cognito sso (#6407)

openmetadata-docs/content/deployment/security/amazon-cognito-sso/bare-metal.md

@@ -0,0 +1,41 @@
+---
+title: Amazon Cognito SSO for Bare Metal
+slug: /deployment/security/amazon-cognito/bare-metal
+---
+
+# Amazon Cognito SSO for Bare Metal
+
+## Update conf/openmetadata.yaml
+
+Once the User pool and App client are created, add the `client id` to the value of the `clientId` field in the
+`openmetadata.yaml` file. See the snippet below for an example of where to place the `client id` value. Also, configure the
+`publicKeyUrls` and `authority` fields correctly with the User Pool ID from the previous step.
+
+```yaml
+authenticationConfiguration:
+  provider: "aws-cognito"
+  publicKeyUrls:
+    - "https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}/.well-known/jwks.json"
+  authority: "https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}"
+  clientId: "{Client ID}"
+  callbackUrl: "http://localhost:8585/callback"
+```
+
+Then,
+- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
+- Update the `principalDomain` to your company domain name.
+
+```yaml
+authorizerConfiguration:
+  className: "org.openmetadata.catalog.security.DefaultAuthorizer"
+  # JWT Filter
+  containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
+  adminPrincipals:
+    - "user1"
+    - "user2"
+  botPrincipals:
+    - "ingestion-bot"
+  principalDomain: "open-metadata.org"
+```
+
+Finally, update the Airflow information with the JWT token from [Enabling JWT Tokens](/deployment/security/enable-jwt-tokens).

openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md

@@ -0,0 +1,41 @@
+---
+title: Amazon Cognito SSO for Docker
+slug: /deployment/security/amazon-cognito/docker
+---
+
+# Amazon Cognito SSO for Docker
+
+To enable security for the Docker deployment, follow the next steps:
+
+## 1. Create an .env file
+
+Create an `openmetadata.env` file and add the following contents as an example. Use the information
+generated when setting up the account in the previous steps.
+
+```bash
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.catalog.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.catalog.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot]
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=aws-cognito
+AUTHENTICATION_PUBLIC_KEYS=[https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}/.well-known/jwks.json]
+AUTHENTICATION_AUTHORITY=https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}
+AUTHENTICATION_CLIENT_ID={Client ID}
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+
+# Airflow Configuration
+AIRFLOW_AUTH_PROVIDER=openmetadata
+OM_AUTH_JWT_TOKEN=
+```
+
+Finally, update the Airflow information with the JWT token
+from [Enabling JWT Tokens](/deployment/security/enable-jwt-tokens).
+
+## 2. Start Docker
+
+```commandline
+docker compose --env-file ~/openmetadata.env up -d
+```

