From 79af8bf78b8a87eebf7352bdfcd0969a2f98a18a Mon Sep 17 00:00:00 2001 
From: Sriharsha Chintalapani Date: Mon, 7 Oct 2024 02:56:10 -0700 Subject: [PATCH] Update SSO configs to show clear URLs for callback and public keys (#18127) * Update SSO configs * Update security docs to provide clear callback and public key urls --- .../security/amazon-cognito-sso/bare-metal.md | 12 +++- .../security/amazon-cognito-sso/docker.md | 12 +++- .../security/amazon-cognito-sso/kubernetes.md | 11 +++- .../deployment/security/auth0/bare-metal.md | 12 +++- .../deployment/security/auth0/docker.md | 11 +++- .../deployment/security/auth0/kubernetes.md | 11 +++- .../deployment/security/azure/bare-metal.md | 11 +++- .../deployment/security/azure/docker.md | 18 +++++- .../deployment/security/azure/kubernetes.md | 11 +++- .../security/custom-oidc/bare-metal.md | 11 +++- .../deployment/security/custom-oidc/docker.md | 14 ++++- .../security/custom-oidc/kubernetes.md | 11 +++- .../deployment/security/google/bare-metal.md | 11 +++- .../deployment/security/google/docker.md | 11 +++- .../deployment/security/google/kubernetes.md | 11 +++- .../security/keycloak/bare-metal.md | 11 +++- .../deployment/security/keycloak/docker.md | 11 +++- .../security/keycloak/kubernetes.md | 11 +++- .../deployment/security/ldap/bare-metal.md | 9 ++- .../v1.5.x/deployment/security/oidc/index.md | 15 +++-- .../deployment/security/okta/bare-metal.md | 38 ++++--------- .../v1.5.x/deployment/security/okta/docker.md | 56 +++---------------- .../deployment/security/okta/kubernetes.md | 9 ++- .../security/one-login/bare-metal.md | 14 ++++- .../deployment/security/one-login/docker.md | 11 +++- .../security/one-login/kubernetes.md | 11 +++- .../v1.5.x/deployment/security/saml/aws.md | 8 +-- .../v1.5.x/deployment/security/saml/azure.md | 8 +-- .../deployment/security/saml/bare-metal.md | 8 +-- .../v1.5.x/deployment/security/saml/docker.md | 8 +-- .../deployment/security/saml/kubernetes.md | 8 +-- 31 files changed, 271 insertions(+), 143 deletions(-) 
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/bare-metal.md
index 22f0c61427b..7f250581bc7 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/bare-metal.md
@@ -17,12 +17,20 @@ authenticationConfiguration:
   provider: "aws-cognito"
   publicKeyUrls:
     - "https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}/.well-known/jwks.json"
-    - "{your domain}/api/v1/system/config/jwks"
+    - "https://{your domain}/api/v1/system/config/jwks"
   authority: "https://cognito-idp.us-west-1.amazonaws.com/{User Pool ID}"
   clientId: "{Client ID}"
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
+
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 Then,
 - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
 - Update the `principalDomain` to your company domain name.
