
Mapping roles between SSO and Talend Cloud

Issue a POST request at the /security/role-mappings endpoint to create this kind of role mapping.

Before you begin

  • You have defined roles on your SSO platform, as explained in the documentation of your SSO provider, for example,
  • You have configured your application in the system of your SSO provider and enabled SSO from Talend Management Console. For example,
  • When configuring SSO for Talend Management Console, make sure you add the CustomerRoles user attribute along with the other SAML attributes, so that these roles are included in the SAML response sent to Talend Management Console. For example,
    • In Azure, use the pre-defined Azure user.assignedroles property as the value of CustomerRoles.
    • In Okta, use comma (,) to separate multiple role names.
    In the SAML response, these values are included in one of the following formats:
    • In one single AttributeValue line,
      <Attribute Name="CustomerRoles">
           <AttributeValue>BusinessUnitOperator,SuperAdminCorp</AttributeValue>
      </Attribute>
    • In multiple AttributeValue lines,
      <Attribute Name="CustomerRoles">
         <AttributeValue>BusinessUnitOperator</AttributeValue>
         <AttributeValue>SuperAdminCorp</AttributeValue>
      </Attribute>
    The BusinessUnitOperator and SuperAdminCorp roles used in this snippet are for demonstration purposes only.
  • The user or service account to be used to issue the API request must have the TMC_SSO_MANAGEMENT permission.
  • Generate access tokens:

    Once generated, a service account token expires after 30 minutes. If it expires, generate a new token using the POST method at the endpoint https://api.<env>.cloud.talend.com/security/oauth/token. For more information about generating a token, see Generating a service account token.

About this task

In this example, the customer roles to be mapped are Developer and Administrator. Note that these roles are for demonstration purposes only.

Procedure

Issue the following API call to define the role mapping:

Example

method: POST
endpoint: https://api.<env>.cloud.talend.com/security/role-mappings
headers: {
          "Content-Type": "application/json",
          "Authorization": "Bearer <your_personal_access_token_or_service_account_token>"
          }
payload: [
            {
               "name": "Developer",
               "roles": [
                  "API Tester",
                  "API Designer"
               ]
            },
            {
               "name": "Administrator",
               "roles": [
                  "Operator"
               ]
            }
          ]

On the Talend Cloud side of the mapping, you can view the predefined list of roles, add new roles, manage role permissions, and assign roles to users in Users & Security > Roles in Talend Management Console. For further information, see Managing Roles.

Results

Once done, the roles you assign to users in your SSO system are synchronized with the role assignment on Talend Cloud. In this example, a user with the SSO Developer role automatically obtains the API Tester and API Designer roles of Talend Cloud.

Note that for any given user, the roles assigned using this role mapping override those assigned using Just-in-time user provisioning, a classic user identity provisioning option provided in Talend Management Console.
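The following script is an added example, not Talend's own client code. It builds the POST request for the role-mappings endpoint with a valid JSON array body, and it shows how the CustomerRoles attribute from the SAML response (in either of the two formats listed under "Before you begin") resolves to Talend Cloud roles once the example mapping is in place. The sample SAML snippets are constructed, the TALEND_ENV and TALEND_TOKEN environment variables are assumptions, and the "<env>" placeholder must be replaced with your environment name. Attribute values should only be trusted after the SAML response signature has been validated; the parser here works on a constructed sample.

```python
"""Build the Talend Cloud role-mapping request and resolve SSO roles to Talend Cloud roles.

Added example, not Talend's own code. Environment variable names and sample
SAML attributes are assumptions/constructed for illustration.
"""
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

# Assumed environment variable; "<env>" is the page's placeholder for your region.
ENV = os.environ.get("TALEND_ENV", "<env>")
ROLE_MAPPINGS_URL = f"https://api.{ENV}.cloud.talend.com/security/role-mappings"

# The mapping from the page's example: SSO role name -> Talend Cloud roles.
MAPPINGS = [
    {"name": "Developer", "roles": ["API Tester", "API Designer"]},
    {"name": "Administrator", "roles": ["Operator"]},
]


def build_role_mapping_request(token: str, mappings=MAPPINGS) -> urllib.request.Request:
    """Return the POST request for /security/role-mappings.

    The body is the bare JSON array of mappings. Wrapping the array in an
    object ({ [ ... ] }) is not valid JSON and cannot be parsed by the server.
    """
    body = json.dumps(mappings).encode("utf-8")
    return urllib.request.Request(
        ROLE_MAPPINGS_URL,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            # Personal access token or service account token (the latter expires after 30 minutes).
            "Authorization": f"Bearer {token}",
        },
    )


def send(req: urllib.request.Request) -> int:
    """Send the request and return the HTTP status code (network call)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def extract_customer_roles(saml_attribute_xml: str) -> list:
    """Read role names from a CustomerRoles Attribute element.

    Handles both formats the page shows: one comma-separated AttributeValue
    (as Okta sends it) and one AttributeValue per role. Tags are matched on
    their local name, so the SAML 2.0 assertion namespace may or may not be present.
    """
    root = ET.fromstring(saml_attribute_xml)
    roles = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "Attribute" or elem.get("Name") != "CustomerRoles":
            continue
        for value in elem:
            if value.tag.rsplit("}", 1)[-1] != "AttributeValue" or not value.text:
                continue
            roles.extend(r.strip() for r in value.text.split(",") if r.strip())
    return roles


def resolve_talend_roles(customer_roles, mappings=MAPPINGS) -> list:
    """Return the de-duplicated Talend Cloud roles granted by the user's SSO roles.

    SSO roles without a mapping entry (e.g. "Guest" below) grant nothing.
    """
    by_name = {m["name"]: m["roles"] for m in mappings}
    granted = []
    for sso_role in customer_roles:
        for talend_role in by_name.get(sso_role, []):
            if talend_role not in granted:
                granted.append(talend_role)
    return granted


# Constructed sample attributes, modelled on the two formats shown on the page.
SINGLE_VALUE = """<Attribute Name="CustomerRoles">
  <AttributeValue>Developer,Administrator</AttributeValue>
</Attribute>"""

MULTI_VALUE = """<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="CustomerRoles">
  <AttributeValue>Developer</AttributeValue>
  <AttributeValue>Guest</AttributeValue>
</Attribute>"""

if __name__ == "__main__":
    print(resolve_talend_roles(extract_customer_roles(SINGLE_VALUE)))
    print(resolve_talend_roles(extract_customer_roles(MULTI_VALUE)))
    token = os.environ.get("TALEND_TOKEN")  # assumed variable; no request is sent without it
    if token:
        print(send(build_role_mapping_request(token)))
```

Run it with TALEND_ENV and TALEND_TOKEN set to create the mapping; without a token it only prints the resolved roles for the two constructed samples. The unmapped Guest role in the second sample yields nothing, which is the behaviour to expect for SSO roles you have not listed in the payload.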
