Configuring an externally managed JWT

This recommended method allows you to manage the generation and retrieval of access tokens. Once you have an access token, you can then call the API by including it as an authorization bearer token in the request header. Data Quality & Observability Classic processes and validates this token and maps the user roles to grant users access to the application.

Image of SSO for API Usage page

Steps

  • Standalone
  • Kubernetes

  1. Sign in to Data Quality & Observability Classic and click Cogwheel icon in the left navigation pane.

  2. Click Admin Console.
  3. Click Configuration Settings, then click Application Config.
    4. The Application Configuration Settings page opens.
  4. Set the SSO_API setting to TRUE.
  5. From the Admin Console treeview menu, click User Management, then API for SSO Usage.
    6. The SSO for API Usage page opens.
  6. Select the Allow External Tokens option to enable the acceptance of externally managed JSON Web Tokens (JWT).
  7. Set the following properties in the owl-env.sh script:
    8. Property Description
    export SECURITY_JWT_ALLOW_EXTERNAL=true Enables this globally in Data Quality & Observability Classic, but still requires each tenant to enable this in the Allow External Tokens option from the SSO for API Usage from the User Management section of the Admin Console menu.
    export SECURITY_JWT_EXTERNAL_ROLE_CLAIM_ATTRIBUTE=<claim attribute> Maps to a property in the JWT that holds an array of ROLES that Data Quality & Observability Classic uses to map users to roles.
    export SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY=<username>

    Maps to a property in the JWT that Data Quality & Observability Classic displays as the username.
    export SECURITY_JWT_TENANT_PROPERTY=<tenant>

    Required in multi-tenant environments. This property is included in the JWT claims to identify the Data Quality & Observability Classic tenant that users are logging into.
    export SECURITY_JWT_TOKEN_ISSUER=<iss>

    The issuer of the JWT that is included in the process to validate the token.
    export SECURITY_JWT_TOKEN_JWKPROVIDERURL=<cert endpoint exposed by the IdP>

    An endpoint of the IdP where the certificates can be retrieved. This property is used to validate the token.

    You can retrieve the cert endpoint by accessing the oidc/.well-known/openid-configuration endpoint to return the jwks_uri in the response. For example, when you access https://{{subdomain}}.onelogin.com/oidc/2/.well-known/openid-configuration, the response shows the jwks_uri as "jwks_uri": "https://{{subdomain}}.onelogin.com/oidc/2/certs". In this case, the cert endpoint is https://{{subdomain}}.onelogin.com/oidc/2/certs.

  8. Restart the Data Quality & Observability Classic web application.

Example of the JSON payload of a JWT

The following is an example of the decoded JSON payload of a JWT:

Copy 
{
  "sub": "123456789",
  "preferred_username": "example.user",
  "name": "Example User",
  "updated_at": 1234567890,
  "given_name": "Example",
  "family_name": "User",
  "groups": [
    "CollibraAdmin"
  ],
   "tenant": "public",
   "post_logout_redirect_uri": "http://localhost:9000/logout",
   "accountName": "example.user"
  },
  "aud": "012345a6-abc1-012a-0ab1-01a23b45cd6789012",
  "exp": 1234567890,
  "iat": 1234567890,
  "iss": "https://<subdomain>.onelogin.com/oidc/2"
}

In this example, the values used in the owl-env.sh correspond to the JSON payload properties as follows:

owl-env.sh property Value
SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY example.user
SECURITY_JWT_TENANT_PROPERTY tenant
SECURITY_JWT_TOKEN_ISSUER https://<subdomain>.onelogin.com/oidc/2

  1. Sign in to Data Quality & Observability Classic and click Cogwheel icon in the left navigation pane.

  2. Click Admin Console.
  3. Click Configuration Settings, then click Application Config.
    4. The Application Configuration Settings page opens.
  4. Set the SSO_API setting to TRUE.
  5. From the Admin Console treeview menu, click User Management, then API for SSO Usage.
    6. The SSO for API Usage page opens.
  6. Select the Allow External Tokens option to enable the acceptance of externally managed JSON Web Tokens (JWT).
  7. Set the following properties in the values.yaml file:
    8. Copy 
     security:
       externalJwt:
         enabled: false
         externalRoleClaim: "groups"
         externalUserNamePropName: "accountName"
         externalTenantPropName: "tenant"
         externalTokenIssuer: ""
         externalTokenJwkProviderURL: ""

  8. Restart the Data Quality & Observability Classic web pod.

Example of a JSON payload of a JWT

The following is an example of the JSON payload of a JWT:

Copy 
{
  "sub": "123456789",
  "preferred_username": "example.user",
  "name": "Example User",
  "updated_at": 1234567890,
  "given_name": "Example",
  "family_name": "User",
  "groups": [
    "CollibraAdmin"
  ],
   "tenant": "public",
   "post_logout_redirect_uri": "http://localhost:9000/logout",
   "accountName": "example.user"
  },
  "aud": "012345a6-abc1-012a-0ab1-01a23b45cd6789012",
  "exp": 1234567890,
  "iat": 1234567890,
  "iss": "https://<subdomain>.onelogin.com/oidc/2"
}

In this example, the values used in the Web ConfigMap correspond to the JSON payload properties as follows:

Web ConfigMap property Value
SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY example.user
SECURITY_JWT_TENANT_PROPERTY tenant
SECURITY_JWT_TOKEN_ISSUER https://<subdomain>.onelogin.com/oidc/2