token directly with the Authorization Server
- If the token was valid, the Authorization Server sends information about the Client to the Resource Server
Signing in with Google
In this case the Talend Data Catalog application server is the Resource Server, the Google Authorization Server is the Authorization Server, and the end user is the Client. The OAuth server configuration parameters should look like those in the screenshots in the Configure the OAuth Server section.
Once you have specified OAuth External Authentication Mode:
- Talend Data Catalog presents the end user with an Authorization Grant, and redirects the end user to the Google Authorization Server’s Authentication URI https://accounts.google.com/o/oauth2/auth. The scope values “email profile” indicate that the application is not requesting access to the user’s Google data, only the user’s email address and basic profile information.
- The end user requests an Access Token from the Google Authorization Server’s Token URI https://accounts.google.com/o/oauth2/token, using the Authorization Grant Code.
- The end user logs in to the Google Authorization Server, and if the code is valid, the end user gets an Access Token that can be used to request a protected resource from Talend Data Catalog.
- After receiving a request for a protected resource with an accompanying Access Token, Talend Data Catalog verifies the validity of the token and gets the user’s name and other profile info directly with the Google Authorization Server by sending a validation request to the Google Authorization Server’s Validation/User Info URI https://www.googleapis.com/oauth2/v3/userinfo using the Access token.
- If the access token is valid, the Google Authorization Server sends information about the end user, based on the scope values, to Talend Data Catalog. Below is an example of the data in JSON.
{
  "sub": "110248495921238986420",
  "name": "Aaron Parecki",
  "given_name": "Aaron",
  "family_name": "Parecki",
  "picture": "https://lh4.googleusercontent.com/-kw-iMgD_j34/AAAAAAAAAAI/AAAAAAAAAAc/P1YY91tzesU/photo.jpg",
  "email": "aaron.parecki@okta.com",
  "email_verified": true,
  "locale": "en",
  "hd": "okta.com"
}
Using the given User Attribute Mapping, Google's name attribute is mapped to this product's login and full name attributes, Google's sub attribute is mapped to the distinguished name attribute in Talend Data Catalog, and Google's email attribute is mapped to the email attribute in Talend Data Catalog.
- Talend Data Catalog logs the end user into the system and grants the protected resource to the user based on the end user’s roles.
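The six-step workflow and the Google sign-in above, as an added offline walk-through that is not Talend Data Catalog's own code: a constructed in-memory stub stands in for the Google Authorization Server, and the resource-server side applies the User Attribute Mapping and default group assignment exactly as the text describes them (the sample User Info is abridged from the JSON above; the single-use treatment of grant codes is standard OAuth 2.0 behaviour, not a setting in the editor).

```python
import secrets

# User Info response abridged from the JSON shown above (page data).
SAMPLE_USERINFO = {"sub": "110248495921238986420", "name": "Aaron Parecki",
                   "email": "aaron.parecki@okta.com", "email_verified": True}
# User Attribute Mapping from the text: TDC attribute -> Google claim.
ATTRIBUTE_MAPPING = {"login": "name", "full_name": "name",
                     "distinguished_name": "sub", "email": "email"}

class StubAuthorizationServer:
    """In-memory stand-in for the Google Authorization Server (constructed)."""
    def __init__(self, client_id, client_secret, userinfo):
        self.client_id, self.client_secret = client_id, client_secret
        self.userinfo, self.codes, self.tokens = userinfo, set(), set()

    def authorize(self, client_id, scope):
        """Authentication URI: hands back an Authorization Grant Code."""
        if client_id != self.client_id or scope != "email profile":
            raise PermissionError("unknown client or unexpected scope")
        code = secrets.token_urlsafe(16)
        self.codes.add(code)
        return code

    def token(self, client_id, client_secret, code):
        """Token URI: exchanges a single-use grant code for an Access Token."""
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            raise PermissionError("client credentials rejected")
        if code not in self.codes:
            raise PermissionError("grant code invalid or already redeemed")
        self.codes.discard(code)  # a grant code must never be replayable
        access_token = secrets.token_urlsafe(24)
        self.tokens.add(access_token)
        return access_token

    def userinfo_for(self, access_token):
        """Validation/User Info URI: validates the token, returns the profile."""
        if access_token not in self.tokens:
            raise PermissionError("access token invalid")
        return dict(self.userinfo)

def external_login(server, client_id, client_secret, groups=None):
    """Resource-server side (Talend Data Catalog's role): run the exchange,
    then build the user record per the attribute mapping and group rules."""
    code = server.authorize(client_id, "email profile")
    access_token = server.token(client_id, client_secret, code)
    info = server.userinfo_for(access_token)
    # A claim missing from the mapping raises KeyError: no partial accounts.
    user = {tdc: info[claim] for tdc, claim in ATTRIBUTE_MAPPING.items()}
    user["groups"] = list(groups) if groups else ["guest"]  # guest by default
    return user
```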
Signing in with Microsoft Azure Active Directory Web API
In this case the Talend Data Catalog application server is the Resource Server, the Azure Active Directory (Azure AD) Web API is the Authorization Server, and the end user is the Client. The OAuth server configuration parameters look like the following:
The {tenant} value in the path of the request can be used to control who can sign in to the application. The allowed values are tenant identifiers, for example 8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com, or common for tenant-independent tokens. The OAuth authentication workflow with the Azure AD Web API is similar to the workflow with the Google Authorization Server.