OpenMetadata/openmetadata-docs/content/v1.6.x/security-collate/saml/azure.md

title	slug	collate
SAML AZURE SSO	/security/saml/azure	true

SAML AZURE SSO

Follow the sections in this guide to set up Azure SSO using SAML.

{% note %}

Security requirements for your production environment:

• DELETE the admin default account shipped by OM.
• UPDATE the Private / Public keys used for the JWT Tokens in case it is enabled.

{% /note %}

Create OpenMetadata application

Step 1: Configure a new Application in Microsoft Entra ID

• Login to Azure Portal as an administrator and search for Microsoft Entra ID.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-1.png" alt="EnterpriseApplications" /%}

• Click on Enterprise Applications and then + New Application .

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-2.png" alt="new-application" /%}

• After that a new window will appear with different applications, click on Create your own application.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-3.png" alt="create-own-application" /%}

• Give your application a name and select Integrate any other application you don't find in the gallery and then click Create.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-4.png" alt="name-application-create" /%}

• Once you have the application created, open the app from list , and then click on Single Sign-On and then SAML.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-5.png" alt="saml-create-single-sign-On" /%}

• Edit Basic SAML Configuration and populate the values as shown below for EntityId and Assertion Consumer Service Url. These value should match the one configured with Openmetadata Server side for samlConfiguration.sp.entityId and samlConfiguration.sp.acs respectively. After this click Save.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-6.png" alt="edit-basic-saml-configuration" /%}

• Click on Attributes and Claims and click on the Required Claim (NameId).

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-7.png" alt="edit-claims" /%}

• You will see the values as below image, we need to set the value Source Attribute to a user mail value claim from the IDP. Click on Edit and then select the Source Attribute as user.mail or user.userprincipalname (in some cases this is also a mail) and then click Save.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-8.png" alt="edit-claim-value" /%}

• To Confirm the claim value we can navigate to user page and check the value of the user. In my case as you can see User Princpal Name is a my mail which i want to use for Openmetadata , so for me user.userprincipalname would be correct claim.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-9.png" alt="user-claim-value" /%}

{% note %}

Security requirements for your production environment:

• You must always communicate via signed Request for both request from SP to IDP and response from IDP to SP.

• To do so we need to add SP certificate to IDP , so that IDP can validate the signed Auth Request coming from SP.

• Generate the certificate using below command and then upload the certificate to IDP.

openssl req -new -x509 -days 365 -nodes -sha256 -out saml.crt -keyout saml.pem
openssl x509 -in saml.crt -out samlCER.cer -outform DER

• Under Single Sign-On you will see SAML Certificates, click on Verification Certificates.

{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-11.png" alt="verification-certificate" /%}

• You can then check the Require Verification Certificates and import the certification with .cer format we generated previously.

{% /note %}

Send the Collate team the above information to configure the server.