Communities
A collaborative platform to connect and grow with like-minded Informaticans across the globe
Product Communities
Connect and collaborate with Informatica experts and champions
Discussions
Have a question? Start a Discussion and get immediate answers you are looking for
User Groups
Customer-organized groups that meet online and in-person. Join today to network, share ideas, and get tips on how to get the most out of Informatica
Get Started
Community Guidelines
Knowledge Center
Troubleshooting documents, product guides, how to videos, best practices, and more
Knowledge Base
One-stop self-service portal for solutions, FAQs, Whitepapers, How Tos, Videos, and more
Support TV
Video channel for step-by-step instructions to use our products, best practices, troubleshooting tips, and much more
Documentation
Information library of the latest product documents
Velocity (Best Practices)
Best practices and use cases from the Implementation team
Learn
Rich resources to help you leverage full capabilities of our products
Trainings
Role-based training programs for the best ROI
Certifications
Get certified on Informatica products. Free, Foundation, or Professional
Product Learning Paths
Free and unlimited modules based on your expertise level and journey
Resources
Library of content to help you leverage the best of Informatica products
Tech Tuesdays Webinars
Most popular webinars on product architecture, best practices, and more
Product Availability Matrix
Product Availability Matrix statements of Informatica products
SupportFlash
Monthly support newsletter
Support Documents
Informatica Support Guide and Statements, Quick Start Guides, and Cloud Product Description Schedule
Product Lifecycle
End of Life statements of Informatica products
Ideas
Events
Change Request Tracking
Marketplace
English
  • Data Engineering Integration H2L
  • All Products

Table of Contents

Search

  1. Abstract
  2. Supported Versions
  3. Enabling SAML Authentication in an Informatica 10.2.x Domain

Enabling SAML Authentication in an Informatica 10.2.x Domain

Enabling SAML Authentication in an Informatica 10.2.x Domain

Back Next

Step 1. Create a Security Domain for Web Application User Accounts

Step 1. Create a Security Domain for Web Application User Accounts

Create a security domain for web application user accounts that will use SAML authentication, and then import each user's LDAP account from Active Directory into the domain.
You must import the LDAP accounts for all users that use SAML authentication into the security domain. After importing the accounts into the domain, assign the appropriate Informatica domain roles, privileges and permissions to the accounts within the LDAP security domain.
  1. In the Administrator tool, click the
    Users
     tab, and then select the
    Security
     view.
  2. Click the
    Actions
     menu and select
    LDAP Configuration
    .
    The
    LDAP Configuration
     dialog box opens.
  3. Click the
    LDAP Connectivity
     tab.
  4. Configure the connection properties for the Active Directory server.
    The following table describes the server connection properties:
    Property
    Description
    Server Name
    Host name or IP address of the Active Directory server.
    Port
    Listening port for the Active Directory server. The default value is 389.
    LDAP Directory Service
    Select Microsoft Active Directory.
    Name
    Distinguished name (DN) for the principal LDAP user. The user name often consists of a common name (CN), an organization (O), and a country (C). The principal user name is an administrative user with access to the directory. Specify a user that has permission to read other user entries in the directory service.
    Password
    Password for the principal LDAP user.
    Use SSL Certificate
    Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol.
    If the LDAP server uses SSL, you must import the certificate into a truststore file on every gateway node within the Informatica domain. You must also set the INFA_TRUSTSTORE and INFA_TRUSTSTORE_PASSWORD environment variables if you do not import the certificate into the default Informatica truststore.
    Trust LDAP Certificate
    Determines whether the Service Manager can trust the SSL certificate of the LDAP server. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate. If not selected, the Service Manager verifies that the SSL certificate is signed by a certificate authority before connecting to the LDAP server.
    Not Case Sensitive
    Indicates that the Service Manager must ignore case sensitivity for distinguished name attributes when assigning users to groups. Enable this option.
    Group Membership Attribute
    Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the distinguished names (DNs) of the users or groups who are members of a group. For example,
    member
     or
    memberof
    .
    Maximum size
    Maximum number of user accounts to import into a security domain.
    If the number of user to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any user. Set this property to a higher value if you have many users to import.
    The default value is 1000.
    The following image shows the connection details for an LDAP server set in the LDAP Connectivity panel of the
    LDAP Configuration
     dialog box.
    The LDAP Connectivity panel of the LDAP Configuration Dialog box contains the LDAP server connection properties.
  5. Click
    Test Connection
     to verify that the connection to the Active Directory server is valid.
  6. Click the
    Security Domains
     tab.
  7. Click
    Add
     to create a security domain.
  8. Enter the security domain properties.
    The following table describes the security domain properties:
    Property
    Description
    Security Domain
    Name of the LDAP security domain. The name is not case sensitive and must be unique within the domain. The name cannot exceed 128 characters or contain the following special characters:
    , + / < > @ ; \ % ?
    The name can contain an ASCII space character except for the first and last character. All other space characters are not allowed.
    User search base
    Distinguished name (DN) of the entry that serves as the starting point to search for user names in the LDAP directory service. The search finds an object in the directory according to the path in the distinguished name of the object.
    In Active Directory, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object.
    For example, to search the Users container that contains user accounts in the example.com Windows domain, specify CN=USERS,DC=EXAMPLE,DC=COM.
    User filter
    An LDAP query string that specifies the criteria for searching for users in Active Directory. The filter can specify attribute types, assertion values, and matching criteria.
    For Active Directory, format the query sting as:
    sAMAccountName=<account>
    Group search base
    Distinguished name (DN) of the entry that serves as the starting point to search for group names in Active Directory.
    Group filter
    An LDAP query string that specifies the criteria for searching for groups in the directory service.
    The following image shows the properties for an LDAP security domain named SAML_USERS set in the Security Domains panel of the
    LDAP Configuration
     dialog box. The user filter is set to import all users beginning with the letter "s".
    The Security Domains panel of the LDAP Configuration Dialog box contains the LDAP security domain properties.
  9. Click
    Synchonize Now
    .
    The security domain appears in the Users view.
  10. Expand the domain in the Navigator to view the imported user accounts.
  11. Set the appropriate roles, privileges, and permissions on the user accounts that will access each web application.
0 COMMENTS
We’d like to hear from you!