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/docker.md
index 83de4f083be..5143665c8b3 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/docker.md
@@ -21,12 +21,20 @@ AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=aws-cognito
-AUTHENTICATION_PUBLIC_KEYS=[{Cognito Domain}/{User Pool ID}/.well-known/jwks.json, {your domain}/api/v1/system/config/jwks] # Update with your Cognito Domain and User Pool ID
+AUTHENTICATION_PUBLIC_KEYS=[{Cognito Domain}/{User Pool ID}/.well-known/jwks.json, https://{your domain}/api/v1/system/config/jwks] # Update with your Cognito Domain and User Pool ID
 AUTHENTICATION_AUTHORITY={Cognito Domain}/{User Pool ID} # Update with your Cognito Domain and User Pool ID as follows - https://cognito-idp.us-west-1.amazonaws.com/us-west-1_DL8xfTzj8
 AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+
 ## 2. Start Docker
 
 ```commandline
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/kubernetes.md
index 5978893af45..6113848b44a 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/amazon-cognito-sso/kubernetes.md
@@ -23,11 +23,18 @@ openmetadata:
     authentication:
       provider: "aws-cognito"
       publicKeys:
-      - "{your domain}/api/v1/system/config/jwks"
+      - "https://{your domain}/api/v1/system/config/jwks"
       - "{Cognito Domain}/{User Pool ID}/.well-known/jwks.json" # Update with your Cognito Domain and User Pool ID
       authority: "{Cognito Domain}/{User Pool ID}" # Update with your Cognito Domain and User Pool ID as follows - https://cognito-idp.us-west-1.amazonaws.com/us-west-1_DL8xfTzj8
       clientId: "{Client ID}" # Update with your Client ID
-      callbackUrl: "http://localhost:8585/callback"
+      callbackUrl: "https://{your domain}/callback"
 ```
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/bare-metal.md
index 853d6cbfbaf..eb0038605eb 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/bare-metal.md
@@ -15,12 +15,20 @@ authenticationConfiguration:
   provider: "auth0"
   publicKeyUrls:
     - "https://parth-panchal.us.auth0.com/.well-known/jwks.json"
-    - "{your domain}/api/v1/system/config/jwks" #Make sure this URL is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" #Make sure this URL is always configured to enable JWT tokens
   authority: "https://parth-panchal.us.auth0.com/"
   clientId: "{Client ID}"
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+
 Then,
 - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
 - Update the `principalDomain` to your company domain name.
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/docker.md
index de79089e55d..638d30a360a 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/docker.md
@@ -21,13 +21,20 @@ AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=auth0
-AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json,{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json,https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
 AUTHENTICATION_AUTHORITY={Domain} # Update with your Domain
 AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
 ```
 
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 ## 2. Start Docker
 
 ```commandline
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/kubernetes.md
index 53b83b1beea..112bb63a967 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/auth0/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/auth0/kubernetes.md
@@ -23,11 +23,18 @@ openmetadata:
     authentication:
       provider: "auth0"
       publicKeys:
-      - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+      - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
       - "{Auth0 Domain Name}/.well-known/jwks.json"
       authority: "https://parth-panchal.us.auth0.com/"
       clientId: "{Client ID}"
-      callbackUrl: "http://localhost:8585/callback"
+      callbackUrl: "https://{your domain}/callback"
 ```
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/azure/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/azure/bare-metal.md
index 32d17e13246..69d859a50e9 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/azure/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/azure/bare-metal.md
@@ -15,10 +15,10 @@ authenticationConfiguration:
   provider: "azure"
   publicKeyUrls:
     - "https://login.microsoftonline.com/common/discovery/keys"
-    - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
   authority: "https://login.microsoftonline.com/{Tenant ID}"
   clientId: "{Client ID}" # Azure Application
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
 
 Then,
@@ -27,6 +27,13 @@ Then,
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/azure/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/azure/docker.md
index 5f2ed800a24..ebc9115eb4d 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/azure/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/azure/docker.md
@@ -23,14 +23,28 @@ AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=azure
-AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys, https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
 AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
 AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
 ```
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+
+{% note %}
+
+Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system.
 The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/azure/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/azure/kubernetes.md
index 2ef4e3581ca..7441f8e67fa 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/azure/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/azure/kubernetes.md
@@ -25,15 +25,22 @@ openmetadata:
     authentication:
       provider: "azure"
       publicKeys:
-      - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+      - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
       - "https://login.microsoftonline.com/common/discovery/keys"
       authority: "https://login.microsoftonline.com/{Tenant ID}"
       clientId: "{Client ID}" # Azure Application
-      callbackUrl: "http://localhost:8585/callback"
+      callbackUrl: "https://{your domain}/callback"
 ```
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/bare-metal.md
index b50227d0475..3d102c57557 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/bare-metal.md
@@ -20,12 +20,19 @@ authenticationConfiguration:
   providerName: "KeyCloak"
   publicKeyUrls:
     - "http://localhost:8080/realms/myrealm/protocol/openid-connect/certs"
-    - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
   authority: "http://localhost:8080/realms/myrealm"
   clientId: "{client id}"
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 Then,
 - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
 - Update the `principalDomain` to your company domain name.
