Add One Login docs (#6477)

openmetadata-docs/content/deployment/security/auth0/index.md

@@ -51,7 +51,7 @@ Follow the sections in this guide to set up Auth0 SSO.
 
 <Collapse title="Create Service Account">
 
-This section will guide to to create the Ingestion Bot service account.
+This section will guide to create the Ingestion Bot service account.
 
 ### Step 1: Enable Client-Credential
 

openmetadata-docs/content/deployment/security/custom-oidc/index.md

@@ -32,7 +32,7 @@ After the applying these steps, you can update the configuration of your deploym
     bold="Docker Security"
     href="/deployment/security/custom-oidc/docker"
   >
-    Configure Auth0 SSO for your Docker Deployment.
+    Configure Custom OIDC SSO for your Docker Deployment.
   </InlineCallout>
   <InlineCallout
     color="violet-70"
@@ -40,7 +40,7 @@ After the applying these steps, you can update the configuration of your deploym
     bold="Bare Metal Security"
     href="/deployment/security/custom-oidc/bare-metal"
   >
-    Configure Auth0 SSO for your Bare Metal Deployment.
+    Configure Custom OIDC SSO for your Bare Metal Deployment.
   </InlineCallout>
   <InlineCallout
     color="violet-70"
@@ -48,7 +48,7 @@ After the applying these steps, you can update the configuration of your deploym
     bold="Kubernetes Security"
     href="/deployment/security/custom-oidc/kubernetes"
   >
-    Configure Auth0 SSO for your Kubernetes Deployment.
+    Configure Custom OIDC SSO for your Kubernetes Deployment.
   </InlineCallout>
 </InlineCalloutContainer>
 
@@ -63,7 +63,7 @@ When setting up the YAML config for the connector, update the `workflowConfig` a
 workflowConfig:
   openMetadataServerConfig:
     hostPort: 'http://localhost:8585/api'
-    authProvider: auth0
+    authProvider: custom-oidc
     securityConfig:
       clientId: '{your_client_id}'
       secretKey: '{your_client_secret}'

openmetadata-docs/content/deployment/security/index.md

@@ -63,4 +63,12 @@ please follow the [Quickstart](/quick-start/local-deployment) guide.
   >
     Configure Okta SSO to access the UI and APIs
   </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    bold="One Login SSO"
+    icon="add_moderator"
+    href="/deployment/security/one-login"
+  >
+    Configure One Login SSO to access the UI and APIs
+  </InlineCallout>
 </InlineCalloutContainer>

openmetadata-docs/content/deployment/security/one-login/bare-metal.md

@@ -0,0 +1,58 @@
+---
+title: One Login SSO for Bare Metal
+slug: /deployment/security/one-login/bare-metal
+---
+
+# One Login SSO for Bare Metal
+
+## Update conf/openmetadata.yaml
+
+Once the `Client Id` and `Client Secret` are generated add the `Client Id` in `openmetadata.yaml` file in `client_id` field.
+
+Update the providerName config to the name you want to display in the `Sign In` button in the UI. 
+For example, with the following configuration with `providerName` set to `One Login`, the users will see `Sign In with One Login SSO` 
+in the `Sign In` page of the OpenMetadata UI.
+
+```yaml
+authenticationConfiguration:
+  provider: "custom-oidc"
+  providerName: "One Login"
+  publicKeyUrls: 
+    - "{IssuerUrl}/certs"
+  authority: "{IssuerUrl}"
+  clientId: "{client id}"
+  callbackUrl: "http://localhost:8585/callback"
+```
+
+Then, 
+- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
+- Update the `principalDomain` to your company domain name.
+
+```yaml
+authorizerConfiguration:
+  className: "org.openmetadata.catalog.security.DefaultAuthorizer"
+  # JWT Filter
+  containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
+  adminPrincipals:
+    - "user1"
+    - "user2"
+  botPrincipals:
+    - "ingestion-bot"
+  principalDomain: "open-metadata.org"
+```
+
+Finally, update the Airflow information with the Secret Key
+
+```yaml
+airflowConfiguration:
+  apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080}
+  username: ${AIRFLOW_USERNAME:-admin}
+  password: ${AIRFLOW_PASSWORD:-admin}
+  metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
+  authProvider: custom-oidc
+  authConfig:
+    customOidc:
+      clientId: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID:-""}
+      secretKey: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY_PATH:-""}
+      tokenEndpoint: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL:-""}
+```

openmetadata-docs/content/deployment/security/one-login/docker.md

@@ -0,0 +1,43 @@
+---
+title: One Login SSO for Docker
+slug: /deployment/security/one-login/docker
+---
+
+# One Login SSO for Docker
+
+To enable security for the Docker deployment, follow the next steps:
+
+## 1. Create an .env file
+
+Create an `openmetadata_onelogin.env` file and add the following contents as an example. Use the information
+generated when setting up the account.
+
+```yaml
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME: org.openmetadata.catalog.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER: org.openmetadata.catalog.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS: [ admin ]  # Your `name` from name@domain.com
+AUTHORIZER_INGESTION_PRINCIPALS: [ ingestion-bot ]
+AUTHORIZER_PRINCIPAL_DOMAIN: open-metadata.org
+
+AUTHENTICATION_PROVIDER: custom-oidc
+AUTHENTICATION_PUBLIC_KEYS:
+  - {public key url}
+AUTHENTICATION_AUTHORITY: {issuer url}
+AUTHENTICATION_CLIENT_ID: {Client ID}
+AUTHENTICATION_CALLBACK_URL: http://localhost:8585/callback
+
+# Airflow Configuration
+AIRFLOW_AUTH_PROVIDER: custom-oidc
+OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID: Client Id
+# Make sure to add the path where the file is saved in the Airflow Volume
+# It needs to be reachable locally by the container
+OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY_PATH: Secret Key Path
+OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL: endpoint
+```
+
+## 2. Start Docker
+
+```commandline
+docker compose --env-file ~/openmetadata_onelogin.env up -d
+```

