fix: Update Azure SSO Docs (#8186)

openmetadata-docs/content/deployment/security/azure/bare-metal.md

@@ -5,9 +5,11 @@ slug: /deployment/security/azure/bare-metal
 
 # Azure SSO for Bare Metal
 
-## Update conf/openmetadata.yaml
+Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials).
 
-Once the `Client Id` and `Client Secret` are generated add the `Client Id` in `openmetadata.yaml` file in `client_id` field.
+Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority).
+
+## Update conf/openmetadata.yaml
 
 ```yaml
 authenticationConfiguration:
@@ -15,7 +17,7 @@ authenticationConfiguration:
   publicKeyUrls:
     - "https://login.microsoftonline.com/common/discovery/keys"
   authority: "https://login.microsoftonline.com/{Tenant ID}"
-  clientId: "{Client ID}"
+  clientId: "{Client ID}" # Azure Application
   callbackUrl: "http://localhost:8585/callback"
 ```
 
@@ -42,6 +44,8 @@ Finally, update the Airflow information:
 
 **Before 0.12.1**
 
+Once the `Client Id` and `Client Secret` are generated for Azure SSO Service Application, add in `openmetadata.yaml` file for the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority).
+
 ```yaml
 airflowConfiguration:
   apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080}
@@ -54,7 +58,7 @@ airflowConfiguration:
       clientSecret: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET:-""}
       authority: ${OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL:-""}
       scopes: ${OM_AUTH_AIRFLOW_AZURE_SCOPES:-[]}
-      clientId: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""}
+      clientId: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""} # Azure Service Application
 ```
 
 **After 0.12.1**
@@ -67,5 +71,8 @@ airflowConfiguration:
   metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
 ```
 
-**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
-ingesting data from Airflow.
+<Note>
+
+Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
+
+</Note>

openmetadata-docs/content/deployment/security/azure/docker.md

@@ -9,23 +9,33 @@ To enable security for the Docker deployment, follow the next steps:
 
 ## 1. Create an .env file
 
+Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials).
+
+Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority).
+
 Create an `openmetadata_azure.env` file and add the following contents as an example. Use the information
 generated when setting up the account.
 
 ### 1.1 Before 0.12.1
 
+<Note>
+
+The Object Id will be `<object-id-for-azure-service-application-enterprise-application>` fetched from [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). 
+
+</Note>
+
 ```shell
 # OpenMetadata Server Authentication Configuration
-AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
-AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_CLASS_NAME=org.openmetadata.catalog.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.catalog.security.JwtFilter
 AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
-AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot]
+AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot, {object-id-for-azure-service-application-enterprise-application}]
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 
 AUTHENTICATION_PROVIDER=azure
 AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys]
 AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
-AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 
 # Airflow Configuration
@@ -33,7 +43,7 @@ AIRFLOW_AUTH_PROVIDER=azure
 OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET={Client Secret} # Update with your Client Secret
 OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
 OM_AUTH_AIRFLOW_AZURE_SCOPES=[{scopes}] # Update with your Scopes
-OM_AUTH_AIRFLOW_AZURE_CLIENT_ID={Client Id} # Update with your Client ID
+OM_AUTH_AIRFLOW_AZURE_CLIENT_ID={Client Id} # Update with your Client ID of Azure Service Application
 ```
 
 ### 1.2 After 0.12.1
@@ -49,12 +59,15 @@ AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=azure
 AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys]
 AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
-AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
 
-**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
-ingesting data from Airflow.
+<Note>
+
+Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
+
+</Note>
 
 ## 2. Start Docker
 

openmetadata-docs/content/deployment/security/azure/index.md

@@ -82,9 +82,9 @@ Admin permissions are required to register the application on the Azure portal.
 ### Step 4: Register Another Azure Application
 
 Another Azure Application must be registered for Service ingestion.
-- 
+
 - Provide an application name.
-- Create a `public client redirect URI`.
+- `public client redirect URI` will be blank.
 - Click on Register.
 
 <Image src="/images/deployment/security/azure/register-another-app.png" alt="add-app"/>
@@ -145,16 +145,18 @@ the application access scope.
 
 - The `secret_key` is required for ingestion.
 
-### Step 9: Note down the clientId and Authority
+### Step 9: Note down the information for OpenMetadata configurations
 
-- `clientID`: The Application (Client) ID is displayed in the Overview section of the registered application.
+- `clientID`: The Application (Client) ID is displayed in the Overview section of the registered applications (Azure Application for UI and Azure Service Application if any).
 - `authority`: When passing the details for authority, the Tenant ID is added to the URL as shown
 below. `https://login.microsoftonline.com/TenantID`
 - `clientSecret`: The clientSecret can be accessed from the Certificates & secret section of the application.
+- `scopes`: The scopes for running the ingestion to get token using Client Credentials Flow. This will be in the format of `<application-id-uri>/.default` (Application Id URI will be available from [Step 7](/deployment/security/azure#step-7-set-the-app-id-uri))
+- `object-id`: You can fetch the `object id` of Azure Application created for OpenMetadata Service Application as provided in the below image. This is required for setting the OpenMetadata with YAML configurations as well as Updating Ingestion-Bot from UI. You can find `object id` in Azure `Active Directory >> Enterprise Applications`.
 
-This information is required to configure Airflow.
+<Image src="/images/deployment/security/azure/azure-service-application-object-id.png" alt="object-id" />
 
-<Image src="/images/deployment/security/azure/client-id-and-authority.png" alt="client-id-authority"/>
+This information is required to configure ingestion-bot from OpenMetadata UI from 0.12.1 Release.
 
 After the applying these steps, you can update the configuration of your deployment:
 
@@ -185,7 +187,23 @@ After the applying these steps, you can update the configuration of your deploym
   </InlineCallout>
 </InlineCalloutContainer>
 
-## Configure Ingestion
+### Step 10: Update Ingestion Bot with Azure SSO Service Application
+
+Starting from 0.12.1, Navigate to `Settings >> Bots >> ingestion-bot` and click on edit.
+
+<Image src="/images/deployment/security/azure/update-ingestion-bot-service-application.png"/>
+
+Update the Auth Mechanism as Azure SSO and update `Email`, `ClientSecret`, `ClientId`, `Authority`, and `Scopes` as mentioned in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority).
+
+The `Email` will be in the format of `<object-id-for-azure-service-application-enterprise-application>@<your-domain-name>`.
+
+Next, Click on Save.
+
+<Image src="/images/deployment/security/azure/update-ingestion-bot-service-application.png" />
+
+This will enable all the Service Connector Ingestions created from UI to securely use Azure SSO Service Applications for connecting with OpenMetadata APIs.
+
+## Configure Ingestion from CLI
 
 After everything has been set up, you will need to configure your workflows if you are running them via the
 `metadata` CLI or with any custom scheduler.
@@ -202,8 +220,6 @@ workflowConfig:
       authority: '{your_authority_url}'
       clientId: '{your_client_id}'
       scopes:
-        - your_scopes
+        - <azure-service-application-id-uri>/.default
 
