OpenID Setup

Overview

This guide explains how to set up an OpenID login on Matillion ETL using generic identity provider credentials through the User Configuration dialog. This guide includes setting up internal security in the User Configuration dialog, managing users, and logging in with the OpenID credentials.

Prerequisites

• Before an OpenID can be configured, credentials will need to be acquired from a third-party identity provider.
• Only credentials from a single provider can be used per instance.
• Matillion ETL users must be created with the same login name as any expected OpenID login. These login IDs are case-sensitive.
• Valid OpenID setups may fail if the Matillion ETL instance is behind a load balancer (usually due to the incorrect detection of scheme and port). It is recommended a [listener()]https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html) is set up on the ELB for port 443 instead of 80 to remedy the issue.
• If you are using Auth0 for authentication, please use a / character at the end of the Provider Endpoint URL.
• OpenID is supported by single instances and clustered instances.

Multi-factor Authentication (MFA)

Matillion ETL's Open ID Connect Login tab, explained in greater detail later in this guide, enables users to configure Multi-factor Authentication (MFA) for their Matillion ETL instance.

Access your Matillion ETL instance, and click Admin. Click User Configuration. This dialog will open in the Manage Users tab. Switch to the Open ID Connect Login tab, then use the dropdown menu to choose an identity provider, and select from the available providers:

• None
• Google
• Microsoft AD
• Okta
• Azure Active Directory
• Generic (any OpenID source).

Once you have selected the identity provider, the Provider Endpoint URL, Client ID, and Client Secret must be configured for the MFA to work.

Additional guides detailing the setup of each provider can be found here:

• Google OpenID Setup
• Microsoft AD OpenID Setup
• Okta OpenID Setup
• OneLogin OpenID Setup

Setting up internal security

1. In Matillion ETL, click Admin** → User Configuration.
2. In the User Configuration dialog, click the Select Security Configuration dropdown menu and select Internal.
3. Click OpenID Connect Login to open the OpenID configuration dialog. Then, provide details for the following fields:

• Identity Provider: select Generic from the dropdown menu (no fields will be auto-completed).
• Provider Endpoint URL: provide the endpoint URL from the selected provider.
• Client ID: enter the client ID from the selected provider.
• Client Secret: enter the client secret linked to the above client ID.
• User Attribute: enter an attribute to identify users. "ID Token" is set as default.
• Scope: list scopes for which access will be requested. "email" is set as default.
• Extra Options: list any additional connection options. These options should be listed as key:value pairs. Click OK to finish.

Managing users and logging in with OpenID credentials

1. Once the OpenID has been configured, a dialog window will appear, prompting the Matillion ETL instance to be fully restarted (required before the changes will take effect). Thereafter, the Matillion ETL login screen will include Login with OpenID Connect below the standard login form. However, the OpenID users still need to be added to the user list before this can be used.

2. In the User Configuration dialog, click Manage Users, then click +
3. This will open the Add User dialog. Provide details for the following fields:

• Username: enter the User Attribute chosen to identify the user.
• Password: provide an appropriate password to be linked to the user.
• Repeat Password: re-enter the password as above.
• Role: select the access level of the user (also see this article for details), then click OK.

4. On returning to the Manage Users tab, click Apply changes at the bottom of the window to confirm the addition of the new user. The OpenID can now be used to log in into the Matillion ETL instance.