Okta OpenID Setup
This guide shows how to set up an OpenID login on Matillion ETL using Okta credentials through the User Configuration window. This includes acquiring credentials from Okta, setting up internal security in the User Configuration window, and then managing users and logging in with the OpenID credentials.
- Only credentials from a single provider can be used per instance.
- Matillion ETL users must be created with the same login name as any expected OpenID login.
- Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer (usually due to incorrect detection of scheme and port). It is recommended that a listener is set up on the ELB for port 443 instead of 80 to remedy the issue.
Acquiring Credentials for Okta
Navigate to the Okta Website. On the right of the header, click Sign In.
On the next screen, enter the subdomain and select the domain associated with the account in the fields provided, then click Next. Please make a note of the subdomain, as it will be required to configure the OpenID Connect Login. The browser will then redirect to a login screen. Enter valid login credentials for the account associated with the subdomain to continue.
Once logged in to the Okta Dashboard, click Applications on the header.
On the Applications page, click Add Application.
This will open the Create New Application wizard. Firstly, a platform for the application will need to be selected. Click Web, then click Next.
Next, on the APPLICATION SETTINGS page, provide details for the following fields:
- Name – provide a name for the application
- Login redirect URIs – provide a secure URL for the Matillion ETL instance appended by /j_security_check (see example below), then scroll to the bottom of the page and click Done
The browser will then redirect to a newly created app information page. Scroll down to the bottom of the page to the Client Credentials section. Copy the codes in the Client ID and Client secret fields as they will be required for Setting Up Internal Security.
- Make sure to copy the client secret right away as it may appear only once.
- Additionally, when copying the codes, some browsers may add a space to the end of the code. Watch out for this as it will cause the credentials to fail.
Next, scroll back to the top of the page and click the Assignments tab. Then, click Assign → Assign to People.
This will open a pop-up window with a list of available users and groups. Ensure the users that will use the OpenID login are also assigned to the app by clicking Assign next to the relevant name.
Clicking Assign will also open the user or group's information pop-up window. From here, specific details can be edited and a shared User Attribute may be identified.
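The values gathered in this section can be checked before they are entered into Matillion ETL. The following is an added example, not part of the original guide or of Matillion's or Okta's tooling; it covers the redirect URI requirements and the copy-and-paste pitfall described above. It assumes "secure URL" means an https URL, and the host name and credential strings are constructed placeholders.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/j_security_check"  # suffix the guide requires on the login redirect URI


def check_redirect_uri(uri):
    """Return a list of problems with a login redirect URI (empty list means OK)."""
    problems = []
    if uri != uri.strip():
        problems.append("redirect URI has leading or trailing whitespace")
    parts = urlsplit(uri.strip())
    if parts.scheme != "https":  # assumption: "secure URL" means https
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.hostname:
        problems.append("redirect URI has no host")
    try:
        port = parts.port
    except ValueError:  # raised by urllib for a non-numeric or out-of-range port
        port = None
        problems.append("redirect URI port is not a valid number")
    if port == 80:
        problems.append("port 80 given; the guide recommends a 443 listener on the load balancer")
    if not parts.path.endswith(CALLBACK_PATH):
        problems.append(f"path does not end with {CALLBACK_PATH}")
    return problems


def check_credential(name, value):
    """Flag empty values and stray whitespace; the value itself is never echoed."""
    if not value:
        return [f"{name} is empty"]
    if any(ch.isspace() for ch in value):
        return [f"{name} contains whitespace (check for a space added when copying)"]
    return []


def preflight(redirect_uri, client_id, client_secret):
    """Run all checks and return the combined list of problems."""
    return (check_redirect_uri(redirect_uri)
            + check_credential("Client ID", client_id)
            + check_credential("Client secret", client_secret))


if __name__ == "__main__":
    # Constructed sample values: not a real instance, client ID or secret.
    issues = preflight("http://etl.example.com:80/j_security_check",
                       "0oaCONSTRUCTEDid ", "constructed-secret")
    for issue in issues:
        print("FAIL:", issue)
    print("OK" if not issues else f"{len(issues)} problem(s) found")
```

The messages name the field at fault but never print the client secret, so the output is safe to paste into a ticket or log.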
Setting Up Internal Security
In Matillion ETL, on the top right of the screen, click Admin → User Configuration.
In the User Configuration pop-up window, click on the Select Security Configuration dropdown menu and select Internal.
Next, click OpenID Connect Login to open the OpenID configuration form. Then, using the codes copied from the Okta website, provide details for the following fields:
- Identity Provider – select Okta from the dropdown menu
- Provider Endpoint URL – enter the subdomain and domain associated with the Okta account
- Client ID – enter the client ID
- Client Secret – enter the client secret
- User Attribute – enter an attribute to identify users (email is set as default)
- Scope – list scope(s) for which access will be requested (email is set as default)
- Extra Options – list any additional connection options (these options are not mandatory and should be listed as [key:value pairs]), then click OK
Managing Users and Logging In with OpenID credentials
Once OpenID has been configured, a pop-up window will appear prompting for the Matillion ETL instance to be fully restarted (required before the changes will take effect). Thereafter, the Matillion ETL login screen will include Sign in with Okta below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.
Next, back in the User Configuration pop-up window, click the Manage Users tab, then click +.
This will open the Add User pop-up window. Provide details for the following fields:
On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. OpenID can now be used to log in to the Matillion ETL instance.
Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for use within Matillion ETL.