 ```
-
-

openmetadata-docs/content/deployment/security/azure/kubernetes.md

@@ -7,28 +7,38 @@ slug: /deployment/security/azure/kubernetes
 
 Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata).
 
-Once the `Client Id` and `Client Secret` are generated, see the snippet below for an example of where to
-place the client id value and update the authorizer configurations in the `values.yaml`.
+Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials).
+
+Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority).
+
+See the snippet below for an example of where to place the values and update the authorizer configurations in the `values.yaml`.
+
 
 ### Before 0.12.1
 
+<Note>
+
+The Object Id will be `<object-id-for-azure-service-application-enterprise-application>` fetched from [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). 
+
+</Note>
+
 ```yaml
 global:
   authorizer:
-    className: "org.openmetadata.service.security.DefaultAuthorizer"
-    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
+    className: "org.openmetadata.catalog.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
     initialAdmins:
       - "user1"
       - "user2"
     botPrincipals:
-      - "<service_application_client_id>"
+      - "<object-id-for-azure-service-application-enterprise-application>"
     principalDomain: "open-metadata.org"
   authentication:
     provider: "azure"
     publicKeys:
       - "https://login.microsoftonline.com/common/discovery/keys"
     authority: "https://login.microsoftonline.com/{Tenant ID}"
-    clientId: "{Client ID}"
+    clientId: "{Client ID}" # Azure Application
     callbackUrl: "http://localhost:8585/callback"
   airflow:
     openmetadata:
@@ -37,9 +47,9 @@ global:
         clientSecret:
           secretRef: azure-client-secret
           secretKey: azure-client-secret
-        authority: ""
+        authority: "https://login.microsoftonline.com/{Tenant ID}"
         scopes: [ ]
-        clientId: ""
+        clientId: "{Client ID}" # Azure Service Application
 ```
 
 ### After 0.12.1
@@ -53,16 +63,19 @@ global:
       - "user1"
       - "user2"
     botPrincipals:
-      - "<service_application_client_id>"
+      - "ingestion-bot"
     principalDomain: "open-metadata.org"
   authentication:
     provider: "azure"
     publicKeys:
       - "https://login.microsoftonline.com/common/discovery/keys"
     authority: "https://login.microsoftonline.com/{Tenant ID}"
-    clientId: "{Client ID}"
+    clientId: "{Client ID}" # Azure Application
     callbackUrl: "http://localhost:8585/callback"
 ```
 
-**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
-ingesting data from Airflow.
+<Note>
+
+Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
+
+</Note>