OpenID is only available to instances of Matillion ETL running version 1.47 or later and may not appear for older instances or instances that have undergone an in-place upgrade.
If you do not see the OpenID tab in your Matillion ETL instance, but you are running Tomcat v8.5.51 and the latest version of Matillion ETL, this may be remedied by adding ENABLE_OPENID=true to the emerald.properties file in the instance's file system.
This guide explains how to set up an OpenID login on Matillion ETL using generic identity provider credentials through the User Configuration window. This guide includes setting up internal security in the User Configuration window, managing users, and logging in with the OpenID credentials.
- Before an OpenID can be configured, credentials will need to be acquired from a third-party identity provider.
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login. These login IDs are case-sensitive.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a Load Balancer (usually due to the incorrect detection of scheme and port). It is recommended a listener is set up on the ELB for port 443 instead of 80 to remedy the issue.
- If you are using Auth0 for authentication, please use a / character at the end of the Provider Endpoint URL.
- OpenID is only supported by single instances; OpenID for high availability (HA) clusters is not supported.
Multi-factor Authentication (MFA)
Matillion ETL's Open ID Connect Login tab, explained in greater detail later in this guide, enables users to configure Multi-factor Authentication (MFA) for their Matillion ETL instance.
1. Access your Matillion ETL instance, and click Admin, situated to the far right-hand side. Click User Configuration. This dialog will open in the Manage Users tab. Switch to the Open ID Connect Login tab, then use the drop-down menu to choose an Identity Provider, and select from the available providers:
- Microsoft AD
- Azure Active Directory
- Generic (any OpenID source).
Once you have selected the Identity Provider, the Provider Endpoint URL, Client ID, and Client Secret must be configured for the MFA to work.
Additional guides detailing the setup of each provider can be found here:
Setting Up Internal Security
1. In Matillion ETL, on the top right of the screen, click Admin, then User Configuration.
2. In the User Configuration dialog, click the Select Security Configuration dropdown menu and select Internal.
3. Click OpenID Connect Login to open the OpenID configuration dialog. Then, provide details for the following fields:
- Identity Provider: select Generic from the dropdown menu (no fields will be auto-completed).
- Provider Endpoint URL: provide the endpoint URL from the selected provider.
- Client ID: enter the client ID from the selected provider.
- Client Secret: enter the client secret linked to the above client ID.
- User Attribute: enter an attribute to identify users. "ID Token" is set as default.
- Scope: list scope(s) for which access will be requested. "email" is set as default.
- Extra Options: list any additional connection options. These options should be listed as [key:value pairs]. Click OK to finish.
Managing Users and Logging In with OpenID Credentials
1. Once the OpenID has been configured, a dialog window will appear, prompting the Matillion ETL instance to be fully restarted (required before the changes will take effect). Thereafter, the Matillion ETL login screen will include Login with OpenID Connect below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
2. In the User Configuration dialog, click Manage Users, then click .
3. This will open the Add User dialog. Provide details for the following fields:
- Username: enter the User Attribute chosen to identify the user.
- Password: provide an appropriate password to be linked to the user.
- Repeat Password: re-enter the password as above.
- Role: select the access level of the user (also see this article for details), then click OK.
4. On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID can now be used to log in into the Matillion ETL instance.
Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.