mirror of
https://github.com/open-metadata/OpenMetadata.git
synced 2025-08-31 12:39:01 +00:00
2.1 KiB
2.1 KiB
| title | slug |
|---|---|
| Okta SSO for Bare Metal | /deployment/security/okta/bare-metal |
Okta SSO for Bare Metal
Update conf/openmetadata.yaml
Once the Client Id and Client Secret are generated add the Client Id in openmetadata.yaml file in client_id field.
{% note noteType="Warning" %}
It is important to leave the publicKeys configuration to have both Okta public keys URL and OpenMetadata public keys URL.
- Okta SSO Public Keys are used to authenticate User's login
- OpenMetadata JWT keys are used to authenticate Bot's login
- Important to update the URLs documented in below configuration. The below config reflects a setup where all dependencies are hosted in a single host. Example openmetadata:8585 might not be the same domain you may be using in your installation.
- OpenMetadata ships default public/private key, These must be changed in your production deployment to avoid any security issues.
For more details, follow Enabling JWT Authenticaiton
{% /note %}
authenticationConfiguration:
provider: "okta"
publicKeyUrls:
- "{ISSUER_URL}/v1/keys"
- "http://openmetadata:8585/api/v1/system/config/jwks"
authority: "{ISSUER_URL}"
clientId: "{CLIENT_ID - SPA APP}"
callbackUrl: "http://localhost:8585/callback"
- Update
authorizerConfigurationto add login names of the admin users in section as shown below. Make sure you configure the name from email, example: xyz@helloworld.com, initialAdmins username will be ```xyz`` - Update the
principalDomainto your company domain name. Example from above, principalDomain should behelloworld.com
authorizerConfiguration:
className: "org.openmetadata.service.security.DefaultAuthorizer"
# JWT Filter
containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
adminPrincipals:
- "user1"
- "user2"
principalDomain: "open-metadata.org"
{% note noteType="Tip" %}
Follow this guide to configure the ingestion-bot credentials for ingesting data using Connectors.
{% /note %}