User Authentication Overview
User authentication in the Informatica domain depends on the type of authentication that you configure when you install the Informatica services.
The Informatica domain can use the following types of authentication to authenticate users in the Informatica domain:
- Native user authentication
- LDAP user authentication
- Kerberos network authentication
- Security Assertion Markup Language (SAML)-based single sign-on
Native user accounts are stored in the Informatica domain and can only be used within the Informatica domain.
LDAP and Kerberos and user accounts are stored in an LDAP directory service and are shared by applications within the enterprise.
SAML-based single sign-on authenticates users against account credentials stored in Microsoft Active Directory. Accounts are imported from Active Directory into a security domain within the Informatica domain.
You can select the type of authentication to use in the Informatica domain during installation. If you enable Kerberos authentication during installation, you must configure the Informatica domain to work with the Kerberos key distribution center (KDC). You must create the service principal names (SPN) required by the Informatica domain in the Kerberos principal database. The Kerberos principal database can be an LDAP directory service. You must also create keytab files for the SPNs and store it in the Informatica directory as required by the Informatica domain.
If you do not enable Kerberos authentication during installation, the installer configures the Informatica domain to use native authentication. After installation, you can set up a connection to an LDAP server and configure the Informatica domain to use LDAP authentication in addition to native authentication.
You can use native authentication and LDAP authentication together in the Informatica domain. The Service Manager authenticates the users based on the security domain. If a user belongs to the native security domain, the Service Manager authenticates the user in the domain configuration repository. If the user belongs to an LDAP security domain, the Service Manager passes the user name and password to the LDAP server for authentication.
You cannot use native authentication with Kerberos authentication. If the Informatica domain uses Kerberos authentication, all user accounts must be in LDAP security domains. The Kerberos server authenticates a user account when the user logs in to the network. The Informatica client applications use the credentials from the network login to authenticate users in the Informatica domain. Native groups and roles are still supported.
You can enable SAML-based single sign-on for Informatica web applications during installation, or after installation. However you must complete all required set up tasks before enabling SAML-based single sign-on. You cannot enable SAML-based single sign-on in an Informatica domain configured to use Kerberos authentication.