Microsoft AD OpenID Setup


Overview

This guide shows how to set up an OpenID login on Matillion ETL using Microsoft Active Directory credentials through the User Configuration window. This includes acquiring credentials from Microsoft Active Directory, setting up internal security in the User Configuration window, and then managing users and logging in with the OpenID credentials.

Important Information

  • Only credentials from a single provider can be used per instance.
  • A Matillion ETL user must exist whose username exactly matches the value of the chosen User Attribute (unique_name by default) for every expected OpenID login.
  • Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer, usually because the instance detects the wrong scheme and port and so sends a redirect URI that does not match the one registered in Azure. It is recommended that a listener is set up on the ELB for port 443 instead of 80 to remedy this.

Acquiring Credentials for Microsoft Active Directory

  1. Navigate to the Microsoft Azure Portal. The Microsoft Azure login screen will appear immediately. Enter valid login credentials to continue. The browser will then redirect to the Microsoft Azure dashboard. Click App registrations on the Azure services menu at the top of the screen.

    Please Note

    If App registrations is not available on the Azure services menu, simply click More Services, on the right of the menu, for a longer list of options.

    Microsoft Azure dashboard

  2. On the App registrations page, click + New registration on the menu at the top of the screen.

    App registrations

  3. Now, in the Register an application window, provide details for the following fields:

    • Name – provide a name for the app
    • Redirect URI (optional) – enter the HTTPS URL on which users reach the Matillion ETL instance, with /j_security_check appended (see example below). Azure only redirects back to a URI that exactly matches a registered one, so the scheme, host and port must be the ones the instance is actually reached on. Then click Register

    Example

    https://<example.matillion.com:port>/j_security_check

    Register App

  4. The browser will then redirect to the Overview window on the app's newly created dashboard. From here, copy the values to the right of Application (client) ID and Directory (tenant) ID as both will be required for Setting Up Internal Security.

    Please Note

    When copying the codes, some browsers may add a space to the end of the code. Watch out for this as it will cause the credentials to fail.

    App Overview

  5. Next, click Certificates & secrets on the sidebar on the left. Then, in the Certificates & secrets window, click + New client secret.

    New client secret

  6. The Add a client secret pop-up window will then appear. Provide details for the following fields:

    • Description – provide a description of the client secret
    • Expires – select when the client secret should expire, then click Add. Note the expiry date: once the secret expires, OpenID logins will fail until a new secret is created and entered in Matillion ETL

    Add client secret

  7. Returning to the Certificates & secrets window, the new client secret will appear on the list in the Client secrets section. Copy its Value (not its Secret ID) as it will be required for Setting Up Internal Security.

    Please Note

    • Copy the client secret value immediately: it is shown in full only once, directly after creation, and is masked afterwards.
    • Additionally, when copying the client secret, some browsers may add a space to the end of the value. Watch out for this as it will cause the credentials to fail.

    Copy client secret


Setting Up Internal Security

  1. In Matillion ETL, on the top right of the screen, click Admin, then User Configuration.

    Admin dropdown menu

  2. In the User Configuration pop-up window, click on the Select Security Configuration dropdown menu and select Internal.

    User Configuration window

  3. Next, click OpenID Connect Login to open the OpenID configuration form. Then, using the codes copied from Microsoft Azure Portal, provide details for the following fields:

    • Identity Provider – select Microsoft AD from the dropdown menu
    • Provider Endpoint URL – replace [Directory (tenant) ID] in the URL (auto-inserted into the field) with the Directory (tenant) ID
    • Client ID – enter the Application (client) ID
    • Client Secret – enter the client secret
    • User Attribute – enter the ID token claim whose value identifies the user (unique_name is set as default); this value must match the Matillion ETL username exactly
    • Scope – list the scope(s) for which access will be requested (email is set as default)
    • Extra Options – list any additional connection options as key:value pairs (not mandatory), then click OK

    OpenID Connect Login tab
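The following is an added example, not Matillion's own code, for checking the values pasted into the form above before restarting the instance: it strips the stray whitespace some browsers append to the copied IDs, builds the redirect URI from the scheme, host and port the instance believes it is served on, and checks it against the URIs registered in Azure, which is exactly the comparison that fails behind a load balancer that forwards HTTPS to the instance over plain HTTP. The instance URL, client ID, tenant ID and registered redirect URIs are made up; Azure's v1.0 discovery and authorize endpoints are used because unique_name, the form's default User Attribute, is a v1.0 token claim (check the URL the form auto-inserts rather than relying on this), and adding openid to the configured Scope is an assumption about what the form sends.

```python
# Added example (not Matillion's own code): check the values pasted into the
# OpenID Connect Login form and preview the authorization request Matillion ETL
# will send to Azure AD. Assumptions: the instance URL, client/tenant IDs and
# registered redirect URIs below are made up; Azure's v1.0 endpoints are used
# because unique_name (the form's default User Attribute) is a v1.0 token claim.
import re
import secrets
from urllib.parse import urlencode

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def clean_id(value, label):
    """Strip whitespace a browser may have appended when copying from the portal
    and refuse anything that is not a GUID (client and tenant IDs are GUIDs)."""
    cleaned = value.strip()
    if not GUID_RE.match(cleaned):
        raise ValueError(f"{label} is not a GUID: {value!r}")
    return cleaned


def discovery_url(tenant_id):
    """Azure AD's OIDC discovery document for the tenant (v1.0 endpoint); the
    Provider Endpoint URL field should resolve to something equivalent."""
    return f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration"


def redirect_uri_for(scheme, host, port):
    """The redirect_uri Matillion ETL sends is built from the scheme, host and
    port it detects for itself; default ports are omitted from the URL."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}/j_security_check"


def redirect_registered(sent_uri, registered_uris):
    """Azure only redirects to a URI that exactly matches one registered on the
    app; a different scheme, host, port or path is rejected."""
    return sent_uri in registered_uris


def authorization_request(tenant_id, client_id, redirect_uri, scope):
    """Authorization Code flow request to the v1.0 authorize endpoint. openid is
    prepended to the configured scope (assumption: the form's Scope field lists
    only the extra scopes, email by default). state and nonce are fresh per request."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid " + scope,
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?" + urlencode(params)


def check_setup(client_id, tenant_id, registered_uris, detected):
    """Checks to run before restarting the instance. `detected` is the
    (scheme, host, port) the instance believes it is served on.
    Returns (ok, messages)."""
    messages = []
    try:
        client_id = clean_id(client_id, "Application (client) ID")
        tenant_id = clean_id(tenant_id, "Directory (tenant) ID")
    except ValueError as exc:
        return False, [str(exc)]
    sent = redirect_uri_for(*detected)
    if not redirect_registered(sent, registered_uris):
        messages.append(f"redirect_uri {sent} is not registered in Azure "
                        f"(registered: {', '.join(registered_uris)}); typical when "
                        "an ELB forwards HTTPS to the instance over plain HTTP")
        return False, messages
    messages.append("discovery: " + discovery_url(tenant_id))
    messages.append("authorize: " + authorization_request(tenant_id, client_id, sent, "email"))
    return True, messages


if __name__ == "__main__":
    registered = ["https://etl.example.com/j_security_check"]   # constructed
    client = " 11111111-2222-3333-4444-555555555555 "            # note the pasted spaces
    tenant = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    for detected in [("http", "etl.example.com", 80), ("https", "etl.example.com", 443)]:
        ok, msgs = check_setup(client, tenant, registered, detected)
        print(detected, "OK" if ok else "FAIL")
        for m in msgs:
            print("  ", m)
```

The first run of the loop reproduces the load-balancer failure from Important Information: the instance detects http on port 80, so it sends http://etl.example.com/j_security_check, which is not the registered HTTPS URI. The second run, with the instance detecting https on 443, passes and prints the discovery URL and an authorization request whose redirect_uri is URL-encoded exactly as registered.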


Managing Users and Logging In with OpenID credentials

  1. Once OpenID has been configured, a pop-up window will prompt for the Matillion ETL instance to be fully restarted (required before the changes take effect). After the restart, the Matillion ETL login screen will include Sign in with Microsoft below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.

    Matillion ETL login screen with OpenID

  2. Next, back in the User Configuration pop-up window, click the Manage Users tab, then click +.

    Manage Users

  3. This will open the Add User pop-up window. Provide details for the following fields:

    • Username – enter the value the identity provider will present in the chosen User Attribute for this user (for the default unique_name this is normally the user's sign-in name, e.g. jane.doe@example.com); it must match exactly
    • Password – provide an appropriate password to be linked to the user (used only for the standard Matillion ETL login form, see the note below)
    • Repeat Password – re-enter the password as above
    • Role – select the access level of the user (see the separate roles documentation for details), then click OK

    Add user

  4. On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID credentials can now be used to log in to the Matillion ETL instance.

    Please Note

    Using OpenID does not prevent existing or new users from logging into the Matillion ETL instance via the usual username and password method. Additionally, the passwords assigned to the OpenID users within Matillion ETL are solely for that standard login form and play no part in the OpenID sign-in.

    Apply changes
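The following is an added example, not Matillion's own code, of the mapping rule behind the Username field above and the note in Important Information: the value of the configured User Attribute in the ID token must equal a username in Manage Users character for character. The ID token and the user list are constructed for this example; the token has the shape of an Azure AD v1.0 ID token but carries a dummy signature, and the decode routine only reads claims for diagnosis (for instance when a login is refused and you want to see which value was compared) and is not token validation, which the relying party must do against the provider's published keys.

```python
# Added example (not Matillion's own code): show which ID token claim Matillion
# ETL compares to its user list, and why the username entered in Manage Users
# has to equal that claim value exactly. The token and user list are constructed
# for this example; the token carries a dummy signature and is only decoded to
# inspect claims, which is fine for diagnosis but is not token validation.
from __future__ import annotations
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def constructed_id_token(unique_name: str) -> str:
    """Build a token shaped like an Azure AD v1.0 ID token with a fake signature.
    Issuer and audience are made-up tenant and client IDs."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-key"}
    payload = {
        "iss": "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
        "aud": "11111111-2222-3333-4444-555555555555",
        "unique_name": unique_name,
        "upn": unique_name,
        "email": unique_name,
    }
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    return ".".join(parts + ["c2lnbmF0dXJl"])  # placeholder, not a real RS256 signature


def id_token_claims(id_token: str) -> dict:
    """Read claims for diagnosis only: no signature, issuer, audience or expiry
    check is done here. Matillion ETL (the relying party) must validate the token
    against the provider's published keys before any claim is trusted."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_matillion_user(claims: dict, user_attribute: str, local_users: set[str]) -> str | None:
    """Mirror the mapping rule from the page: the value of the configured User
    Attribute must equal a username created in Manage Users, character for
    character (no trimming, no case folding). Returns the username or None."""
    login_name = claims.get(user_attribute)
    if not isinstance(login_name, str):
        return None  # claim absent: wrong attribute name for this token type
    return login_name if login_name in local_users else None


if __name__ == "__main__":
    token = constructed_id_token("jane.doe@example.com")
    claims = id_token_claims(token)
    users = {"jane.doe@example.com", "admin"}  # constructed Manage Users list
    print(resolve_matillion_user(claims, "unique_name", users))          # matches
    print(resolve_matillion_user(claims, "unique_name", {"jane.doe"}))   # short name: no match
    print(resolve_matillion_user(claims, "unique_name", {"Jane.Doe@example.com"}))  # case differs: no match
    print(resolve_matillion_user(claims, "preferred_username", users))   # v2.0 claim, absent here
```

The last two calls show the two ways a login silently fails even though Azure accepted the user: the Manage Users entry differs from the claim value (short name, different case, a pasted trailing space), or the User Attribute names a claim the token does not carry (preferred_username is the v2.0 counterpart of unique_name and is not present in a v1.0 token).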