4.1.2 Configure SSO for OpenMetadata

Prerequisites:
  • Ensure that you have access to the IDCS domain.
  • Note down the IP address or host name of the server where OM is installed.

To configure SSO in installed OpenMetadata (OM):
  1. Create a private application.
  2. Enable the Client Credentials and Authorization Code grant flows in the private application.
    The following authorization grants must be enabled:
    • Implicit
    • Authorization code
    • Client credentials
  3. Provide the Redirect URL, Post-logout redirect URL and Logout URL when configuring the private application.
    For example:
    • Redirect URL: http(s)://<OM IP/FQDN>:8585/silent-callback and http(s)://<OM IP/FQDN>:8585/callback
    • Post-logout redirect URL: http(s)://<OM IP/FQDN>:8585/signin
    • Logout URL: http(s)://<OM IP/FQDN>:8585/api/v1/users/logout
  4. Enable client access in the domain.
  5. Copy the Client ID and Client Secret from the General Information section of the private application.
    The Client ID and Client Secret are used during installation for the following properties: OPENMETADATA_IDCS_APPLICATION_CLIENT_ID and OPENMETADATA_IDCS_APPLICATION_CLIENT_SECRET.
  6. Copy the Domain URL from the Overview section.
  7. Add relevant users to the private application.
    Ensure that STSA and OM are on the same SAML or IDCS domain.
  8. Update the SSO Configuration. To do so:
    1. If you are using Single Sign-On (SSO), locate the authenticationConfiguration section and configure the SSO provider details:
      authenticationConfiguration:
        provider: ${AUTHENTICATION_PROVIDER:-"custom-oidc"}
        responseType: ${AUTHENTICATION_RESPONSE_TYPE:-id_token}
        providerName: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-"Oracle"}
        publicKeyUrls:
          - "https://idcs-e1cc81fab76840ff92e07aa94c413b76.identity.pint.oc9qadev.com:443/admin/v1/SigningCert/jwk"
          - "http(s)://xxx.xx.xx.xxx:8585/api/v1/system/config/jwks"
        authority: ${AUTHENTICATION_AUTHORITY:-https://idcs-e1cc81fab76840ff92e07aa94c413b76.identity.pint.oc9qadev.com}
        clientId: ${AUTHENTICATION_CLIENT_ID:-"e8e56537bb6047e7a0a70565a1f64239"}
        callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-"http(s)://xxx.xx.xx.xxx:8585/callback"}
        jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
        enableSelfSignup: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
    2. Replace the placeholders with your provider-specific values, such as:
      • AUTHENTICATION_AUTHORITY: The URL for your SSO provider.
      • AUTHENTICATION_CLIENT_ID: The client ID for your application.
      • AUTHENTICATION_CALLBACK_URL: The callback URL for your application.
  9. Restart OM.
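As an added consistency check (not part of this guide or of OpenMetadata itself), the script below resolves the ${VAR:-default} placeholders used in the authenticationConfiguration above and verifies that callbackUrl is one of the redirect URLs registered on the private application in step 3, that the authority, callback and publicKeyUrls are all served over https, that a publicKeyUrls entry points at the authority's signing-cert JWKS, and flags enableSelfSignup. All host names, the client ID and the registered redirect list are constructed sample values.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample values; the guide uses the placeholder http(s)://<OM IP/FQDN>:8585.
OM_BASE = "https://om.example.internal:8585"
IDCS_AUTHORITY = "https://idcs-EXAMPLE.identity.example.com"
# Redirect URLs as registered on the IDCS private application (step 3, constructed).
REGISTERED_REDIRECTS = [f"{OM_BASE}/silent-callback", f"{OM_BASE}/callback"]
# authenticationConfiguration with its ${VAR:-default} placeholders still unexpanded.
AUTH_CONFIG = {
    "provider": '${AUTHENTICATION_PROVIDER:-"custom-oidc"}',
    "responseType": "${AUTHENTICATION_RESPONSE_TYPE:-id_token}",
    "publicKeyUrls": [
        f"{IDCS_AUTHORITY}:443/admin/v1/SigningCert/jwk",
        f"{OM_BASE}/api/v1/system/config/jwks",
    ],
    "authority": "${AUTHENTICATION_AUTHORITY:-" + IDCS_AUTHORITY + "}",
    "clientId": '${AUTHENTICATION_CLIENT_ID:-"CLIENT_ID_PLACEHOLDER"}',
    "callbackUrl": '${AUTHENTICATION_CALLBACK_URL:-"' + OM_BASE + '/callback"}',
    "enableSelfSignup": "${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}",
}
PLACEHOLDER = re.compile(r"^\$\{(\w+):-(.*)\}$")


def expand(value):
    # Resolve ${VAR:-default}: the environment variable wins, else the default.
    m = PLACEHOLDER.match(value)
    if not m:
        return value
    return os.environ.get(m.group(1), m.group(2)).strip('"')


def check_sso_config(config, registered_redirects):
    # Returns a list of findings; an empty list means the config is consistent.
    findings = []
    authority = expand(config["authority"])
    callback = expand(config["callbackUrl"])
    if callback not in registered_redirects:
        findings.append(f"callbackUrl {callback} is not a registered IDCS redirect URL")
    for url in [authority, callback] + [expand(u) for u in config["publicKeyUrls"]]:
        if urlparse(url).scheme != "https":
            findings.append(f"{url} is not served over https")
    jwks = [u for u in config["publicKeyUrls"] if u.endswith("/SigningCert/jwk")]
    if not any(urlparse(u).hostname == urlparse(authority).hostname for u in jwks):
        findings.append("no publicKeyUrls entry points at the authority's signing-cert JWKS")
    if expand(config["enableSelfSignup"]).lower() == "true":
        findings.append("enableSelfSignup is true: users asserted by the IdP are auto-created in OM")
    return findings
```

Run it against your own openmetadata.yaml values before step 9; a callbackUrl that is not registered exactly as in step 3 is the most common reason the IDCS login redirect fails.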