Azure Active Directory OpenID setup
This guide explains how to set up an OpenID login for Matillion ETL using Azure Active Directory credentials. This includes acquiring credentials from Azure Active Directory, setting up internal security in the User Configuration dialog, and then managing users and logging in with the OpenID credentials.
Note
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login.
- The login name for any Matillion ETL user is case-sensitive.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer (usually due to the incorrect detection of scheme and port). We recommend that a listener is set up on the ELB for port 443 instead of 80 to remedy the issue.
Acquiring credentials for Azure Active Directory
- Log in to the Azure Portal. Click App registrations on the Azure services menu at the top of the dashboard. If App registrations isn't visible on the Azure services menu, click More services on the right of the menu for more options.
- In App registrations, click + New registration in the menu at the top.
- In the Register an application dialog, provide details for the following fields, then click Register:
- Name: Provide a name for the app.
- Redirect URI: Provide an https URL for the Matillion ETL instance, appended with /j_security_check. For example: https://your-company.com/j_security_check
- You'll then see the Overview screen of the app's dashboard. Copy the Application (client) ID and Directory (tenant) ID credentials. You'll need these when you set up internal security in Matillion ETL.
Note
When you copy the credentials, some browsers may add a space to the end of them. Pay close attention to this because it will cause the credentials to fail.
- Click Certificates & secrets in the sidebar on the left. Then, in the Certificates & secrets dialog, click New client secret.
- The Add a client secret dialog will appear. Provide details for the following fields:
- Description: Provide a description of the client secret.
- Expires: Use the drop-down menu to select when you want the client secret to expire.
- Click Add. You will return to the Certificates & secrets dialog, where the new client secret will be listed, showing a Value. Copy the value, because it will be required for setting up internal security in Matillion ETL.
Note
- You must copy the client secret value immediately. The client secret only appears once. If you fail to copy the value, your only option is to repeat this process and create a new client secret.
- When copying the client secret, some browsers may add a space to the end of the string. Pay close attention to this because it will cause the credentials to fail.
Setting up internal security
- In Matillion ETL, click Admin at the top-right, and then click User Configuration.
- In the User Configuration dialog, click the Select Security Configuration drop-down field, and select Internal.
- Click the Open ID Connect Login tab. Use the credentials you copied earlier from the Azure Portal, and provide details for the following fields:
- Identity Provider: Select Azure Active Directory from the dropdown menu.
- Provider Endpoint URL: This will be a URL of the form https://login.microsoftonline.com/[Azure-Tenant-ID]/v2.0. Replace [Azure-Tenant-ID] with your Directory (tenant) ID.
- Client ID: Enter the Application (client) ID.
- Client Secret: Enter the client secret. This is the Value you copied from the Certificates & secrets dialog.
- User Attribute: Enter an attribute to identify users. The default is preferred_username.
- Scope: List scopes for which access will be requested. The default is profile.
- Extra Options: List any additional connection options, as [key:value] pairs. These options are not mandatory.
- Click OK.
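As an added pre-flight check (example code written for this page, not part of Matillion's documentation or product), the following Python validates the values from the two sections above before they are pasted into the dialog: it strips the trailing whitespace the notes warn about, builds the Provider Endpoint URL from the tenant ID, derives the OIDC discovery document URL whose issuer field should equal that endpoint, and checks the Redirect URI registered in Azure. The GUIDs and the discovery document used in the example are constructed, not real identifiers.

```python
import re
from urllib.parse import urlparse

# Constructed sample values for this example (not real Azure identifiers).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555 "  # trailing space, as a browser may add
SAMPLE_REDIRECT = "https://your-company.com/j_security_check"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def clean_copied_value(raw: str) -> tuple[str, bool]:
    """Strip whitespace some browsers append when copying; report whether any was present."""
    cleaned = raw.strip()
    return cleaned, cleaned != raw

def provider_endpoint(tenant_id: str) -> str:
    """Build the Provider Endpoint URL expected by the Open ID Connect Login tab."""
    tenant_id, _ = clean_copied_value(tenant_id)
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"Directory (tenant) ID is not a GUID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def discovery_url(endpoint: str) -> str:
    """OIDC discovery document for the endpoint; fetching it confirms the tenant resolves."""
    return endpoint.rstrip("/") + "/.well-known/openid-configuration"

def issuer_matches(discovery_doc: dict, endpoint: str) -> bool:
    """For the v2.0 endpoint the discovery document's issuer must equal the configured URL."""
    return discovery_doc.get("issuer", "").rstrip("/") == endpoint.rstrip("/")

def redirect_uri_problems(uri: str) -> list[str]:
    """Check the Redirect URI registered in Azure against what Matillion ETL expects."""
    parts = urlparse(uri.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.path != "/j_security_check":
        problems.append("path must be /j_security_check")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    return problems

if __name__ == "__main__":
    ep = provider_endpoint(SAMPLE_TENANT_ID)
    print("trailing whitespace in tenant ID:", clean_copied_value(SAMPLE_TENANT_ID)[1])
    print("Provider Endpoint URL:", ep)
    print("discovery document:", discovery_url(ep))
    print("redirect URI problems:", redirect_uri_problems(SAMPLE_REDIRECT))
```

Fetch the printed discovery URL with a browser or curl and pass the parsed JSON to issuer_matches to confirm the tenant ID was copied correctly.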
Managing users and logging in with OpenID credentials
- Once the OpenID has been configured, you will be prompted to restart your Matillion ETL instance. This is required to ensure all of the changes take effect. Thereafter, the Matillion ETL login screen will include Login with Azure Active Directory below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
- To add new users to the existing user list, return to the User Configuration dialog. Click the Manage Users tab, then click the + button.
- This will open the Add User dialog. Provide details for the following fields:
- Username: Enter the value of the User Attribute you chose to identify the user when you configured the Open ID Connect Login tab. If you're authenticating using OpenID, provide the email address that matches your OpenID credentials in this field.
- Password: Provide an appropriate password to be linked to the user. If you are authenticating using OpenID, a password will not be required.
- Repeat Password: Re-enter the password as above.
- Role: Select the access level of the user. For more information, read Project User Access.
- Permission Groups: Select an appropriate permission group for the user. For more information, read Groups and Permissions.
- Click OK.
- You will be returned to the Manage Users tab. Click Apply changes to confirm the addition of the new user. The OpenID can now be used to log in to your Matillion ETL instance.
Note
- Using OpenID does not prevent existing or new users from logging into their Matillion ETL instance via the usual method.
- The passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.