
# OneLogin SSO | OpenMetadata Authentication Setup

> Configure OneLogin as your authentication source to manage user roles, sessions, and tokens across secure deployments.

# OneLogin SSO

Follow the sections in this guide to set up OneLogin SSO.

<Tip>
  Security requirements for your **production** environment:

  * **DELETE** the default admin account shipped by OM if you had [Basic Authentication](/v1.12.x/deployment/security/basic-auth)
    enabled before configuring authentication with OneLogin SSO.
  * **UPDATE** the Private / Public keys used for the [JWT Tokens](/v1.12.x/deployment/security/enable-jwt-tokens). The keys we provide
    by default are intended only for quickstart and testing purposes. They should NEVER be used in a production installation.
</Tip>

## Create Server Credentials

### Step 1: Configure a new Application

* Log in to [OneLogin](https://www.onelogin.com/) as an administrator and click on Applications

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-1.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=91e995436818fa985c80ad66326711ba" alt="create-account" width="3456" height="340" data-path="public/images/deployment/security/one-login/create-server-credentials-1.png" />

* Click on the `Add App` button and search for `openid connect`
* Select the `OpenId Connect (OIDC)` app

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-2.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=5dc1d70ab6685af801f5eff6bcca4951" alt="create-account" width="3456" height="614" data-path="public/images/deployment/security/one-login/create-server-credentials-2.png" />

* Change the Display Name of the app to `Open Metadata` and click `Save`

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-3.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=26c55d36886417049b5fd34fbc3c470a" alt="create-account" width="3428" height="1354" data-path="public/images/deployment/security/one-login/create-server-credentials-3.png" />

* Configure the Login URL (`http(s)://<domain>/signin`) and Redirect URI (`http(s)://<domain>/callback`) as shown below

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-4.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=3eedebbad122ac41cc5707ef264e7c15" alt="create-account" width="3456" height="1536" data-path="public/images/deployment/security/one-login/create-server-credentials-4.png" />

* Configure the users in the organization that can access the OpenMetadata app by clicking on `Users`

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-5.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=3fff8ea03e690bb593a0b27203cab15f" alt="create-account" width="3440" height="1180" data-path="public/images/deployment/security/one-login/create-server-credentials-5.png" />

* Click on "SSO" and select `None (PKCE)` for Token Endpoint.

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-6.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=c9f130a1facacb2538597aeff43d07a1" alt="create-account" width="3424" height="1612" data-path="public/images/deployment/security/one-login/create-server-credentials-6.png" />

### Step 2: Where to find the Credentials

* Go to "SSO" and copy the Client ID

<img src="https://mintcdn.com/openmetadata/wxU3MWLfPXUnxtaP/public/images/deployment/security/one-login/create-server-credentials-7.png?fit=max&auto=format&n=wxU3MWLfPXUnxtaP&q=85&s=4397fa24c0d9b3026cbdb1d135e29c84" alt="create-account" width="3424" height="1612" data-path="public/images/deployment/security/one-login/create-server-credentials-7.png" />

* Copy the Issuer URL

After applying these steps, you can update the configuration of your deployment:

<CardGroup cols={3}>
  <Card title="Docker Security" href="/v1.12.x/deployment/security/one-login/docker">
    Configure OneLogin SSO for your Docker Deployment.
  </Card>

  <Card title="Bare Metal Security" href="/v1.12.x/deployment/security/one-login/bare-metal">
    Configure OneLogin SSO for your Bare Metal Deployment.
  </Card>

  <Card title="Kubernetes Security" href="/v1.12.x/deployment/security/one-login/kubernetes">
    Configure OneLogin SSO for your Kubernetes Deployment.
  </Card>
</CardGroup>

## Configure Ingestion

Once your server security is set, it's time to review the ingestion configuration. Our bots support JWT tokens
to authenticate to the server when sending requests.

Find more information on [**Enabling JWT Tokens**](/deployment/security/enable-jwt-tokens) and [**JWT Troubleshooting**](/deployment/security/jwt-troubleshooting) to ensure seamless authentication.
