To start working with the Data Catalog you need to identify yourself. This process is known as authentication and consists of several steps:
You provide some credentials that allow Data Catalog to identify you. According to the authentication method these credentials can be a username and a password, a Kerberos ticket, a SAML assertion, etc.
If there are several Virtual DataPort servers registered in the Data Catalog, you need to select the one you are going to connect to.
The Data Catalog tries to validate your credentials.
If they are correct, you are allowed to enter the Data Catalog. After validating your credentials, the Data Catalog retrieves the roles of your user account and calculates your privileges. These privileges determine the tasks you are allowed to do. This last step is known as authorization.
Each Virtual DataPort server has an associated connection URL, which points to a database. You need the
CONNECTprivilege on that database for the authentication to be correct.
If they are not correct, you will not be able to access the Data Catalog.
The Data Catalog supports the following authentication methods:
Authentication with login and password. To log in, you need to provide a username and a password. The authentication is delegated to the Virtual DataPort you are trying to connect to. Depending on its configuration, Virtual DataPort can resolve the authentication itself or delegate it to an LDAP server.
Single sign-on with Kerberos. The browser automatically provides a Kerberos ticket that identifies the user logged in the system. The Data Catalog sends it to your Kerberos server, typically an Active Directory, which performs the authentication.
Single sign-on with an Identity Provider. The Data Catalog delegates the authentication to an external Identity Provider. Currently, the authentication protocols supported are:
If the administrator enabled single sign-on with Kerberos or with an Identity Provider but you want to log in with user and password go to http://localhost:9090/denodo-data-catalog?auth=login.
You cannot configure Single sign-on with Kerberos and Single sign-on with an Identity Provider at the same time.
One thing that all these authentication methods have in common is that the authentication is delegated to other system, which is the one that manages the user accounts. However, the Data Catalog has an extra authentication method that breaks this rule: local authentication. With the local authentication, a user can log in the Data Catalog only to perform some administration tasks. This user account is the only one managed by the Data Catalog.
Next sections describe these authentication methods in more detail.