openmetadata-docs/content/deployment/security/amazon-cognito-sso/index.md

@@ -0,0 +1,90 @@
+---
+title: Amazon Cognito SSO
+slug: /deployment/security/amazon-cognito
+---
+
+# Amazon Cognito SSO
+
+Follow the sections in this guide to set up Amazon Cognito SSO.
+
+<Collapse title="Create Server Credentials">
+
+### Step 1: Login to AWS Portal
+
+- Login to [Amazon AWS Portal](https://aws.amazon.com/).
+- Search for `Cognito` in the search box and select Cognito Service from the dropdown menu.
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-1.png" alt="create-account" caption="Search for Cognito"/>
+
+### Step 2: Setup User Pool
+
+- Click on the "Create user pool" button if you do not have any user pools configured yet. Skip this step if you already have a user pool available. 
+- Select the type of ID providers you want to configure for your users and click "Next"
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-2.png" alt="create-account" caption="Setup User Pool"/>
+
+- Configure the security requirements in Step 2 as per your organizational needs and proceed to Step 3 
+- Configure the Sign-up experience in Step 3. Make sure to add email as a required attribute before proceeding to step 4
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-3.png" alt="create-account" caption="Configure Sign up Experience"/>
+
+- Configure message delivery as per your organizational needs and proceed to Step 5
+- In Step 5, add a name for the user pool and check the "Use the Cognito Hosted UI" option and provide a Cognito domain as shown in the screenshot below
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-4.png" alt="create-account" caption="Integrate your App"/>
+
+- In the same step, select "Public client" for the Initial App client type and configure the Allowed callback URLs
+  with `http://localhost:8585/callback` as shown in the screenshot below. Note: For production deployments, the Allowed
+  callback URLs should be updated with the appropriate domain name.
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-5.png" alt="create-account" caption="Configure the App Client"/>
+
+- The last step is to Review and create the User Pool.
+
+### Step 3: Where to find the Credentials
+
+- The `User Pool ID` can be found in the User Pool summary page as seen in the screenshot below
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-6.png" alt="create-account" caption="User Pool ID"/>
+
+- The App client ID can be found under the "App Integration" tab of the User Pool page. There will be a section that
+  lists all the App clients with client name and client ID as shown below
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-7.png" alt="create-account"/>
+
+<Image src="/images/deployment/security/amazon-cognito-sso/create-server-credentials-8.png" alt="create-account" caption="Client ID"/>
+
+</Collapse>
+
+After the applying these steps, you can update the configuration of your deployment:
+
+<InlineCalloutContainer>
+  <InlineCallout
+    color="violet-70"
+    icon="celebration"
+    bold="Docker Security"
+    href="/deployment/security/amazon-cognito/docker"
+  >
+    Configure Amazon Cognito SSO for your Docker Deployment.
+  </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    icon="storage"
+    bold="Bare Metal Security"
+    href="/deployment/security/amazon-cognito/bare-metal"
+  >
+    Configure Amazon Cognito SSO for your Bare Metal Deployment.
+  </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    icon="fit_screen"
+    bold="Kubernetes Security"
+    href="/deployment/security/amazon-cognito/kubernetes"
+  >
+    Configure Amazon Cognito SSO for your Kubernetes Deployment.
+  </InlineCallout>
+</InlineCalloutContainer>
+
+## Configure Ingestion
+
+The ingestion can be configured by [Enabling JWT Tokens](/deployment/security/enable-jwt-tokens).

openmetadata-docs/content/deployment/security/amazon-cognito-sso/kubernetes.md

@@ -0,0 +1,34 @@
+---
+title: Amazon Cognito SSO for Kubernetes
+slug: /deployment/security/amazon-cognito/kubernetes
+---
+
+# Amazon Cognito SSO for Kubernetes
+
+Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata).
+
+Once the `Client Id` and `Client Secret` are generated, see the snippet below for an example of where to
+place the client id value and update the authorizer configurations in the `values.yaml`.
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.catalog.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
+    initialAdmins:
+      - "user1"
+      - "user2"
+    botPrincipals:
+      - "<service_application_client_id>"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "google"
+    publicKeys:
+      - "https://www.googleapis.com/oauth2/v3/certs"
+    authority: "https://accounts.google.com"
+    clientId: "{client id}"
+    callbackUrl: "http://localhost:8585/callback"
+```
+
+Finally, update the Airflow information with the JWT token
+from [Enabling JWT Tokens](/deployment/security/enable-jwt-tokens).

openmetadata-docs/content/deployment/security/index.md

@@ -55,4 +55,12 @@ please follow the [Quickstart](/quick-start/local-deployment) guide.
   >
     Configure Okta SSO to access the UI and APIs
   </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    bold="Amazon Cognito SSO"
+    icon="add_moderator"
+    href="/deployment/security/amazon-cognito"
+  >
+    Configure Okta SSO to access the UI and APIs
+  </InlineCallout>
 </InlineCalloutContainer>

openmetadata-docs/content/menu.md

@@ -85,6 +85,14 @@ site_menu:
     url: /deployment/security/okta/bare-metal
   - category: Deployment / Enable Security / Okta SSO / Kubernetes
     url: /deployment/security/okta/kubernetes
+  - category: Deployment / Enable Security / Amazon Cognito SSO
+    url: /deployment/security/amazon-cognito
+  - category: Deployment / Enable Security / Amazon Cognito SSO / Docker
+    url: /deployment/security/amazon-cognito/docker
+  - category: Deployment / Enable Security / Amazon Cognito SSO / Bare Metal
+    url: /deployment/security/amazon-cognito/bare-metal
+  - category: Deployment / Enable Security / Amazon Cognito SSO / Kubernetes
+    url: /deployment/security/amazon-cognito/kubernetes
   - category: Deployment / Enable Security / Enable SSL
     url: /deployment/security/enable-ssl
   - category: Deployment / Enable Security / Enable SSL / Use Nginx