Collibra Console configuration

Note

Settings that are indicated with an asterisk (*) are mandatory settings.
To edit the Console configuration, you need the ADMIN role, except for settings or sections marked with (**), which require the SUPER role. As the SUPER role does not exist for cloud environments, settings that require the SUPER role are not available in Collibra Data Intelligence Platform environments. If you want to edit one of these settings, please create a support ticket.

1 Configuration

Setting	Description
Base URL* (**)	The base URL to access Collibra Console.
Startup timeout for Jobserver	The duration in milliseconds before the Jobserver service startup is considered as a failure. The default value is 300,000 milliseconds or 5 minutes.
Startup timeout for the Repository	The duration in milliseconds before the Repository service startup is considered as a failure. The default value is 300,000 milliseconds or 5 minutes.
X-Frame options	The option to specify the content of the HTTP-header X-Frame-Options. It is set on all the rendered pages and should be used to avoid a click-jacking attack. By default, we specify that only pages from the same origin can use the rendered pages in a frame. Note Changing this options requires a reboot of the server.

1.1 Email configuration (**)

The configuration of email notifications. More information: Configure Collibra Console email settings.

Setting	Description
Username	The username used to sign in to the SMTP server.
Password	The password used to sign in to the SMTP server. A password is not required.
From address (*)	The email address used as the sender of all outgoing emails. See Email configuration for Collibra Data Intelligence Platform and Collibra Console to update this setting in cloud environments.
Host (*)	The URL or IP address of the SMTP server.
Port (*)	The port used to access the SMTP server. The default port is 25.
Start TLS	True: The insecure connections to the SMTP server will be upgraded to a secure connection using SSL or TLS. False: The connection to the SMTP server does not use SSL or TLS.

1.2 LDAP configuration

The configuration of LDAP to handle the authentication. For a tutorial about the LDAP configuration of Collibra Console, see Collibra Support Portal.

Setting

Description

Enable LDAP integration (*)

Global setting to enable or disable LDAP integration.

Enable LDAP SUPER users (**)

Allow LDAP users to have the Collibra Console SUPER role. The default value is false, any LDAP users with SUPER role will have same access rights as ADMIN role users.

Time limit (*)

Maximum time in milliseconds for LDAP search operations.

The default value is 120,000 milliseconds or two minutes.

Set it to 0 if you do not want a time limit.

Servers

This section configures one or more LDAP servers.

LDAP server URL

When using SSL, use the LDAP's protocol and use the correct port.

The SSL section in the configuration should also be configured for this.

Bind DN

The main LDAP Domain Name (DN) to be able to connect to the LDAP server. This DN should be able to access all the users and groups that you want to sync.

Bind password

The password for the main LDAP DN to connect to the LDAP server.

Base DN

General base path to which all DNs are relative. As a general rule, this should stay empty for most configurations.

User base

The base DN where the users are located. Subtree search is used, so all DNs located below the base are searched for matching users.

LDAP user authentication filter

User filter to which users authenticating in Collibra Data Intelligence Platform should comply.

LDAP user synchronization filter

User filter to which users imported by the synchronization job should comply. This should be a subset of or equal to the Authentication user LDAP filter. When empty, the same filter will be used. as specified in the Authentication user LDAP filter.

Authentication type

LDAP authentication mechanism; must be one of the following:

none: No authentication is performed.
simple: Simple authentication is performed, using the Bind DN and Bind password as credentials. The credentials are sent as plain text.
DIGEST-MD5: Simple authentication is performed using the Bind DN and Bind password as credentials. The Bind password is hashed with the MD5 algorithm.
TLS-SIMPLE: A temporary secured TLS connection is set up before the credentials are sent as plain text. SSL must be configured.
TLS-EXTERNAL: A temporary secured TLS connection with external SASL authentication using a client certificate. SSL must be configured.

Note When using TLS, dont forget to configure the SSL security section.

Shutdown gracefully

In case of TLS usage, if set to true, Collibra Console tries to shutdown all TLS connections.

