OpenID is only available to new instances of Matillion ETL—version 1.47 and later as launched from the marketplace—and may not appear for older instances or ones that have undergone an in-place upgrade.
If you do not see the OpenID tab, but are on Tomcat v8.5.51 or later and the latest Matillion ETL version, this may be remedied by adding ENABLE_OPENID=true to the emerald.properties file on your instance.
This guide explains how to set up an OpenID login on Matillion ETL using generic identity provider credentials through the User Configuration window. This guide includes setting up internal security in the User Configuration window, managing users, and logging in with the OpenID credentials.
- Before an OpenID can be configured, credentials will need to be acquired from a third-party identity provider.
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a Load Balancer (usually due to the incorrect detection of scheme and port). It is recommended a listener is set up on the ELB for port 443 instead of 80 to remedy the issue.
Multi-factor Authentication (MFA)
Matillion ETL's Open ID Connect Login tab, explained in greater detail later in this guide, enables users to configure Multi-factor Authentication (MFA) for their Matillion ETL instance.
1. Click Identity Provider and select from the available providers:
- Microsoft AD
- Generic (any OpenID source).
Once you have selected the Identity Provider, the Provider Endpoint URL, Client ID, and Client Secret must be configured for the MFA to work.
Additional guides detailing the setup of each provider can be found here:
Setting Up Internal Security
1. In Matillion ETL, on the top right of the screen, click Admin → User Configuration.
2. In the User Configuration dialog, click the Select Security Configuration dropdown menu and select Internal.
3. Click OpenID Connect Login to open the OpenID configuration dialog. Then, provide details for the following fields:
- Identity Provider: select Generic from the dropdown menu (no fields will be auto-completed).
- Provider Endpoint URL: provide the endpoint URL from the selected provider.
- Client ID: enter the client ID from the selected provider.
- Client Secret: enter the client secret linked to the above client ID.
- User Attribute: enter an attribute to identify users. "ID Token" is set as default.
- Scope: list scope(s) for which access will be requested. "email" is set as default.
- Extra Options: list any additional connection options. These options should be listed as [key:value pairs]. Click OK to finish.
Managing Users and Logging In with OpenID Credentials
1. Once the OpenID has been configured, a dialog window will appear, prompting the Matillion ETL instance to be fully restarted (required before the changes will take effect). Thereafter, the Matillion ETL login screen will include Login with OpenID Connect below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
2. In the User Configuration dialog, click Manage Usersdfn>, then click .
3. This will open the Add User dialog. Provide details for the following fields:
- Username: enter the User Attribute chosen to identify the user.
- Password: provide an appropriate password to be linked to the user.
- Repeat Password: re-enter the password as above.
- Role: select the access level of the user (also see this article for details), then click OK.
4. On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID can now be used to login into the Matillion ETL instance.
Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.