
# Auth0 SSO

Follow the sections in this guide to set up Auth0 SSO.

{%important%}

Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM in case you had [Basic Authentication](/deployment/security/basic-auth)
  enabled before configuring the authentication with Auth0 SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide
  by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.

{%/important%}

## Create Server Credentials

### Step 1: Create the Account

- If you don't have an account, [Sign up](https://auth0.com/signup) to create one.
- Select the Account Type, i.e., Company or Personal
- Click I need advanced settings and click next.

{% image 
src="/images/v1.0.0/deployment/security/auth0/create-account-1.png" 
alt="create-account" /%}

- Provide the Tenant Domain, select the region and click on Create Account.

{% image 
src="/images/v1.0.0/deployment/security/auth0/create-account-2.png" 
alt="create-account" /%}

- Once done, you will land on the dashboard page.

{% image
src="/images/v1.0.0/deployment/security/auth0/create-account-3.png" 
alt="create-account" /%}

### Step 2: Create a New Application

- Once you are on the Dashboard page, click on `Applications > Applications` available on the left-hand side panel.

{% image 
src="/images/v1.0.0/deployment/security/auth0/create-new-app-1.png" 
alt="create-app" /%}

- Click on `Create Application`.

{% image 
src="/images/v1.0.0/deployment/security/auth0/create-new-app-2.png" 
alt="create-app" /%}

- Enter the Application name.
- Choose an application type and click on `Create`.

{% image 
src="/images/v1.0.0/deployment/security/auth0/create-new-app-3.png" 
alt="create-app" /%}

### Step 3: Where to Find the Credentials

- Navigate to the Settings tab. 
- You will find your `Client ID`, `Client Secret` and `Domain`.

{% image 
src="/images/v1.0.0/deployment/security/auth0/credentials.png" 
alt="credentials" /%}

## Create Service Account (optional)

This is a guide to create ingestion bot service account. This step is optional if you configure the ingestion-bot with
the JWT Token, you can follow the documentation of [Enable JWT Tokens](/deployment/security/enable-jwt-tokens).

### Step 1: Enable Client-Credential

- Go to your project dashboard.

{% image 
src="/images/v1.0.0/deployment/security/auth0/enable-client-credential-1.png" 
alt="client" /%} 

- Navigate to `Applications > Applications`

{% image 
src="/images/v1.0.0/deployment/security/auth0/enable-client-credential-2.png" 
alt="client" /%} 

- Select your application from the list.

{% image 
src="/images/v1.0.0/deployment/security/auth0/enable-client-credential-3.png" 
alt="client" /%}

- Once selected, scroll down until you see the `Application Properties` section.
- Change the Token Endpoint `Authentication Method` from `None` to `Basic`.

{% image 
src="/images/v1.0.0/deployment/security/auth0/enable-client-credential-4.png" 
alt="client" /%}

- Now scroll further down to the section on `Advanced Settings`.
- Click on it and select `Grant Types`.
- In the `Grant Types`, check the option for `Client Credentials`.

{% image src="/images/v1.0.0/deployment/security/auth0/enable-client-credential-5.png" alt="client"/>

- Once done, click on `Save Changes`.

### Step 2: Authorize the API with our Application.

- Navigate to `Applications > APIs` from the left menu.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-1.png" alt="auth" /%}

- You will see the `Auth0 Management API`.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-2.png" alt="auth" /%}

- Click on the `Auth0 Management API`.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-3.png" alt="auth" /%}

- Click on the `Machine to Machine Applications` tab.
- You will find your application listed below.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-4.png" alt="auth" /%}

- Click on the toggle to authorize.
- Once done you will find a down arrow, click on it.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-5.png" alt="auth" /%}

- Select the permissions (scopes) that should be granted to the client.
- Click on `Update`.

{% image src="/images/v1.0.0/deployment/security/auth0/authorize-api-6.png" alt="auth" /%}

After the applying these steps, you can update the configuration of your deployment:

{% inlineCalloutContainer %}
  {% inlineCallout
    color="violet-70"
    icon="celebration"
    bold="Docker Security"
    href="/deployment/security/auth0/docker" %}
    Configure Auth0 SSO for your Docker Deployment.
  {% /inlineCallout %}
  {% inlineCallout
    color="violet-70"
    icon="storage"
    bold="Bare Metal Security"
    href="/deployment/security/auth0/bare-metal" %}
    Configure Auth0 SSO for your Bare Metal Deployment.
  {% /inlineCallout %}
  {% inlineCallout
    color="violet-70"
    icon="fit_screen"
    bold="Kubernetes Security"
    href="/deployment/security/auth0/kubernetes" %}
    Configure Auth0 SSO for your Kubernetes Deployment.
  {% /inlineCallout %}
{% /inlineCalloutContainer %}

## Configure Ingestion

After everything has been set up, you will need to configure your workflows if you are running them via the 
`metadata` CLI or with any custom scheduler.

When setting up the YAML config for the connector, update the `workflowConfig` as follows:

```yaml
workflowConfig:
  openMetadataServerConfig:
    hostPort: 'http://localhost:8585/api'
    authProvider: auth0
    securityConfig:
      clientId: '{your_client_id}'
      secretKey: '{your_client_secret}'
      domain: '{your_domain}'
```