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/docker.md
index fed5c537c5d..dce511aaebc 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/docker.md
@@ -22,11 +22,19 @@ AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=custom-oidc
 CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
-AUTHENTICATION_PUBLIC_KEYS=[http://localhost:8080/realms/myrealm/protocol/openid-connect/certs, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+AUTHENTICATION_PUBLIC_KEYS=[http://localhost:8080/realms/myrealm/protocol/openid-connect/certs, https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
 AUTHENTICATION_AUTHORITY={http://localhost:8080/realms/myrealm}
 AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
-```
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
+```
+
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 
 ## 2. Start Docker
 
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/kubernetes.md
index 30b2ba6ade9..e2cddc01693 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/custom-oidc/kubernetes.md
@@ -23,13 +23,20 @@ global:
   authentication:
     provider: "custom-oidc"
     publicKeys:
-    - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
     - "http://localhost:8080/realms/myrealm/protocol/openid-connect/certs"
     authority: "http://localhost:8080/realms/myrealm"
     clientId: "{Client ID}"
-    callbackUrl: "http://localhost:8585/callback"
+    callbackUrl: "https://{your domain}/callback"
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}
 
 ### Troubleshooting
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/google/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/google/bare-metal.md
index 52bc054c3ff..00e33e71bef 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/google/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/google/bare-metal.md
@@ -15,12 +15,19 @@ authenticationConfiguration:
   provider: "google"
   publicKeyUrls:
     - "https://www.googleapis.com/oauth2/v3/certs"
-    - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
   authority: "https://accounts.google.com"
   clientId: "{client id}"
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 Then,
 - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
 - Update the `principalDomain` to your company domain name.
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/google/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/google/docker.md
index 76193b1c7c7..2acbf6e2140 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/google/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/google/docker.md
@@ -22,12 +22,19 @@ AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot]
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=google
-AUTHENTICATION_PUBLIC_KEYS=[https://www.googleapis.com/oauth2/v3/certs, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+AUTHENTICATION_PUBLIC_KEYS=[https://www.googleapis.com/oauth2/v3/certs, https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
 AUTHENTICATION_AUTHORITY=https://accounts.google.com
 AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Google SSO Client ID
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 ### 2. Start Docker
 
 ```commandline
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/google/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/google/kubernetes.md
index b11c2c446f1..593d71d00b9 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/google/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/google/kubernetes.md
@@ -26,10 +26,17 @@ openmetadata:
       provider: "google"
       publicKeys:
       - "https://www.googleapis.com/oauth2/v3/certs"
-      - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+      - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
       authority: "https://accounts.google.com"
       clientId: "{client id}"
-      callbackUrl: "http://localhost:8585/callback"
+      callbackUrl: "https://{your domain}/callback"
 ```
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/bare-metal.md
index 01708e2f17d..7e17676bb27 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/bare-metal.md
@@ -21,10 +21,10 @@ authenticationConfiguration:
   providerName: "KeyCloak"
   publicKeyUrls:
     - "http://localhost:8081/auth/realms/data-sec/protocol/openid-connect/certs"
-    - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+    - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
   authority: "http://localhost:8081/auth/realms/data-sec"
   clientId: "open-metadata"
-  callbackUrl: "http://localhost:8585/callback"
+  callbackUrl: "https://{your domain}/callback"
 ```
 
 Then,
@@ -33,6 +33,13 @@ Then,
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/docker.md
index b67873ae942..3d386584e26 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/docker.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/docker.md
@@ -24,14 +24,21 @@ AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=custom-oidc
 CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
-AUTHENTICATION_PUBLIC_KEYS=[http://localhost:8081/auth/realms/data-sec/protocol/openid-connect/certs, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+AUTHENTICATION_PUBLIC_KEYS=[http://localhost:8081/auth/realms/data-sec/protocol/openid-connect/certs, https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
 AUTHENTICATION_AUTHORITY={http://localhost:8081/auth/realms/data-sec}
 AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
-AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback
 ```
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/kubernetes.md
index 0fa98bf628a..d3b2aa6d1f6 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/kubernetes.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/keycloak/kubernetes.md
@@ -25,15 +25,22 @@ openmetadata:
     authentication:
       provider: "custom-oidc"
       publicKeys:
-      - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+      - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
       - "http://localhost:8081/auth/realms/data-sec/protocol/openid-connect/certs"
       authority: "http://localhost:8081/auth/realms/data-sec"
       clientId: "{Client ID}"
-      callbackUrl: "http://localhost:8585/callback"
+      callbackUrl: "https://{your domain}/callback"
 ```
 
 {% note %}
 
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
+{% note %}
+
 Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
 
 {% /note %}
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/ldap/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/ldap/bare-metal.md
index 23a45eca2d2..76b26e136f6 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/ldap/bare-metal.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/ldap/bare-metal.md
@@ -15,7 +15,7 @@ The following configuration controls the auth mechanism for OpenMetadata. Update
 ```yaml
 authenticationConfiguration:
   provider: ${AUTHENTICATION_PROVIDER:-ldap}
-  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[{your domain}/api/v1/system/config/jwks]} # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
+  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[https://{your domain}/api/v1/system/config/jwks]} # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
   authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
   enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
   ldapConfiguration:
@@ -45,6 +45,13 @@ authenticationConfiguration:
     examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
 ```
 
+{% note %}
+
+`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name
+and please make sure to correctly put http or https depending on your installation.