Referral setting

Specifies how referrals should be handled; must be one of:

throw
ignore
follow

Group base DN

The base DN where all groups are located.

Membership attribute

The attribute to define that users are member of a group, for example uniqueMember. This field is mandatory when mapping LDAP groups to roles.

Group LDAP filter

The LDAP filter to which each group should comply to be synced.

Map the DN of an LDAP group to a role

The mapping of the LDAP users that are members of the group with a specified DN to a role.

User field mapping

Configuration mapping of all the user fields. Here you can configure to what LDAP field a given user field should be mapped. Leave empty if it should not be considered in the synchronization.

User Name *

Username mapping is mandatory for LDAP to be enabled.

Role*

Role mapping is mandatory for LDAP to be enabled. This is the LDAP directory field that defines which console role the user should have. If you do not intend on using this configuration mapping use the default mapping of role.

Email *

Email mapping is mandatory for LDAP to be enabled.

Default role

The default role for LDAP users. The default role is READ.

Only a Collibra Console SUPER user can grant the SUPER role to an LDAP user.

1.3 UI configuration (**)

The configuration of user interface features.

Setting	Description
Optimize CSS This setting requires the SUPER role.	True (default): The CSS files are optimized to improve performance of the user interface. False: The CSS files are not optimized.
Optimize JavaScript This setting requires the SUPER role.	True (default): The JavaScript code is optimized to improve the performance of the user interface. False: The JavaScript code is not optimized
Concatenate JavaScript This setting requires the SUPER role.	True (default) False
Velocity cache This setting requires the SUPER role.	True: The velocity cache is enabled. False: The velocity cache is disabled. This allows you to reload velocity templates without restarting Collibra.
Modules JSON overrides This setting requires the SUPER role.	DISCLAIMER: If you choose to customize any aspects of Collibra, including CSS or other modules/page-definition customizations, these must be thoroughly tested between upgrades. Customizations are unsupported and can break between upgrades. We recommend your organization and the responsible parties maintain a list of customizations applied to Collibra and use that as a checklist for validating upgrades in a test or lower environment. If changes are needed to customizations, make appropriate preparation and testing plan to promote to your production instance.
Modules properties overrides This setting requires the SUPER role.	DISCLAIMER: If you choose to customize any aspects of Collibra, including CSS or other modules/page-definition customizations, these must be thoroughly tested between upgrades. Customizations are unsupported and can break between upgrades. We recommend your organization and the responsible parties maintain a list of customizations applied to Collibra and use that as a checklist for validating upgrades in a test or lower environment. If changes are needed to customizations, make appropriate preparation and testing plan to promote to your production instance.
Page definition overrides This setting requires the SUPER role.	DISCLAIMER: If you choose to customize any aspects of Collibra, including CSS or other modules/page-definition customizations, these must be thoroughly tested between upgrades. Customizations are unsupported and can break between upgrades. We recommend your organization and the responsible parties maintain a list of customizations applied to Collibra and use that as a checklist for validating upgrades in a test or lower environment. If changes are needed to customizations, make appropriate preparation and testing plan to promote to your production instance .

1.4 Backup configuration

Setting	Description
Backup process timeout (*)	The duration in milliseconds before the creation of a backup is considered as a failure. The default value is 43,200,000 milliseconds or 12 hours. During an upgrade, this value is also taken into account.
Backup cleanup interval (Requires restart) (**)	Interval in minutes for the cleanup of backups. The default value is 720 minutes.

Setting

Description

Backup process timeout (*)

The duration in milliseconds before the creation of a backup is considered as a failure.

The default value is 43,200,000 milliseconds or 12 hours.

During an upgrade, this value is also taken into account.

Backup cleanup interval (Requires restart) (**)

Interval in minutes for the cleanup of backups.

The default value is 720 minutes.

1.4.1 Backup schedule configuration

Setting	Description
Default max retained (*)	The default maximum number of retained backups related to a backup schedule. 0 signifies retain all.

