Okta OpenID setup
This guide explains how to set up an OpenID login on Matillion ETL using Okta credentials. This includes acquiring credentials from Okta, setting up internal security in the User Configuration dialog, and then managing users and logging in with the OpenID credentials.
Note
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a Load Balancer (usually due to incorrect detection of the scheme and port). To remedy this, it is recommended that a listener be set up on the ELB for port 443 instead of 80.
Acquiring Credentials for Okta
- Log in to your Okta developer account as a user with administrative privileges.
- In the Admin Console, click Applications → Applications.
- Click Create App Integration.
- On the Create a new app integration page, select OpenID Connect as the Sign-in method.
- Select Web Application as the Application type for your integration then click Next.
- Enter the following details, then click Save:
- Name: A name for the application. You can also optionally upload a logo.
- Sign-in redirect URIs: Enter the URL of the Matillion ETL instance, appended by /j_security_check. For example, https://example.matillion.com/j_security_check
- Sign-out redirect URIs: This is not required.
- Assignments: Leave the default setting.
- The main settings page for your new integration is now displayed. In the Client Credentials section, click Edit, then Generate New Client Secret.
- Copy the credentials in the Client ID and Client secret fields as they will be required for setting up internal security in Matillion ETL.
Note
- Make sure to copy the client secret right away as it may appear only once.
- Additionally, when copying the credentials, some browsers may add a space to the end of the code. Watch out for this as it will cause the credentials to fail.
- Click the Assignments tab.
- Click Assign and then select Assign to People.
- Enter the people who should have Single Sign-On to your application, and click Assign for each.
- Clicking Assign opens a window with that user's information. Verify the details, then click Save and Go Back.
- Click Done.
Setting Up Internal Security
- In Matillion ETL, click Admin → User Configuration.
- In the User Configuration dialog, click the Select Security Configuration drop-down menu and select Internal.
- Click Open ID Connect Login to display the Open ID connection details. Enter details for the following fields:
- Identity Provider: Select Okta from the dropdown menu.
- Provider Endpoint URL: Enter the subdomain and domain associated with your Okta account. For example: https://org-name.okta.com, where org-name is typically the name of your company or organization.
- Client ID: Enter the client ID you copied from the Okta portal.
- Client Secret: Enter the client secret you copied from the Okta portal.
- User Attribute: Enter an attribute to identify users. The default is email.
- Scope: List a scope or scopes for which access will be requested. The default is email.
- Extra Options: List any additional connection options as key:value pairs. These options are not mandatory.
Note
If you have configured a custom authorization server in Okta, include the authorizationServerId in the Provider Endpoint URL: https://${yourOktaDomain}/oauth2/${authorizationServerId}
- Click OK.
- Once the OpenID has been configured, you will be prompted to restart the Matillion ETL instance. This is required before the changes will take effect.
Managing Users and Logging In with OpenID credentials
The Matillion ETL login screen will include Sign in with Okta below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
- In the User Configuration dialog, click the Manage Users tab, then click +.
- This will open the Add User dialog. Provide details for the following fields:
- Username: Enter the Attribute chosen to identify the user. For example, if you chose the default attribute email, enter the user's email address.
- Password: Provide an appropriate password to be linked to the user.
- Repeat Password: Re-enter the password as above.
- Role: Select the access level of the user. Read Project User Access for details.
- Click OK.
- On returning to the Manage Users tab, click Apply changes to confirm the addition of the new user. That user can now use OpenID to log in to the Matillion ETL instance.
Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.
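The following pre-flight check is an added example, not code from Matillion ETL or Okta. It encodes the rules this guide states for the Internal Security settings (redirect URI ending in /j_security_check, Provider Endpoint URL with an optional /oauth2/authorizationServerId suffix, no stray whitespace in copied credentials) and for the user list (a Matillion ETL username must equal the chosen user attribute, email by default); the function names and all sample values are made up for the example.

```python
# Added pre-flight check for the Okta OpenID settings entered in User
# Configuration. Constructed example, not Matillion ETL or Okta code; it only
# encodes the rules this guide states, and every sample value is made up.
import re
from urllib.parse import urlparse

# Custom authorization server suffix: /oauth2/<authorizationServerId>
AUTH_SERVER_PATH = re.compile(r"/oauth2/[A-Za-z0-9_-]+")


def redirect_uri(instance_url):
    """Sign-in redirect URI to register in Okta: instance URL + /j_security_check.
    Requires https, since the guide expects the ELB listener on 443 rather than 80."""
    parts = urlparse(instance_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("instance URL must be an https:// URL with a host")
    return f"https://{parts.netloc}/j_security_check"


def discovery_url(endpoint):
    """Validate the Provider Endpoint URL (https://<org>.okta.com, optionally with
    /oauth2/<authorizationServerId>) and derive the OIDC discovery document URL.
    A trailing slash, query or fragment is rejected: it would corrupt derived URLs."""
    parts = urlparse(endpoint)
    path_ok = parts.path == "" or AUTH_SERVER_PATH.fullmatch(parts.path)
    if parts.scheme != "https" or not parts.netloc or not path_ok \
            or parts.query or parts.fragment:
        raise ValueError(f"unexpected Provider Endpoint URL: {endpoint!r}")
    return f"{endpoint}/.well-known/openid-configuration"


def preflight(instance_url, endpoint, client_id, client_secret):
    """Return a list of problems; empty when the settings look consistent."""
    problems = []
    for name, value in (("Client ID", client_id), ("Client secret", client_secret)):
        # Some browsers append a space on copy; Okta then rejects the credential.
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has leading/trailing whitespace")
    for check, arg in ((redirect_uri, instance_url), (discovery_url, endpoint)):
        try:
            check(arg)
        except ValueError as err:
            problems.append(str(err))
    return problems


def unmatched_logins(okta_users, matillion_usernames, attribute="email"):
    """Assigned Okta users whose chosen attribute (default email) has no Matillion
    ETL user of exactly that name; those users cannot sign in with Okta yet."""
    return sorted(u.get(attribute, "") for u in okta_users
                  if u.get(attribute) not in matillion_usernames)
```

Run preflight() on the values before clicking OK, since a mistake is only surfaced after the mandatory instance restart.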