Cloudera Manager

Cloudera Manager is an end-to-end application for managing CDH clusters. The following is an overview of the steps required to configure the Cloudera Manager Web application for single sign-on (SSO) via SAML. Cloudera Manager offers both IdP-initiated SAML SSO (for SSO access through the Admin Portal) and SP-initiated SAML SSO (for SSO access directly through the Cloudera Manager web application).

  1. Prepare Cloudera Manager for single sign-on (see Cloudera Manager requirements for SSO).

  2. Add the application in the Centrify Admin Portal.

    For details, see Adding Cloudera Manager in Admin Portal.

  3. Configure the application for single sign-on in Centrify Admin Portal and on the Cloudera Manager web site.

    You will need to copy some settings from Application Settings in Centrify Admin Portal and paste them into fields on the Cloudera Manager website, and copy some settings from the Cloudera Manager website and paste them into Centrify Admin Portal. For details, see Configuring Cloudera Manager for single sign-on.

Cloudera Manager requirements for SSO

Before you configure the Cloudera Manager web application for SSO, you need the following:

  • Cloudera Enterprise installed.

  • An active Cloudera Manager account for your organization with Full Administrator and User Administrator roles.

  • A signed certificate.

  • Cloudera Security expects a token signing certificate in Java KeyStore format. You can either use the token signing certificate that is available by default for your Privileged Access Service instance or upload your organization's certificate in Centrify. Once you decide which token signing certificate to use, import that certificate into a Java KeyStore file. Cloudera Manager also expects its own private key in the same keystore file; it uses this private key to sign the SAML request. For more information, see:

  • http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_create_key_trust.html#xd_583c10bfdbd326ba--6eed2fb8-14349d04bee--779d

Setting up the certificates for SSO

To establish a trusted connection between the web application and the Privileged Access Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

What you need to know about Cloudera Manager

Each SAML application is different. The following table lists features and functionality specific to Cloudera Manager.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes | However, users can choose to disable this by clearing Show in User App List in Cloudera Manager.
Force user login via SSO only | Yes | Once SAML SSO is enabled, all users are authenticated using SSO by default. However, users who already had a password set before SSO was enabled can log in using this URL: http://<YOUR-CLOUDERA-MANAGER-FQDN>:7180/cmf/localLogin
Separate administrator login after SSO is enabled | Yes | After SSO is enabled, admin and other users who already have a password set, or who are created by the Administrator after SSO is enabled, can log in with this URL: http://<YOUR-CLOUDERA-MANAGER-FQDN>:7180/cmf/localLogin
User or Administrator lockout risk | Yes | All external users created through User Provisioning are blocked if there is any issue with the SSO integration. The only users who can log in using the alternate URL http://<YOUR-CLOUDERA-MANAGER-FQDN>:7180/cmf/localLogin are those who already had a password set before SSO integration, or who are created by the Administrator after SSO is enabled. Administrators can log in with the alternate URL and unblock the users.
Multiple User Types | No |
Self-service password | Yes | Regular users can reset their own passwords. Admins can reset user passwords. Users created through User Provisioning cannot reset their own passwords.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Adding Cloudera Manager in Admin Portal

Configuring Cloudera Manager for single sign-on

Configuring single sign-on in Cloudera Manager

Note:   This section assumes that you have two browser tabs open so that you can copy and paste information back and forth between the two tabs as appropriate:

  • One tab open to the Application Settings page for the Cloudera Manager app in Centrify Admin Portal as described in Adding Cloudera Manager in Admin Portal. If this tab was accidentally closed, you can return to it by navigating to the Centrify Admin Portal and opening the Cloudera Manager app.

  • Another tab open to the Cloudera Manager web page as you are instructed below.

For more information about Cloudera Manager

For more information about configuring Cloudera Manager for SSO, contact Cloudera Manager support.