Skip to main content

SAML SSO

Security requirements for your production environment:
  • DELETE the admin default account shipped by OM.
  • UPDATE the Private / Public keys used for the JWT Tokens in case it is enabled.

Configuring Identity Provider and Service Provider

Identity Provide (IDP) Configuration

  • Every IDP will have the following information
  1. EntityId/Authority -> Same as IDP Openmetadata has an Entity Id
  2. SignOn Url -> Service Provider SignOn Url
  3. X509 Certificate -> In case the SP expects (wantAuthnRequestSigned) then provide certificate for validating.
  4. Authority Url -> We just need to update the domain localhost.
  5. NameID: This is sent as part of request and is provided by the IDP.
Every IDP provides this information, we can download the XML Metadata and configure the OM taking the values from the XML.

Service Provider (SP) Configuration

  • Openmetadata is the service provider, we just update the localhost to the hosted URI.
  1. EntityId/Authority -> Normally a Url providing info about the provider.
  2. SignOn Url -> Url to be used for signing purpose.
  3. X509 Certificate -> In case the SP expects a signed response from IDP, the IDP can be configured with Signing Certificate given by SP.
  4. Private Key -> In case SP expects a encrypted response from the IDP , the IDP can be configured with SPs public key for encryption and the Private Key can be used for SP for decrypting.
When configuring the Private Key for the Service Provider, ensure you use the actual key content enclosed within the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- block. Avoid using the Base64-encoded format of the key, as this is not the expected value.
idp:
      entityId: ${SAML_IDP_ENTITY_ID:-"<ID>"}
      ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"<SSO_LOGIN_URL"}
      idpX509Certificate: ${SAML_IDP_CERTIFICATE:-"-----BEGIN PRIVATE KEY-----<Certificate>-----END PRIVATE KEY-----"}
      authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
      nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"}
To add a private key, you need to include it in the keystore and update the configuration details accordingly here.
  security:
    keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-"/path/to/keystore.jks"}
    keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-"myKeystoreAlias"}
    keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-"myKeystorePassword"}
SP Metadata XML is available at “http://localhost:8585/api/v1/saml/acs”, localhost needs to be updated with the correct URI.

Security Configuration

Security Configuration controls the SP requirement for the Security related aspects. The SP can be configured to send signed or encrypted or both request , and in return can also expect signed or encrypted or both responses from the IDP.

Setup JWT Configuration

Jwt Configuration is mandatory for Saml SSO.
Security requirements for your production environment:
  • UPDATE the Private / Public keys used for the JWT Tokens the ones shipped with OM are for POC only.
More specific details on different IDPs can be found below:

AWS Saml

Configure AWS as IDP.

Azure Saml

Configure AWS as IDP.

Configure Ingestion

Once your server security is set, it’s time to review the ingestion configuration. Our bots support JWT tokens to authenticate to the server when sending requests. Find more information on Enabling JWT Tokens and JWT Troubleshooting to ensure seamless authentication.