1.4.2 Backup retry configuration (**)

Setting	Description
Backup Retry attempts (*)	The number of times an automated retry will be attempted after encountering the initial backup error. The default value is 1.
Backup retry delay (*)	Time in milliseconds between retry attempts. The default value is 5,000 milliseconds.
Backup retry agent check timeout (*)	The maximum amount of time in milliseconds a retry has in order to establish agent communication before the retry will timeout. The default value is 30,000 milliseconds

Setting

Description

Backup Retry attempts (*)

The number of times an automated retry will be attempted after encountering the initial backup error.

The default value is 1.

Backup retry delay (*)

Time in milliseconds between retry attempts.

The default value is 5,000 milliseconds.

Backup retry agent check timeout (*)

The maximum amount of time in milliseconds a retry has in order to establish agent communication before the retry will timeout.

The default value is 30,000 milliseconds

1.5 CSRF configuration

Setting	Description
Enable CSRF protection	If enabled, Collibra Console checks the validity of the request using a CSRF token.

1.6 Session configuration

Setting	Description
Idle Session timeout (Requires restart) (*)	The duration in seconds of idle time before a Collibra Console session times out. The minimum value is 15 minutes, the maximum is 24 hours. The default value is 1,800 seconds or 30 minutes.

Setting

Description

Idle Session timeout (Requires restart) (*)

The duration in seconds of idle time before a Collibra Console session times out. The minimum value is 15 minutes, the maximum is 24 hours.

The default value is 1,800 seconds or 30 minutes.

1.7 Security Configuration (**)

Setting	Description
User locked out interval (Requires restart) (*)	The number of seconds during which a user cannot sign in to Collibra Console after the specified number of incorrect Login attempts.
Login attempts (Requires restart) (*)	The number of times that a user can try to sign in to Collibra Console before being locked out for the time defined in User locked out interval.
Interval for consecutive login attempts (Requires restart) (*)	The number of seconds during which the user has the amount of login attempts specified in the Login attempts field.

1.7.1 SSO

Setting

Description

Mode

The SSO mode of Collibra Console. Collibra Console only supports SAML_ATTRIBUTES.

Disable the Collibra Management console signin page

When SSO is enabled, a user can still navigate to the /signin page and try to log in via that page. However, you can disable that page.

True: Users cannot access the Collibra Console signin page.
False (default): Users can access the Collibra Console signin page

Default role

The default role for all SSO users. The default role is READ.

SSO users with a SUPER role will be downgraded to users with the ADMIN role. Only a Collibra Console SUPER user can enable the SUPER role for SSO users.

Enable SSO SUPER users(**)

True: SSO users can have the SUPER role.
False (default): SSO users with the SUPER role will be downgraded to users with the ADMIN role.

This option is only visible if you have the SUPER role.

SAML

The configuration of SAML.

Metadata HTTP

The URL of the SAML metadata file to be used. The URL always has to be reachable by the Collibra environment.

Entity ID

The entity ID inside the metadata to be referenced.

Note A metadata file can describe multiple entity IDs, make sure to use in the entity ID from the correct metadata file.

Consumer service URL

By default, this URL is the same as the URL of your Collibra environment but if your IDP expects another value, you can fill it out here.

Warning Make sure that the intended destination endpoint (The Destination attribute in the SAML response) matches the URL being used here. So this is only to be used in specific IDP circumstances When setting this, and getting the error "SAML message intended destination endpoint did not match recipient endpoint" check the Destination attribute in your SAML response and this parameter.

Disable client address

True: The validation of the client IP address in the assertion message is disabled.
False (default): The validation of the client IP address in the assertion message is enabled.

Sign authentication requests (Requires restart)

True: Authentication requests have to be signed. Use a Collibra generated self-signed certificate to sign requests. The request that is generated by Collibra Console will be appended with a signature in the redirect URL of the response.
False (default): Authentication request don't have to be signed.

Force authn

True (default): The SP authentication request forces re-authentication.
False: The SP authentication request does not force re-authentication.

Force passive

Configure whether the SP authentication should set the authentication to go passive.

If True, the IDP or browser MUST NOT take visibly control of the user interface. See the SAML 2.0 specification for more details.