+
+{% /note %}
+
 For the LDAP auth we need to set:
 
 OpenMetadata Specific Configuration :
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/oidc/index.md b/openmetadata-docs/content/v1.5.x/deployment/security/oidc/index.md
index 548ed8cce73..caec46da210 100644
--- a/openmetadata-docs/content/v1.5.x/deployment/security/oidc/index.md
+++ b/openmetadata-docs/content/v1.5.x/deployment/security/oidc/index.md
@@ -23,7 +23,7 @@ Below are the configuration types to set up the OIDC Authentication with a Confi ```yaml authenticationConfiguration: clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential} - publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} + publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[https://{your domain}/api/v1/system/config/jwks]} oidcConfiguration: id: ${OIDC_CLIENT_ID:-""} type: ${OIDC_TYPE:-""} # google, azure etc. 
@@ -34,17 +34,24 @@ Below are the configuration types to set up the OIDC Authentication with a Confi preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"} responseType: ${OIDC_RESPONSE_TYPE:-"code"} disablePkce: ${OIDC_DISABLE_PKCE:-true} - callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} - serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"} + callbackUrl: ${OIDC_CALLBACK:-"https://{your domain}/callback"} + serverUrl: ${OIDC_SERVER_URL:-"https://{your domain}"} clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"} tenant: ${OIDC_TENANT:-""} maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""} customParams: ${OIDC_CUSTOM_PARAMS:-} ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL`, `OIDC_SERVER_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + # Configuration Parameters ## Public Key Url (publicKeyUrls): -This needs to be updated as per different SSO providers. The default value is `http://localhost:8585/api/v1/system/config/jwks`. This is the URL where the public keys are stored. The public keys are used to verify the signature of the JWT token. +This needs to be updated as per different SSO providers. The default value is `https://{your domain}/api/v1/system/config/jwks`. This is the URL where the public keys are stored. The public keys are used to verify the signature of the JWT token. {%important%} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/okta/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/okta/bare-metal.md index 894c2d6b26f..7c5e3aa845c 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/okta/bare-metal.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/okta/bare-metal.md 
@@ -15,10 +15,10 @@ authenticationConfiguration: provider: "okta" publicKeyUrls: - "{ISSUER_URL}/v1/keys" - - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens + - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens authority: "{ISSUER_URL}" clientId: "{CLIENT_ID - SPA APP}" - callbackUrl: "http://localhost:8585/callback" + callbackUrl: "https://{your domain}/callback" ``` Then, @@ -36,34 +36,10 @@ authorizerConfiguration: principalDomain: "open-metadata.org" ``` -In `0.12.1` the `className` and `containerRequestFilter` must replace `org.openmetadata.catalog` by `org.openmetadata.service`. - -Finally, update the Airflow information: - -**Before 0.12.1** - -```yaml -airflowConfiguration: - apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080} - username: ${AIRFLOW_USERNAME:-admin} - password: ${AIRFLOW_PASSWORD:-admin} - metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api} - authProvider: okta - authConfig: - okta: - clientId: ${OM_AUTH_AIRFLOW_OKTA_CLIENT_ID:-""} - orgURL: ${OM_AUTH_AIRFLOW_OKTA_ORGANIZATION_URL:-""} - privateKey: ${OM_AUTH_AIRFLOW_OKTA_PRIVATE_KEY:-""} - email: ${OM_AUTH_AIRFLOW_OKTA_SA_EMAIL:-""} - scopes: ${OM_AUTH_AIRFLOW_OKTA_SCOPES:-[]} -``` - -**After 0.12.1** - ```yaml pipelineServiceClientConfiguration: apiEndpoint: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://localhost:8080} - metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api} + metadataApiEndpoint: ${SERVER_HOST_API_URL:-https://{your domain}/api} ingestionIpInfoEnabled: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} hostIp: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} healthCheckInterval: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300} 
