deployment

No menu items for this category
Home/Deployment/Security/Keycloak

Keycloak SSO

Follow the sections in this guide to set up Keycloak SSO.

Security requirements for your production environment:

  • DELETE the admin default account shipped by OM in case you had Basic Authentication enabled before configuring the authentication with Keycloak SSO.
  • UPDATE the Private / Public keys used for the JWT Tokens. The keys we provide by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.

Create Server Credentials

Step 1: Access the Keycloak Admin Console

  • You need an administrator account. If you don't have, see Creating the first administrator.
  • Go to the URL for the Admin Console. For example, for localhost, use this URL: http://localhost:8080/admin/
login-page
  • Enter the username and password you created.

Step 2: Change Realm selected

  • The Keycloak use Realms as the primary form of organization, we can't use the realm "master" for new clients (apps), only for administration, so change for your specific realm or create a new.
  • In this example we are used an existing one called "Data-sec".
change-realm

Step 3: Create OpenMetadata as a new Client

  • Click on Clients in the menu.
  • Click on Create button.
  • Enter the Client ID and Protocol as the image.
  • Click on Save button.
add-client

Step 4: Edit settings of the client

  • Change "Access Type" value from "public" to "confidential".
  • Change "implicit flow" and "service accounts" to enabled.
edit-settings-client
  • At the bottom of the same settings page, change the configurations to the openmetadata address.
  • The image below shows different possibilities, such as running locally or with a custom domain.
edit-settings-url.png
  • Click on Save button.

Note: Scopes openid, email & profile are required to fetch the user details so you will have to add these scopes in your client.

Step 5: Where to Find the Credentials

  • Navigate to the Credentials tab.
  • You will find your Client Secret related to the Client id "open-metadata"
client-credentials

After the applying these steps, the users in your realm are able to login in the openmetadata, as a suggestion create a user called "admin-user". Now you can update the configuration of your deployment:

Docker Security

Configure Keycloak SSO for your Docker Deployment.

Bare Metal Security

Configure Keycloak SSO for your Bare Metal Deployment.

Kubernetes Security

Configure Keycloak SSO for your Kubernetes Deployment.

A dockerized demo for showing how this SSO works with OpenMetadata can be found here.

Configure Ingestion

Once your server security is set, it's time to review the ingestion configuration. Our bots support JWT tokens to authenticate to the server when sending requests.

Find more information on Enabling JWT Tokens.