This is only relevant if Force authn is True.

Name ID

Configure the nameID used in the SP authentication. If set, the full content will be sent as a nameID. Use a fully qualified nameID.

Default nameID="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". See SAML 2.0 specification for accepted nameID values.

Group to Role mapping

Map groups from the group field to a role in the Collibra Console. The Field key must be a name of a group as defined in your IDP, the Field value is one of the Collibra Console roles (READ, ADMIN, SUPER).

Attribute fields

The mappings of attributes in the SAML response. The values are used as keys to look for in the SAML response.

Username

The mapping for the user's username. The value of this attribute must be the name of the SAML attribute as defined in your IDP.

In the following example, the value in Collibra Console must be email. This is the used name in your IDP software, see the following screenshot.

Okta SAML settings email attribute

This field is mandatory.

Role

The mapping for the user roles. The value of this attribute must be the name of the SAML attribute as defined in your IDP.

In the following example, the value in Collibra Console must be role. This is the used name in your IDP software, see the following screenshot.

Okta SAML configuration role attribute

Group

The mapping to define which attribute holds group information. The value of this attribute must be the name of the SAML attribute as defined in your IDP.

In the following example, the value in Collibra Console must be groups. This is the used name in your IDP software, see the following screenshot.

Okta SAML configuration group attribute

If there is more than one group attribute statement, add them as comma-separated list.

SAML Requested authentication context

Settings for the SAML requested authentication context. The authentication context is the way in which the IDP authenticates the user. By default the authentication context will mandate user/password authentication over HTTPS.

Disable

Disable the SAML requested authentication context. Set to True if you wish to configure the IDP to use specific authentication contexts, without the need to send one in the request.

Comparison type

Specifies the comparison method used to evaluate the requested authentication context. One of: "exact", "minimum", "maximum", "better".

The industry default is "exact", other options are "minimum", "maximum" and "better".

Exact: The authn context in the assertion MUST exactly match the full expected context specified on the SP.
Minimum: The authn context in the assertion MUST be at least as strong as one of the contexts specified on the SP.
Better: The authn context in the assertion MUST be stronger than any of the contexts specified on the SP.
Maximum: The authn context in the assertion MUST be as strong as possible for all of the contexts specified on the SP, without exceeding the strength of at least one context.

For more details, see the SAML 2.0 specification (Section 3.3.2.2.1).

Reference list

All SAML authentication classes to be sent in the SAML authentication request. Use to tune the authentication context on the IDP side. Default="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" (Which means user/password over HTTPS). For more details, see the SAML 2.0 specification (Section 3.3.2.2.1 & Section 2.7.2.2).

Declaration list

All SAML authentication declarative classes to be sent in the SAML authentication request. For details, see the SAML 2.0 specification (Section 3.3.2.2.1 & Section 2.7.2.2).

Signout

The sign-out redirection settings.

Override signout URL

Enable this option to redirect to another page than the default sign-out page. The default page when you sign out is the Collibra Console sign-in page.

Signout redirect URL

The URL to redirect to when you sign out.

1.7.2 HTTP headers

The configuration of the HTTP response headers of Collibra Console.

Field	Description
URL pattern This setting requires the SUPER role.	The pattern of the URLs to which the HTTP response header is applied. This field supports wildcards such as `*`, ``, and `?`. Tip The following pattern matches all URLs: `/**`
HTTP headers This setting requires the SUPER role.	The HTTP response headers in a key-value format. You can add new HTTP response headers by clicking Add at the bottom of the section, and entering the HTTP response header name as the field key and the HTTP response header value as the field value.

Field

Description

URL pattern

This setting requires the SUPER role.

The pattern of the URLs to which the HTTP response header is applied.

This field supports wildcards such as **, *, and ?.

Tip The following pattern matches all URLs: /**

HTTP headers

This setting requires the SUPER role.

The HTTP response headers in a key-value format.

You can add new HTTP response headers by clicking Add at the bottom of the section, and entering the HTTP response header name as the field key and the HTTP response header value as the field value.