@@ -79,7 +55,15 @@ pipelineServiceClientConfiguration: # If we need to use SSL to reach Airflow truststorePath: ${AIRFLOW_TRUST_STORE_PATH:-""} truststorePassword: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} + ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + **Note:** Follow [this](/developers/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow. \ No newline at end of file diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/okta/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/okta/docker.md index a9e86f9e262..39980340a3a 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/okta/docker.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/okta/docker.md 
@@ -15,51 +15,6 @@ generated when setting up the account. Note: Make sure to add the Ingestion Client ID for the Service application in `AUTHORIZER_INGESTION_PRINCIPALS`. This can be found in Okta -> Applications -> Applications, Refer to Step 3 for `Creating Service Application`. -### 1.1 Before 0.12.1 - -OM_AUTH_AIRFLOW_OKTA_PRIVATE_KEY to be set as per the example below using the escape sequence for quotes. - -```shell -# OpenMetadata Server Authentication Configuration -AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer -AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter -AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com -AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot, ] -AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain - -AUTHENTICATION_PROVIDER=okta -AUTHENTICATION_PUBLIC_KEYS=[{ISSUER_URL}/v1/keys, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens -AUTHENTICATION_AUTHORITY={ISSUER_URL} # Update with your Issuer URL -AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID -AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback - -# Airflow Configuration -AIRFLOW_AUTH_PROVIDER=okta -OM_AUTH_AIRFLOW_OKTA_CLIENT_ID={OM_AUTH_AIRFLOW_OKTA_CLIENT_ID:-""} -OM_AUTH_AIRFLOW_OKTA_ORGANIZATION_URL={OM_AUTH_AIRFLOW_OKTA_ORGANIZATION_URL:-""} -OM_AUTH_AIRFLOW_OKTA_PRIVATE_KEY=\'{"p":"lorem","kty":"RSA","q":"ipsum","d":"dolor","e":"AQAB","use":"sig","kid":"0oa5p908cltOc4fsl5d7","qi":"lorem","dp":"lorem","alg":"RS256","dq":"ipsum","n":"dolor"}\' -OM_AUTH_AIRFLOW_OKTA_SA_EMAIL={OM_AUTH_AIRFLOW_OKTA_SA_EMAIL:-""} -OM_AUTH_AIRFLOW_OKTA_SCOPES={OM_AUTH_AIRFLOW_OKTA_SCOPES:-[]} -``` - -### 1.2 After 0.12.1 - -```shell -# OpenMetadata Server Authentication Configuration -AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer 
-AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter -AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com -AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot, ] -AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain - -AUTHENTICATION_PROVIDER=okta -AUTHENTICATION_PUBLIC_KEYS={ISSUER_URL}/v1/keys # Update with your Issuer URL -AUTHENTICATION_AUTHORITY={ISSUER_URL} # Update with your Issuer URL -AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID -AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback -``` - -### 1.3 After 0.13.0 ```shell # OpenMetadata Server Authentication Configuration @@ -69,12 +24,19 @@ AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain AUTHENTICATION_PROVIDER=okta -AUTHENTICATION_PUBLIC_KEYS={ISSUER_URL}/v1/keys # Update with your Issuer URL +AUTHENTICATION_PUBLIC_KEYS=[{ISSUER_URL}/v1/keys, https://{your domain}/api/v1/system/config/jwks] # Update with your Issuer URL AUTHENTICATION_AUTHORITY={ISSUER_URL} # Update with your Issuer URL AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID -AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback +AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + **Note:** Follow [this](/developers/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow. diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/okta/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/okta/kubernetes.md index 3e662d780a1..3f6cc60814b 100644 
--- a/openmetadata-docs/content/v1.5.x/deployment/security/okta/kubernetes.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/okta/kubernetes.md @@ -30,7 +30,14 @@ openmetadata: - "{ISSUER_URL}/v1/keys" authority: "{ISSUER_URL}" clientId: "{CLIENT_ID - SPA APP}" - callbackUrl: "http://localhost:8585/callback" + callbackUrl: "https://{your domain}/callback" ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + {% partial file="/v1.5/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/bare-metal.md index b44ce340cac..5bde0b6941d 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/bare-metal.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/bare-metal.md 
