---
title: SAML AZURE SSO
slug: /security/saml/azure
collate: true
---

# SAML AZURE SSO
Follow the sections in this guide to set up Azure SSO using SAML.
{% note %}
Security requirements for your production environment:
- Delete the default admin account shipped with OpenMetadata (OM).
- Replace the private/public key pair used to sign JWT tokens, if JWT token support is enabled. Never run production with the keys shipped in the distribution, since anyone with the public packages can mint valid tokens for your instance.
{% /note %}
## Create OpenMetadata application

### Step 1: Configure a new Application in Microsoft Entra ID

- Log in to the Azure Portal as an administrator and search for Microsoft Entra ID.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-1.png" alt="EnterpriseApplications" /%}
- Click on **Enterprise Applications** and then **+ New Application**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-2.png" alt="new-application" /%}
- A new window with the application gallery appears; click **Create your own application**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-3.png" alt="create-own-application" /%}
- Give your application a name, select **Integrate any other application you don't find in the gallery**, and then click **Create**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-4.png" alt="name-application-create" /%}
- Once the application has been created, open it from the list, then click **Single Sign-On** and choose **SAML**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-5.png" alt="saml-create-single-sign-On" /%}
- Edit **Basic SAML Configuration** and populate **Entity ID** (labelled "Identifier (Entity ID)" in the portal) and **Assertion Consumer Service URL** (labelled "Reply URL") as shown below. These values must match exactly, including scheme, host and path, the ones configured on the OpenMetadata server side as `samlConfiguration.sp.entityId` and `samlConfiguration.sp.acs` respectively; any difference causes the login to fail, so copy the values from the server configuration rather than retyping them. After this, click **Save**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-6.png" alt="edit-basic-saml-configuration" /%}
- Click on **Attributes and Claims** and then on the **Required Claim (NameId)** entry.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-7.png" alt="edit-claims" /%}
- You will see the values shown in the image below. The **Source Attribute** must be set to a claim that carries the user's mail address from the IdP: click **Edit**, select **Source Attribute** as `user.mail` or `user.userprincipalname` (in some tenants the User Principal Name is also a mail address), and then click **Save**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-8.png" alt="edit-claim-value" /%}
- To confirm the claim value, open the user's page in Entra ID and check the attribute. In the example below the User Principal Name is the mail address to be used for OpenMetadata, so `user.userprincipalname` is the correct claim. If the UPNs in your tenant are not mail addresses, use `user.mail` instead: the NameID value is what OpenMetadata receives as the user identity, so it must be the user's mail address.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-9.png" alt="user-claim-value" /%}
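Because the Entity ID, ACS URL and NameID claim configured above have to line up with what the OpenMetadata server expects, the following added example (not OpenMetadata or Microsoft code) checks a captured SAML Response against those values. The SP URLs, the tenant GUID in the Issuer and the response itself are constructed placeholders, and cryptographic signature verification is left to the SAML library; the check only confirms that a signature element is present and that the assertion is addressed to the right SP and names a mailbox.

```python
"""Consistency check of a SAML Response against the SP values the guide
says must match: samlConfiguration.sp.entityId, samlConfiguration.sp.acs
and a NameID that carries the user's mail address. Added example, not
OpenMetadata code; URLs, tenant GUID and the response are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Hypothetical SP settings; use the values from your own server configuration.
SP_ENTITY_ID = "https://openmetadata.example.com/api/v1/saml/metadata"
SP_ACS = "https://openmetadata.example.com/api/v1/saml/acs"

# Placeholder signature: this check only tests for its presence.
SIGNATURE_PLACEHOLDER = (f'<ds:Signature xmlns:ds="{NS["ds"]}">'
                         "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>")

# Constructed sample response (zero GUID stands in for the tenant id).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{SP_ACS}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    {SIGNATURE_PLACEHOLDER}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z" Recipient="{SP_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)     # inside the validity window
SAMPLE_LATER = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)  # bearer confirmation expired


def _utc(ts):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def name_id(xml_text):
    """Return the NameID value the SP will treat as the user identity ('' if absent)."""
    root = ET.fromstring(xml_text)
    return (root.findtext("saml:Assertion/saml:Subject/saml:NameID", "", NS) or "").strip()


def check_saml_response(xml_text, entity_id=SP_ENTITY_ID, acs=SP_ACS, now=None):
    """Return the list of problems found; an empty list means the response matches the SP config."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs:  # the IdP posted the response to the wrong Reply URL
        problems.append(f"Destination {root.get('Destination')!r} does not match sp.acs")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain <saml:Assertion> (encrypted assertions are not handled here)")
        return problems
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a <ds:Signature>")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS)
    if audience != entity_id:  # assertion issued for a different SP (Entity ID mismatch)
        problems.append(f"Audience {audience!r} does not match sp.entityId")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("SubjectConfirmationData Recipient does not match sp.acs")
    elif scd.get("NotOnOrAfter") and _utc(scd.get("NotOnOrAfter")) <= now:
        problems.append("bearer SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
    nid = name_id(xml_text)
    if not EMAIL_RE.match(nid):  # wrong Source Attribute on the NameId claim
        problems.append(f"NameID {nid!r} is not a mail address; fix the NameId claim Source Attribute")
    return problems


if __name__ == "__main__":
    print("sample:", check_saml_response(SAMPLE_RESPONSE, now=SAMPLE_NOW) or "ok")
    wrong_sp = SAMPLE_RESPONSE.replace(SP_ENTITY_ID, "https://other.example.com/metadata")
    print("wrong entityId:", check_saml_response(wrong_sp, now=SAMPLE_NOW))
```

To use it on a real login, capture the `SAMLResponse` form field with a browser SAML tracer, base64-decode it and pass the XML to `check_saml_response` with your real `sp.entityId` and `sp.acs`: an `Audience` or `Recipient` problem points back at the Basic SAML Configuration step, a non-mail `NameID` at the claim step.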
{% note %}
Security requirements for your production environment:
- Always communicate with signed messages in both directions: the authentication request from the SP (OpenMetadata) to the IdP and the response from the IdP to the SP.
- For the IdP to validate the signed AuthnRequest coming from the SP, the SP certificate must be added to the IdP.
- Generate the certificate and private key with the commands below and upload only the certificate (the `.cer` file) to the IdP. Keep `saml.pem` private: `-nodes` writes the key unencrypted, so restrict its file permissions and configure it only on the OpenMetadata server. `openssl req` prompts for the subject fields unless you add `-subj "/CN=<your-sp-hostname>"`, and the certificate expires after the 365 days requested here, so plan its rotation.

```bash
openssl req -new -x509 -days 365 -nodes -sha256 -out saml.crt -keyout saml.pem
openssl x509 -in saml.crt -out samlCER.cer -outform DER
```

- Under **Single Sign-On** you will see **SAML Certificates**; click **Verification certificates**.
{% image src="/images/v1.6/deployment/security/saml/azure/saml-azure-11.png" alt="verification-certificate" /%}
- Check **Require verification certificates** and import the `.cer` (DER) certificate generated above. With this enabled, Entra ID rejects authentication requests that are not signed with one of the uploaded certificates, so the private key configured on the SP must be the one that matches the certificate you import.
{% /note %}
Send the Collate team the above information to configure the server.