User Authentication Overview

User authentication in the Informatica domain depends on the type of authentication that you configure when you install the Informatica services.
The Informatica domain can use the following types of authentication to authenticate users in the Informatica domain:
  • Native user authentication
  • LDAP user authentication
  • Kerberos network authentication
  • Security Assertion Markup Language (SAML)-based single sign-on
Native user accounts are stored in the Informatica domain and can only be used within the Informatica domain.
LDAP and Kerberos user accounts are stored in an LDAP directory service and are shared by applications within the enterprise.
SAML-based single sign-on authenticates users against account credentials stored in Microsoft Active Directory. Accounts are imported from Active Directory into a security domain within the Informatica domain.
You can select the type of authentication to use in the Informatica domain during installation. If you enable Kerberos authentication during installation, you must configure the Informatica domain to work with the Kerberos key distribution center (KDC). You must create the service principal names (SPNs) required by the Informatica domain in the Kerberos principal database. The Kerberos principal database can be an LDAP directory service. You must also create keytab files for the SPNs and store them in the Informatica directory as required by the Informatica domain.
If you do not enable Kerberos authentication during installation, the installer configures the Informatica domain to use native authentication. After installation, you can set up a connection to an LDAP server and configure the Informatica domain to use LDAP authentication in addition to native authentication.
You can use native authentication and LDAP authentication together in the Informatica domain. The Service Manager authenticates the users based on the security domain. If a user belongs to the native security domain, the Service Manager authenticates the user in the domain configuration repository. If the user belongs to an LDAP security domain, the Service Manager passes the user name and password to the LDAP server for authentication.
You cannot use native authentication with Kerberos authentication. If the Informatica domain uses Kerberos authentication, all user accounts must be in LDAP security domains. The Kerberos server authenticates a user account when the user logs in to the network. The Informatica client applications use the credentials from the network login to authenticate users in the Informatica domain. Native groups and roles are still supported.
You can enable SAML-based single sign-on for Informatica web applications during installation, or after installation. However, you must complete all required set up tasks before enabling SAML-based single sign-on. You cannot enable SAML-based single sign-on in an Informatica domain configured to use Kerberos authentication.
When the Informatica domain resides on-premises and not on an AWS EC2 instance, you cannot use the EMRFS authentication protocol in integration with Amazon EMR.
You can encrypt the user-credential token with the unique site key. To encrypt the user-credential token, set the environment variable infaEnableAdvancedEncryptionSchemeForCredential to true. For native and LDAP user authentication, after the user is successfully authenticated, the encrypted credential token is used instead of the user password.