OpenID Setup

Overview

It is possible to set up Matillion ETL to allow Open ID logins from a particular provider through the User Configuration menu. Only a single provider can be used at a given time. 

Note that a Matillion ETL User must be created with the same login name as any expected OpenID login.
 

Setup

Begin by opening the User Configuration dialog via:

Admin → User Configuration

And switching the Security Configuration to Internal.



Switching to the OpenID Connect Login tab will bring up a form that is common to all providers.



Identity Provider: Choose a OpenID provider that will allow auto-completion of some fields. Currently supports Google, Microsoft AD and Okta for auto-completion. Generic may be picked for any other OpenID source.
Provider Endpoint URL: The URL of the OpenID service used. Information on expected URLs for the supported providers are given in the sections below.
Client ID: The Client ID of the app registered with the provider.
Client Secret: The Client Secret of the app registered with the provider.
User Attribute: The attribute of the user's account that is used to identify the user. This is usually email or unique_name. If the login fails with one of these recommendations entered, it is advised to try the other.
Scope: The scope of the request in terms of permissions requested.
Extra Options: Any additional connection options as key:value pairs. This is generally not required.

Note that the Generic option will work for any provider, including those listed in the Identity Provider, but simply provides no completed fields.

These options can be saved by clicking OK.

Now the Matillion ETL client's connection with the Identity Provider is configured, the users that will be logging in through Open ID must be added to the instance. For this, Matillion ETL must simply recognise the user's identity. Thus, the user's identity (as recognised by the User Attribute) must be added as a new user in the Manage Users tab. This is almost always in the form of an email address.


Inclusion of Open ID does not prevent logins to the instance via the usual method and the passwords assigned to the users inside the client have no bearing on the passwords used for the Open ID login attempt.

Is is strongly advised that you fully restart your Matillion ETL instance after a new OpenID configuration. Logging into the instance will now present an additional login option below the standard login fields. Below, a Google OpenID login is shown.



Detailed instructions on setting up Open ID for the supported providers are given in the below sections.

 

MICROSOFT (Active Directory)


Identity Provider: Microsoft AD (or Generic)
Provider Endpoint URL: https://sts.windows.net/<Microsoft AD Directory ID>/
Client ID: The Client ID of the app registered with Microsoft AD.
Client Secret: The Client Secret of the app registered with Microsoft AD.
User Attribute: unique_name or email
Scope: unique_name or email (Changing this from one to the other may resolve login problems)
Extra Options: N/A


From your Azure dashboard, browse to your properties: Azure directory → Azure Active Directory → Properties, and attain your Directory ID.



This becomes the suffix to the Provider Endpoint URL in Matillion ETL following the format (remember to keep the forward slash at the end):
 
https://sts.windows.net/<suffix>/

To find your Client  ID, browse to Registered Apps via Azure directory → Azure Active Directory → App Registrations

If you have no Apps, you can create one by clicking New Application Registration.



New apps must be Web apps (not native). Use your instance address as homepage (port number may not be necessary).

Alternatively, you can click on View all applications and select a preexisting App if one is available. Regardless, once you select an App you can find its details.



The Application ID from this page should be used as the Client ID in your OpenID config on Matillion ETL.

Next we will find the Secret Key by navigating to Setting → Keys on the Microsoft Azure AD portal.



Make new Password and save it. Take the 'value' as your Client Secret



Setting → Reply URLs

Enter your instance id with the j_security_check suffix e.g.

http://12.34.5.67:38300/j_security_check



 

Okta


Identity Provider: Okta (or Generic)
Provider Endpoint URL: Okta domain
Client ID: The Client ID of the web app registered with Okta.
Client Secret: The Client Secret of the web app registered Okta.
User Attribute: email
Scope: email
Extra Options: N/A

From the Okta developer dashboard browse through to:

Applications → Add Application

Select Web as the app type and click Next. You will be taken to the Application Settings page.



Set up your application by giving it a Name. The Base URI doesn't matter but the Login redirect URIs must be your instance address followed by /j_security_check. For example:
 
https://12.34.5.67:74552/j_security_check

Where 12.34.5.67 is an example IP address or URL that you use to access your Matillion ETL client and :74552 is an example port number which may not be required if it is not required to access your instance.

Below this, click Done and allow the page to redirect to the completed app. At the bottom of the page you should find the App's Client ID and Client Secret that can be entered into the Matillion ETL client's OAuth configuration.



Next, you will need your provider endpoint URI which takes the form of your Okta domain. For example,
 
https://subdomain.ca.okta.com

Copy this into the Provider Endpoint URL in the Matillion ETL client's Open ID configuration.

Ensure that any users that will be using this App for the OpenID login are assigned to the App. This can be done by selecting the App and then choosing Assign To People from the Assign dropdown menu.



Finally, be sure to add a User via Manage Users to your Matillion ETL instance that has the same name (likely an email address) as your Okta login.

 

Google


Identity Provider: Google (or Generic)
Provider Endpoint URL: https://sts.windows.net/<Microsoft AD Directory ID>/
Client ID: The Client ID of the app registered with Microsoft AD.
Client Secret: The Client Secret of the app registered with Microsoft AD.
User Attribute: email
Scope: email
Extra Options: N/A


To begin, browse to your Credentials  page via the main menu on your GCP console:

Main Menu → APIs & Services → Credentials 


Click Create Credentials and select OAuth client ID from the dropdown menu.


Selecting OAuth client ID will bring up a new page segment allowing you to configure the app. Ensure that Web Application is selected and give your app a name.

The Authorised redirect URIs must be the URL (not IP) of your Matillion ETL instance and must be a secured (HTTPS) address. The instance address must be appended by /j_security_check.
An example of this is shown below.

When completed, click Create.



As the App is created, its Client ID and Client Secret are displayed. Copy these and enter them into their respective fields in the Matillion ETL OpenID config menu.


Below we show an example of a completed Google OpenID config in Matillion ETL.