
OpenID setup

This guide explains how to set up an OpenID login on Matillion ETL using generic identity provider credentials through the User Configuration dialog. This guide includes setting up internal security in the User Configuration dialog, managing users, and logging in with the OpenID credentials.

Warning

OpenID is only available to instances of Matillion ETL running version 1.47 or later and may not appear for older instances or instances that have undergone an in-place upgrade. If you do not see the OpenID tab in your Matillion ETL instance, but you are running Tomcat v8.5.51 and the latest version of Matillion ETL, this may be remedied by adding ENABLE_OPENID=true to the emerald.properties file in the instance's file system.


Prerequisites

  • Before an OpenID can be configured, credentials will need to be acquired from a third-party identity provider.
  • Only credentials from a single provider can be used per instance.
  • Matillion ETL users must be created with the same login name as any expected OpenID login. These login IDs are case-sensitive.
  • Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer, usually because the scheme and port are detected incorrectly. To remedy this, set up a listener on the ELB for port 443 instead of 80.
  • If you are using Auth0 for authentication, please use a / character at the end of the Provider Endpoint URL.
  • OpenID is supported by single instances and clustered instances.

Multi-factor Authentication (MFA)

Matillion ETL's Open ID Connect Login tab, explained in greater detail later in this guide, enables users to configure Multi-factor Authentication (MFA) for their Matillion ETL instance.

  1. Access your Matillion ETL instance, and click Admin.
  2. Click User Configuration. This dialog will open in the Manage Users tab.
  3. Switch to the Open ID Connect Login tab, then use the drop-down menu to choose an identity provider, and select from the available providers:
    • None
    • Google
    • Microsoft AD
    • Okta
    • Azure Active Directory
    • Generic (any OpenID source).

Once you have selected the identity provider, the Provider Endpoint URL, Client ID, and Client Secret must be configured for the MFA to work.

Additional guides detailing the setup of each provider can be found here:


Setting up internal security

  1. In Matillion ETL, click Admin, then User Configuration.
  2. In the User Configuration dialog, click the Select Security Configuration drop-down menu and select Internal.
  3. Click OpenID Connect Login to open the OpenID configuration dialog. Then, enter details for the following fields:

    • Identity Provider: Select Generic from the dropdown menu.
    • Provider Endpoint URL: Enter the endpoint URL from the selected provider.
    • Client ID: Enter the client ID from the selected provider.
    • Client Secret: Enter the client secret linked to the above client ID.
    • User Attribute: Enter an attribute to identify users. "ID Token" is set as default.
    • Scope: List scopes for which access will be requested. "email" is set as default.
    • Extra Options: List any additional connection options. These options should be listed as key:value pairs.
  4. Click OK to finish.


Entering a redirect URL

If your platform requires a redirect URL, follow these generalized steps:

  1. Log in to your identity provider's (IdP) administrator portal.
  2. Locate the OAuth client credentials section. The naming of this area may differ by IdP.
  3. Where the redirect URL is collected, provide an HTTPS URL for your Matillion ETL instance, appended with /j_security_check. For example: https://your-company.com/j_security_check.

    Note

    The URL must match the base URL Matillion ETL users provide in their browser to reach the application.

  4. Save your changes.
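
The redirect URL rules above (HTTPS, the /j_security_check path, same base URL as the browser) and the load-balancer prerequisite can be checked before saving the value at the IdP. The following is an added example, not Matillion code; the function names are hypothetical, and `url_seen_by_instance` is only an assumed model of an instance building its callback from the scheme and port it detects.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/j_security_check"  # callback path given in step 3 above
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with default ports made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def check_redirect_url(registered, browser_base_url):
    """List the reasons a registered redirect URL would not match the instance."""
    problems = []
    reg = urlsplit(registered)
    if reg.scheme.lower() != "https":
        problems.append("redirect URL is not HTTPS")
    if reg.path != CALLBACK_PATH:
        problems.append(f"path is {reg.path!r}, expected {CALLBACK_PATH!r}")
    if reg.query or reg.fragment:
        problems.append("redirect URL carries a query string or fragment")
    if origin(registered) != origin(browser_base_url):
        problems.append(
            f"origin {origin(registered)} differs from browser base URL {origin(browser_base_url)}"
        )
    return problems


def url_seen_by_instance(scheme, host, port):
    """Assumed model: callback URL built from the scheme and port the instance detects."""
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{netloc}{CALLBACK_PATH}"


if __name__ == "__main__":
    base = "https://your-company.com"  # constructed from the page's example URL
    candidates = (
        "https://your-company.com/j_security_check",       # as documented
        "https://your-company.com/j_security_ckeck",       # misspelled path
        url_seen_by_instance("http", "your-company.com", 80),  # listener on port 80
    )
    for candidate in candidates:
        print(candidate, "->", check_redirect_url(candidate, base) or "OK")
```

An empty list means the registered value is consistent with the URL users type; the port-80 case shows why a plain HTTP listener in front of the instance produces a callback that the IdP will not recognise.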


Managing users and logging in with OpenID credentials

  1. Once the OpenID has been configured, a dialog will appear, prompting the Matillion ETL instance to be fully restarted (required before the changes will take effect). The Matillion ETL login screen will include Login with OpenID Connect below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
  2. In the User Configuration dialog, click Manage Users, then click +.
  3. This will open the Add User dialog. Provide details for the following fields:

    • Username: Enter the User Attribute chosen to identify the user.
    • Password: Enter an appropriate password to be linked to the user.
    • Repeat Password: Re-enter the password as above.
    • Role: Select the access level of the user, then click OK. For more information, read Project user access.
  4. You will return to the Manage Users tab. Click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID can now be used to log into your Matillion ETL instance.

Note

Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.