Configuring SSO for Tenant Manager

Tenant Manager is a separate DQ application for managing multi-tenant environments. The following steps describe how to enable single sign-on (SSO) for the Tenant Manager. For more information on Tenant Manager, see Using Tenant Manager.

Important The Tenant Manager is considered a new application by the entity provider (Idp). Do not change any existing IdP or SSO configuration settings for the DQ Web application.

Configure the identity provider for the new application

Begin by configuring the IdP for the Tenant Manager application.

  1. Set the Identifier (Entity ID) for the new IdP application as DQTenantManager. Do not change the existing entity ID for the original SSO application.
  2. Set the Reply URL (Assertion Consumer Service URL) for the new IdP application to the following (replacing {host} with your DQ host endpoint):

    3. https://{host}/tenant/saml/sso/tenantmanager

  3. Assign tenant admin users to the IdP application.
  4. Assign tenant admin groups to the IdP application.

Set the SAML authentication properties

Add the following properties to your configuration.

  1. Add the following property to your owl-env.sh file:

    2. export SAML_TENANT_MANAGER_ENABLED=true

  2. Add additional properties as needed (see below). Prefix each property with the export statement.
  3. Restart the DQ Web application.
  1. Add the following property as an environment variable to your DQ-web Configmap:

    2. SAML_TENANT_MANAGER_ENABLED: true

  2. Add additional properties as needed (see below)
  3. Recycle the pod.

Required properties

Property Description
SAML_ENTITY_BASEURL

The base URL that is provided in the service provider metadata. It is used to generate the ACS URL, which is the entity base URL with /saml/sso appended to it. It must include a port number if one is configured on the IdP side.

Once you have enabled and configured SAML authentication, you can download the service provider metadata from https://<your_dq_environment_url>/saml/metadata/SSO.

Important If you use Data Quality & Observability Classic with a Java version older than 17, such as Java 11, download your service provider metadata from https://<your_dq_environment_url>/saml/metadata instead.

Warning  If you have SAML configured in Collibra DQ, or if the app sits behind a load balancer, see the CORS_ALLOWED_ORIGINS property below.

Optional properties: general

Property Description
CORS_ALLOWED_ORIGINS=${IDP-BASE-URL},${DQ-BASE-URL} Allows cross-origin requests between Collibra DQ and SAML.

Replace ${IDP-BASE-URL} with the value of the actual IdP URL. For example, https://ping.auth.com/.

Replace ${DQ-BASE-URL} with the value of the actual DQ Base URL. For example, https://dq-env.com.
SAML_LB_EXISTS

Whether the application needs to configure a load balancer.

You generally need this setting only when the Load Balancer is set for SSL Termination.

The default value is false.

If set to true, you must also provide a value for SAML_LB_SERVER_NAME.

Note If the SAML_LB_EXISTS property is set to true and SAML_LB_INCLUDE_PORT_IN_REQUEST set to false, you may need to update SAML_ENTITY_BASEURL to include the port in the URL. The SAML_ENTITY_BASEURL should match the IdP's ACS URL.
SAML_ROLES_PROP_NAME

The attribute in which the identity provider stores the role of the user authenticating in the SAML response.

The default value is memberOf.
SAML_USER_NAME_PROP The name of the attribute in the SAML response that contains the username of the user who is authenticating.
SAML_KEYSTORE_FILE

The path to the keystore for SSL validation.

The store should contain the keypair of the identity provider for SSL verification.
SAML_KEYSTORE_PASS The password for the keystore provided in SAML_KEYSTORE_FILE.
SAML_KEYSTORE_ALIAS The alias of the keypair (private and public) in the keystore used for SSL verification.
LOCAL_REGISTRATION_ENABLED

Allows you to display or hide the registration link for local users on the Collibra DQ sign-in page. Because the registration link is displayed on the sign-in page by default, this property is set to true.

To display or hide the registration link from the owl-env.sh file, select from the following properties:

Property Description
export LOCAL_REGISTRATION_ENABLED=true Displays the registration link on the sign-in page for local users. This is set to true by default.
export LOCAL_REGISTRATION_ENABLED=false Hides the registration link on the sign-in page for local users.

To display or hide the registration link from a K8s ConfigMap, select the from the following properties:

Property Description
LOCAL_REGISTRATION_ENABLED:"true" Displays the registration link on the sign-in page for local users. This is set to true by default.
LOCAL_REGISTRATION_ENABLED:"false" Hides the registration link on the sign-in page for local users.

Note This property must be set globally on deployment.
CSRF_TOKEN_ENABLED Enables the use of Spring CSRF token implementation.
CSRF_TOKEN_IGNORE_URL_PATTERN Requests URL patterns to be ignored for CSRF token validation.
CSRF_TOKEN_IGNORE_REFERER_PATTERN Requests header referer patterns to be ignored for CSRF token validation.

Note While CORS is still an optional configuration, it is required if you have SAML configured in Collibra DQ, or if you have Collibra DQ behind a load balancer.

CORS is also enforced for multi-tenancy.

Optional properties: load balancer

When SAML_LB_EXISTS is set to true, the following additional properties are available.

Property Description
SAML_LB_INCLUDE_PORT_IN_REQUEST

Whether to include the port number in the request.

The default value is false.
SAML_LB_PORT

The port number of the load balancer.

The default value is 443.
SAML_LB_SCHEME

The protocol of the load balancer.

The default value is https.
SAML_LB_SERVER_NAME

The server or DNS name.

Usually, the same as SAML_ENTITY_BASEURL without specifying the protocol, for example without https://.

This property is required and has no default.
SAML_LB_CONTEXT_PATH Any path that may be defined on the load balancer.

Update settings in Tenant Manager

When you are ready with your IdP settings, add the final configuration settings in the Tenant Manager:

  1. Sign in to Tenant Manager using the Sign in as Tenant Manager link.
  2. Click Cogwheel icon in the left navigation pane.
    3. The SAML Security Settings page opens.
  3. Click the SAML Enabled dropdown menu, then select Enabled.
  4. Under the SAML Enabled dropdown menu, to the far right side of the page, click Plus icon.
    5. The Add Meta Data Configuration dialog box appears.
  5. Enter the required information.
    6. Option Description
    Meta-Data URL

    The URL of the identity provider metadata XML file or the location of the downloaded XML file.

    Important The name of the XML file must begin with the prefix file: and typically uses file:/opt/owl/config/idp-metadata.xml format.
    Meta-Data Label The name for this specific configuration.
    IDP URL The URL of the Collibra DQ application that is provisioned by the identity provider.
    Note The IDP_URL is the IdP Initiated SSO login URL. For Example, in Azure, it would be https://myapps.microsoft.com/signin/<sp-app-id>?tenantId=<sp-tenant-id>. In multi-tenant mode, this URL should contain a RelayState for DQ to set the tenant on completing the SSO. For more information, go to Configuring multi-tenant support through SAML RelayState.
  6. Click Add.
  7. Click the AD Security Settings icon in the left navigation page.
    8. The AD Security Settings page opens.
  8. Click Mappings.
  9. Edit the existing tenant admin group in the IdP and assign it the role ROLE_TENANT_ADMIN.
  10. Restart the DQ Application and test the login.