
Enable SAML Authentication in a Domain

Configure the identity provider, the Informatica domain, and the nodes within the domain to use SAML authentication.
To configure SAML authentication for supported Informatica web applications that run in a domain, perform the following tasks:
  1. Create an LDAP configuration to connect to the LDAP identity store that contains Informatica web application user accounts. You also create an LDAP security domain, and then import the user accounts into the security domain.
  2. Export the assertion signing certificate from the identity provider.
  3. Import the assertion signing certificate into a truststore file on each gateway node in the domain. You can import the certificate into the Informatica default truststore file, or into a custom truststore file.
  4. Add one or more relying party trusts or service providers in the identity provider.
  5. Add the URL for each Informatica web application to the identity provider.
  6. Enable SAML authentication in the domain.
  7. Enable SAML authentication on every node in the domain.
Note: For several of the SAML identity providers that Informatica supports, you can follow detailed integration steps in a How-To Library (H2L) article. See Supported Identity Providers for links to the articles.

Create an LDAP Configuration for the Identity Provider or LDAP Store

Use the Administrator tool to create an LDAP configuration for the identity provider or LDAP store that contains the web application user accounts that use SAML authentication.
When you create an LDAP configuration, you create a security domain for the user accounts, and then import the accounts into the security domain. After you import the accounts into the security domain, assign the appropriate Informatica domain roles, privileges and permissions to the accounts in the security domain.
For more information about creating an LDAP configuration, see Creating an LDAP Configuration.

Export the Assertion Signing Certificate

The identity provider signs the assertions of authenticity that it sends to service providers, and the assertion signing certificate is what a service provider uses to verify those signatures.
A signed assertion contains a signature that the identity provider creates, using an algorithm chosen by the identity provider administrator. Informatica then verifies the signature using the corresponding public certificate that the domain administrator imported into the SAML truststore.
Informatica recommends that you enable signed assertions.
Export the assertion signing certificate from the identity provider so that the domain can verify signed assertions.

Import the Certificate into the Truststore Used for SAML Authentication

Import the assertion signing certificate used by the identity provider into the truststore file used for SAML authentication on every gateway node within the Informatica domain.
You can import the certificate into the default Informatica truststore file, or into a custom truststore file.
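The following script is an added example, not Informatica tooling, that reproduces the trust relationship described in the two preceding sections: a self-signed key pair stands in for the identity provider's assertion signing certificate, a constructed assertion is signed with the private key, and the domain side verifies it using only the public certificate (the artifact that lives in the truststore), then shows that a tampered assertion fails verification. It assumes openssl is on the PATH; the keytool import into a JKS truststore is a demonstration of the import step and is skipped when no JDK is installed, and all file names and the alias are placeholders.

```shell
#!/bin/sh
# Added example: emulate IdP-side signing and domain-side verification of a SAML assertion.
# Assumes openssl; keytool is optional. All paths, names and the alias are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Identity-provider side: create the assertion signing key and certificate.
#    In a real deployment you export this certificate from the IdP instead.
make_idp_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example-idp" \
    -keyout "$WORK/idp-signing.key" -out "$WORK/idp-signing.crt" >/dev/null 2>&1
}

# 2. Identity-provider side: sign a constructed assertion with the private key.
sign_assertion() {
  printf '<Assertion><Subject>alice</Subject></Assertion>' > "$WORK/assertion.xml"
  openssl dgst -sha256 -sign "$WORK/idp-signing.key" \
    -out "$WORK/assertion.sig" "$WORK/assertion.xml"
}

# 3. Domain side: verify with the public certificate only (what the truststore holds).
#    Returns 0 when the signature over "$1" is valid, 1 otherwise.
verify_assertion() {
  openssl x509 -in "$WORK/idp-signing.crt" -pubkey -noout > "$WORK/idp-signing.pub"
  if openssl dgst -sha256 -verify "$WORK/idp-signing.pub" \
       -signature "$WORK/assertion.sig" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# 4. Modify the signed assertion so that verification must fail.
tamper_assertion() {
  sed 's/alice/mallory/' "$WORK/assertion.xml" > "$WORK/tampered.xml"
}

# 5. Import the certificate into a custom JKS truststore (the page's import step).
#    Skipped, with success, when keytool is not installed. Password is a placeholder.
import_into_truststore() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -alias example-idp \
    -file "$WORK/idp-signing.crt" -keystore "$WORK/custom_truststore.jks" \
    -storepass changeit >/dev/null 2>&1
}
```

The same verification path is what breaks when the identity provider rotates its signing certificate, so re-import the new certificate on every gateway node as part of the rotation.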

Configure the Identity Provider

Configure the identity provider to issue SAML tokens to Informatica web applications.
Perform the following tasks to configure the identity provider: add one or more relying party trusts or service providers, and then add the URL for each Informatica web application that uses SAML authentication.
You provide the name of the relying party trust when you enable SAML authentication in a domain. Depending on your security requirements, you might create multiple relying party trusts in the identity provider to enable domains used by different organizations within the enterprise to use SAML authentication.
Informatica recognizes "Informatica" as the default relying party trust name. If you create a single relying party trust with "Informatica" as the relying party trust name, you do not need to provide the relying party trust name when you enable SAML authentication in a domain.
Note: All strings are case sensitive in the identity provider, including URLs.

Add Informatica Web Application URLs to the Identity Provider

Add the URL for each Informatica web application using SAML authentication to the identity provider.
You provide the URL for an Informatica web application to enable the identity provider to accept authentication requests sent by the application. Providing the URL also enables the identity provider to send the SAML token to the application after authenticating the user.

Set Up SAML Authentication in the Domain

You can set up SAML authentication in an existing Informatica domain, or you can enable it when you create a domain.
When you enable a domain to use SAML authentication, all web applications that run in the domain use the default identity provider you specify when you enable SAML authentication in the domain.
Select one of the following options:
Enable SAML authentication when you run the Informatica installer.
You can enable SAML authentication and specify the identity provider URL when you configure the domain as part of the installation process.
Enable SAML authentication in an existing domain.
Use the infasetup updateDomainSamlConfig command to enable SAML authentication in an existing Informatica domain. You can run the command on any gateway node within the domain.
Enable SAML authentication when you create a domain.
Use the infasetup defineDomain command to enable SAML authentication when you create a domain.
See the Informatica Command Reference for instructions on using the commands.

Enable SAML Authentication on the Nodes

You must configure SAML authentication on every gateway and worker node in the Informatica domain.
Select one of the following options to configure SAML authentication on a gateway node:
Enable SAML authentication when you define a gateway node on a machine.
Use the infasetup DefineGatewayNode command to enable SAML authentication on the gateway node.
Enable SAML authentication when you configure a gateway node to join a domain that uses SAML authentication.
Use the infasetup UpdateGatewayNode command to enable SAML authentication on the gateway node.
Enable SAML authentication when you convert a worker node to a gateway node.
Use the isp SwitchToGatewayNode command to enable SAML authentication on the node.
Select one of the following options to configure SAML authentication on a worker node:
Enable SAML authentication when you define a worker node on a machine.
Use the infasetup DefineWorkerNode command to enable SAML authentication on the worker node.
Enable SAML authentication when you configure a worker node to join a domain that uses SAML authentication.
Use the infasetup UpdateWorkerNode command to enable SAML authentication on the worker node.
See the Informatica Command Reference for instructions on using the commands.