Hue SAML group mapping

New Contributor

I'm testing Hue - SAML integration.
SAML login now works, but all users land in Hue with "default" group.

Is there a way to assign Hue groups and permissions based on SAML attributes?

Accepted Solutions

Re: Hue SAML group mapping

Super Guru

@MichalAR ,

 

Right, so SAML can be used for Authentication and then LDAP for user/group sync.

If you are not using LDAP for authentication, then "Create LDAP users on login" won't impact you.

If you want to prevent the creation of a Hue user for a new user login, you can set the following:

[libsaml]
create_users_on_login=False

 

If you do that, though, you need to be sure that you have all of your users already in Hue before they authenticate; otherwise, they will get an error.

 

If you would like to leave create_users_on_login "True" but change the default group membership, you can adjust the "default" group that is set for new users.

 

To do so, set:

 

[useradmin]
default_user_group=<name_of_your_preferred_group>

 

That way, you don't prevent users from authenticating via SAML if they don't already exist as Hue users, but you can restrict the resources they can access.

 

It's just another thing to consider that may help you achieve the type of configuration you want.
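The two settings in the answer above decide what happens on a user's first SAML login, and that can be checked against a hue.ini before rollout. The following is an added example, not part of the original reply and not Hue's own code: the function names and the sample file are constructed, and it assumes, as the thread describes, that an unset configuration auto-creates users into the "default" group.

```python
# Added example: report how a hue.ini handles first-time SAML logins.
# Assumption (from the thread): when unset, users are auto-created into "default".

SAMPLE_HUE_INI = """\
# Constructed sample for illustration, not a real deployment.
[desktop]
  [[auth]]
  backend=libsaml.backend.SAML2Backend

[libsaml]
  create_users_on_login=True

[useradmin]
  ## default_user_group=default
"""


def read_settings(text):
    """Return {(section, key): value} for keys directly under a top-level
    [section]. Keys in nested [[subsection]] blocks and # comments are skipped."""
    settings, section, nested = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            nested = True
        elif line.startswith("["):
            section, nested = line.strip("[] "), False
        elif section and not nested and "=" in line:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings


def audit_saml_onboarding(text, assumed_group="default"):
    """Classify the first-login behaviour described in the thread."""
    s = read_settings(text)
    create = s.get(("libsaml", "create_users_on_login"), "true").lower() == "true"
    group = s.get(("useradmin", "default_user_group"), assumed_group)
    if not create:
        # Unknown users are rejected, so accounts must exist beforehand.
        return {"posture": "preprovision-only", "new_user_group": None}
    if group.startswith("<"):
        # The thread's <name_of_your_preferred_group> placeholder was left unedited.
        return {"posture": "placeholder-not-replaced", "new_user_group": group}
    posture = "auto-create-into-default" if group == assumed_group else "auto-create-into-custom"
    return {"posture": posture, "new_user_group": group}
```

A result of "auto-create-into-default" means every identity the IdP asserts receives whatever permissions the "default" group carries, so that group's permissions are worth reviewing alongside this check.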

 

 

3 REPLIES 3

Re: Hue SAML group mapping

Super Guru

Hi @MichalAR ,

 

Hue does not support group mapping based on SAML attributes at this time.

For now, the general workaround is to use LDAP sync if possible to automate user group membership.

 

 

 

Re: Hue SAML group mapping

New Contributor

Hi @bgooley ,
So I can have SAML login + LDAP group sync?
I assume "Create LDAP users on login" should be disabled in that case?