@@ -20,12 +20,20 @@ authenticationConfiguration: providerName: "OneLogin" publicKeyUrls: - "{IssuerUrl}/certs" - - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens + - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens authority: "{IssuerUrl}" clientId: "{client id}" - callbackUrl: "http://localhost:8585/callback" + callbackUrl: "https://{your domain}/callback" ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + + Then, - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. - Update the `principalDomain` to your company domain name. @@ -41,4 +49,6 @@ authorizerConfiguration: principalDomain: "open-metadata.org" ``` + + {% partial file="/v1.5/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/docker.md index 0eb86624664..cad6bc0f15c 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/docker.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/docker.md 
@@ -21,12 +21,19 @@ AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain AUTHENTICATION_PROVIDER=custom-oidc -AUTHENTICATION_PUBLIC_KEYS=[{public key url}, {your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens +AUTHENTICATION_PUBLIC_KEYS=[{public key url}, https://{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens AUTHENTICATION_AUTHORITY={issuer url} # Update with your Issuer URL AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID -AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback +AUTHENTICATION_CALLBACK_URL=https://{your domain}/callback ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + ## 2. Start Docker ```commandline diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/kubernetes.md index d68a5bd6c20..c5f9349b3cc 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/one-login/kubernetes.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/one-login/kubernetes.md 
@@ -24,11 +24,18 @@ openmetadata: authentication: provider: "custom-oidc" publicKeys: - - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens + - "https://{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens - "{IssuerUrl}/certs" authority: "{IssuerUrl}" clientId: "{client id}" - callbackUrl: "http://localhost:8585/callback" + callbackUrl: "https://{your domain}/callback" ``` +{% note %} + +`AUTHENTICATION_PUBLIC_KEYS` and `AUTHENTICATION_CALLBACK_URL` refers to https://{your domain} this is referring to your OpenMetdata installation domain name +and please make sure to correctly put http or https depending on your installation. + +{% /note %} + {% partial file="/v1.5/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/saml/aws.md b/openmetadata-docs/content/v1.5.x/deployment/security/saml/aws.md index 8603a2a915b..b601acedb23 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/saml/aws.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/saml/aws.md 
@@ -61,13 +61,13 @@ Security requirements for your **production** environment: entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"} ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"} idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""} - authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + authorityUrl: ${SAML_AUTHORITY_URL:-"https://{your domain}/api/v1/saml/login"} nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} sp: - entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/acs"} - acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + entityId: ${SAML_SP_ENTITY_ID:-"https://{your domain}/api/v1/saml/acs"} + acs: ${SAML_SP_ACS:-"https://{your domain}/api/v1/saml/acs"} spX509Certificate: ${SAML_SP_CERTIFICATE:-""} - callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + callback: ${SAML_SP_CALLBACK:-"https://{your domain}/saml/callback"} security: strictMode: ${SAML_STRICT_MODE:-false} tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/saml/azure.md b/openmetadata-docs/content/v1.5.x/deployment/security/saml/azure.md index 5592724270c..925e2117b9f 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/saml/azure.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/saml/azure.md 
