OneLogin SSO

Follow the sections in this guide to set up OneLogin SSO.

Security requirements for your production environment:

  • DELETE the admin default account shipped by OM in case you had Basic Authentication enabled before configuring the authentication with OneLogin SSO.
  • UPDATE the Private / Public keys used for the JWT Tokens. The keys we provide by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.
  • Login to OneLogin as an administrator and click on Applications
  • Click on the Add App button and search for openid connect
  • Select the OpenId Connect (OIDC) app
  • Change the Display Name of the app to Open Metadata and click Save
  • Configure the login Url (http(s)://<domain>/signin) and redirect URI (http(s)://<domain>/callback) as shown below
  • Configure the users in the organization that can access OpenMetadata app by clicking on the Users
  • Click on "SSO" and select None (PKCE) for Token Endpoint.
  • Go to "SSO" and copy the Client ID
  • Copy the Issuer URL

This step is optional if you configure the ingestion-bot with the JWT Token, you can follow the documentation of Enable JWT Tokens.

  • Navigate to "SSO" settings of the application and click on Show client secret to copy the secret key

After the applying these steps, you can update the configuration of your deployment:

After everything has been set up, you will need to configure your workflows if you are running them via the metadata CLI or with any custom scheduler.

Note that OneLogin SSO is a layer on top of Custom OIDC.

When setting up the YAML config for the connector, update the workflowConfig as follows: