This guide shows how to set up an OpenID login on Matillion ETL using generic identity provider credentials through the User Configuration window. This includes setting up internal security in the User Configuration window, managing users, and logging in with the OpenID credentials.
- Before an OpenID can be configured, credentials will need to be acquired from a third-party identity provider.
- Specific OpenID setup guides are also available for identity providers including Microsoft Active Directory, Google and Okta, amongst others.
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer (usually due to the incorrect detection of scheme and port). To remedy the issue, it is recommended that a listener is set up on the ELB for port 443 instead of 80.
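To diagnose the load balancer issue in the last note, the check below (an added example, not Matillion code) takes the authorization URL the browser is redirected to when Login with OpenID Connect is clicked and compares the `redirect_uri` it carries with the public URL of the instance. It assumes a standard OpenID Connect authorization request; the hostnames, the `/callback` path and the client ID are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def check_redirect_uri(authorization_url, public_base_url):
    """Compare the redirect_uri in an authorization request with the public URL.

    Returns a list of mismatch descriptions; an empty list means that
    scheme, host and port all agree.
    """
    query = parse_qs(urlsplit(authorization_url).query)  # also percent-decodes values
    values = query.get("redirect_uri")
    if not values:
        return ["authorization request carries no redirect_uri parameter"]
    sent = origin(values[0])
    expected = origin(public_base_url)
    problems = []
    for name, got, want in zip(("scheme", "host", "port"), sent, expected):
        if got != want:
            problems.append(f"{name}: request sends {got!r}, public URL uses {want!r}")
    return problems

# Constructed sample data: hostnames, path and client_id are placeholders.
PUBLIC_URL = "https://etl.example.com"
BAD = ("https://idp.example.com/authorize?response_type=code&client_id=PLACEHOLDER"
       "&redirect_uri=http%3A%2F%2Fetl.example.com%3A80%2Fcallback")
GOOD = ("https://idp.example.com/authorize?response_type=code&client_id=PLACEHOLDER"
        "&redirect_uri=https%3A%2F%2Fetl.example.com%2Fcallback")

if __name__ == "__main__":
    for label, url in (("scheme/port misdetected", BAD), ("scheme/port correct", GOOD)):
        print(label, "->", check_redirect_uri(url, PUBLIC_URL) or "OK")
```

A scheme or port mismatch reported here means the identity provider is being sent a callback address that differs from the one users actually reach.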
Setting Up Internal Security
In Matillion ETL, on the top right of the screen, click Admin → User Configuration.
In the User Configuration pop-up window, click on the Select Security Configuration dropdown menu and select Internal.
Next, click OpenID Connect Login to open the OpenID configuration form. Then, provide details for the following fields:
- Identity Provider – select Generic from the dropdown menu (no fields will be auto-completed)
- Provider Endpoint URL – provide the endpoint URL from the selected provider
- Client ID – enter the client ID from the selected provider
- Client Secret – enter the client secret linked to the above client ID
- User Attribute – enter an attribute to identify users (ID Token is set as default)
- Scope – list scope(s) for which access will be requested (email is set as default)
- Extra Options – list any additional connection options (these options are not mandatory and should be listed as [key:value pairs]), then click OK
Managing Users and Logging In with OpenID credentials
Once the OpenID has been configured, a pop-up window will appear prompting for the Matillion ETL instance to be fully restarted (required before the changes will take effect). Thereafter, the Matillion ETL login screen will include Login with OpenID Connect below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
Next, back in the User Configuration pop-up window, click the Manage Users tab, then click +.
This will open the Add User pop-up window. Provide details for the following fields:
On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID can now be used to log in to the Matillion ETL instance.
Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.