@@ -86,13 +86,13 @@ openssl x509 -in saml.crt -out samlCER.cer -outform DER entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"} ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"} idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""} - authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + authorityUrl: ${SAML_AUTHORITY_URL:-"https://{your domain}/api/v1/saml/login"} nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} sp: - entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/acs"} - acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + entityId: ${SAML_SP_ENTITY_ID:-"https://{your domain}/api/v1/saml/acs"} + acs: ${SAML_SP_ACS:-"https://{your domain}/api/v1/saml/acs"} spX509Certificate: ${SAML_SP_CERTIFICATE:-""} - callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + callback: ${SAML_SP_CALLBACK:-"https://{your domain}/saml/callback"} security: strictMode: ${SAML_STRICT_MODE:-false} tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"} diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/saml/bare-metal.md b/openmetadata-docs/content/v1.5.x/deployment/security/saml/bare-metal.md index 433b2d93b5d..89f071feb45 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/saml/bare-metal.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/saml/bare-metal.md @@ -19,7 +19,7 @@ are divided into the following three sections:- entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"} ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"} idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""} - authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + authorityUrl: ${SAML_AUTHORITY_URL:-"https://{your domain}/api/v1/saml/login"} nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} ``` 
@@ -27,10 +27,10 @@ are divided into the following three sections:- ```yaml sp: - entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/acs"} - acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + entityId: ${SAML_SP_ENTITY_ID:-"https://{your domain}/api/v1/saml/acs"} + acs: ${SAML_SP_ACS:-"https://{your domain}/api/v1/saml/acs"} spX509Certificate: ${SAML_SP_CERTIFICATE:-""} - callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + callback: ${SAML_SP_CALLBACK:-"https://{your domain}/saml/callback"} ``` - Security Config diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/saml/docker.md b/openmetadata-docs/content/v1.5.x/deployment/security/saml/docker.md index ae143fbfc32..9d6d4a54bcb 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/saml/docker.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/saml/docker.md @@ -26,14 +26,14 @@ If you are using an environment variable from an external file in our setup, and SAML_IDP_ENTITY_ID=https://mocksaml.com/api/saml/sso SAML_IDP_SSO_LOGIN_URL=https://saml.example.com/entityid SAML_IDP_CERTIFICATE=/path/to/the/certificate -SAML_AUTHORITY_URL=http://localhost:8585/api/v1/saml/login +SAML_AUTHORITY_URL=https://{your domain}/api/v1/saml/login SAML_IDP_NAME_ID=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress # OpenMetadata Server SP Configuration -SAML_SP_ENTITY_ID=http://localhost:8585/api/v1/saml/acs -SAML_SP_ACS=http://localhost:8585/api/v1/saml/acs +SAML_SP_ENTITY_ID=https://{your domain}/api/v1/saml/acs +SAML_SP_ACS=https://{your domain}/api/v1/saml/acs SAML_SP_CERTIFICATE=/path/to/the/certificate -SAML_SP_CALLBACK=http://localhost:8585/saml/callback +SAML_SP_CALLBACK=https://{your domain}/saml/callback # OpenMetadata Server Security Configuration SAML_STRICT_MODE=false 
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/saml/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/saml/kubernetes.md index 3b540c21d32..2350883f93e 100644 --- a/openmetadata-docs/content/v1.5.x/deployment/security/saml/kubernetes.md +++ b/openmetadata-docs/content/v1.5.x/deployment/security/saml/kubernetes.md @@ -17,14 +17,14 @@ openmetadata: entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"} ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"} idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""} - authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + authorityUrl: ${SAML_AUTHORITY_URL:-"https://{your domain}/api/v1/saml/login"} nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} sp: - entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/acs"} - acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + entityId: ${SAML_SP_ENTITY_ID:-"https://{your domain}/api/v1/saml/acs"} + acs: ${SAML_SP_ACS:-"https://{your domain}/api/v1/saml/acs"} spX509Certificate: ${SAML_SP_CERTIFICATE:-""} - callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + callback: ${SAML_SP_CALLBACK:-"https://{your domain}/saml/callback"} security: strictMode: ${SAML_STRICT_MODE:-false}