openmetadata-docs/content/deployment/security/one-login/index.md

@@ -0,0 +1,104 @@
+---
+title: One Login SSO
+slug: /deployment/security/one-login
+---
+
+# One Login SSO
+
+Follow the sections in this guide to set up One Login SSO.
+
+<Collapse title="Create Server Credentials">
+
+### Step 1: Configure a new Application
+
+- Login to [OneLogin](https://www.onelogin.com/) as an administrator and click on Applications
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-1.png" alt="create-account"/>
+
+- Click on the `Add App` button and search for `openid connect`
+- Select the `OpenId Connect (OIDC)` app
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-2.png" alt="create-account"/>
+
+- Change the Display Name of the app to `Open Metadata` and click `Save`
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-3.png" alt="create-account"/>
+
+- Configure the login Url (`http(s)://<domain>/signin`) and redirect URI (`http(s)://<domain>/callback`) as shown below
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-4.png" alt="create-account"/>
+
+- Configure the users in the organization that can access OpenMetadata app by clicking on the `Users`
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-5.png" alt="create-account"/>
+
+- Click on "SSO" and select `None (PKCE)` for Token Endpoint.
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-6.png" alt="create-account"/>
+
+### Step 2: Where to find the Credentials
+
+- Go to "SSO" and copy the Client ID 
+
+<Image src="/images/deployment/security/one-login/create-server-credentials-7.png" alt="create-account"/>
+
+- Copy the Issuer URL
+
+</Collapse>
+
+<Collapse title="Create Service Account">
+
+### Create Secret Key
+
+- Navigate to "SSO" settings of the application and click on `Show client secret` to copy the secret key
+
+<Image src="/images/deployment/security/one-login/create-service-account.png" alt="create-account"/>
+
+</Collapse>
+
+After the applying these steps, you can update the configuration of your deployment:
+
+<InlineCalloutContainer>
+  <InlineCallout
+    color="violet-70"
+    icon="celebration"
+    bold="Docker Security"
+    href="/deployment/security/one-login/docker"
+  >
+    Configure One Login SSO for your Docker Deployment.
+  </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    icon="storage"
+    bold="Bare Metal Security"
+    href="/deployment/security/one-login/bare-metal"
+  >
+    Configure One Login SSO for your Bare Metal Deployment.
+  </InlineCallout>
+  <InlineCallout
+    color="violet-70"
+    icon="fit_screen"
+    bold="Kubernetes Security"
+    href="/deployment/security/one-login/kubernetes"
+  >
+    Configure One Login SSO for your Kubernetes Deployment.
+  </InlineCallout>
+</InlineCalloutContainer>
+
+## Configure Ingestion
+
+After everything has been set up, you will need to configure your workflows if you are running them via the 
+`metadata` CLI or with any custom scheduler.
+
+When setting up the YAML config for the connector, update the `workflowConfig` as follows:
+
+```yaml
+workflowConfig:
+  openMetadataServerConfig:
+    hostPort: 'http://localhost:8585/api'
+    authProvider: custom-oidc
+    securityConfig:
+      clientId: '{your_client_id}'
+      secretKey: '{your_client_secret}'
+      domain: '{your_domain}'
+```

openmetadata-docs/content/deployment/security/one-login/kubernetes.md

@@ -0,0 +1,39 @@
+---
+title: One Login SSO for Kubernetes
+slug: /deployment/security/one-login/kubernetes
+---
+
+# One Login SSO for Kubernetes
+
+Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata).
+
+Once the `Client Id` and `Client Secret` are generated, see the snippet below for an example of where to
+place the client id value and update the authorizer configurations in the `values.yaml`.
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.catalog.security.DefaultAuthorizer"
+    # JWT Filter
+    containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
+    initialAdmins: 
+    - "suresh"
+    botPrincipals: 
+    - "ingestion-bot"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "custom-oidc"
+    publicKeys: 
+    - "{IssuerUrl}/certs"
+    authority: "{IssuerUrl}"
+    clientId: "{client id}"
+    callbackUrl: "http://localhost:8585/callback"
+  airflow:
+    openmetadata:
+      authProvider: "custom-oidc"
+      customOidc:
+        clientId: ""
+        # absolute path of secret file on airflow instance
+        secretKeyPath: ""
+        tokenEndpoint: ""
+```

openmetadata-docs/content/menu.md

@@ -93,6 +93,14 @@ site_menu:
     url: /deployment/security/amazon-cognito/bare-metal
   - category: Deployment / Enable Security / Amazon Cognito SSO / Kubernetes
     url: /deployment/security/amazon-cognito/kubernetes
+  - category: Deployment / Enable Security / One Login SSO
+    url: /deployment/security/one-login
+  - category: Deployment / Enable Security / One Login SSO / Docker
+    url: /deployment/security/one-login/docker
+  - category: Deployment / Enable Security / One Login SSO / Bare Metal
+    url: /deployment/security/one-login/bare-metal
+  - category: Deployment / Enable Security / One Login SSO / Kubernetes
+    url: /deployment/security/one-login/kubernetes
   - category: Deployment / Enable Security / Enable SSL
     url: /deployment/security/enable-ssl
   - category: Deployment / Enable Security / Enable SSL / Use Nginx