Configuring an externally managed JWT

This recommended method allows you to manage the generation and retrieval of access tokens. Once you have an access token, you can then call the API by including it as an authorization bearer token in the request header. Collibra Data Quality & Observability processes and validates this token and maps the user roles to grant users access to the application.

Image of SSO for API Usage page

Steps

  • Standalone
  • Kubernetes

  1. Sign in to Collibra Data Quality & Observability and click Cogwheel icon in the left navigation pane.

  2. Click Admin Console.
  3. Click Configuration Settings, then click Application Config.
    4. The Application Configuration Settings page opens.
  4. Set the SSO_API setting to TRUE.
  5. From the Admin Console treeview menu, click User Management, then API for SSO Usage.
    6. The SSO for API Usage page opens.
  6. Select the Allow External Tokens option to enable the acceptance of externally managed JSON Web Tokens (JWT).
  7. Set the following properties in the owl-env.sh script:
    8. Property Description
    export SECURITY_JWT_ALLOW_EXTERNAL=true Enables this globally in Collibra Data Quality & Observability, but still requires each tenant to enable this in the Allow External Tokens option from the SSO for API Usage from the User Management section of the Admin Console menu.
    export SECURITY_JWT_EXTERNAL_ROLE_CLAIM_ATTRIBUTE=<claim attribute> Maps to a property in the JWT that holds an array of ROLES that Collibra Data Quality & Observability uses to map users to roles.
    export SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY=<username>

    Maps to a property in the JWT that Collibra Data Quality & Observability displays as the username.
    export SECURITY_JWT_TENANT_PROPERTY=<tenant>

    Required in multi-tenant environments. This property is included in the JWT claims to identify the Collibra Data Quality & Observability tenant that users are logging into.
    export SECURITY_JWT_TOKEN_ISSUER=<iss>

    The issuer of the JWT that is included in the process to validate the token.
    export SECURITY_JWT_TOKEN_JWKPROVIDERURL=<cert endpoint exposed by the IdP>

    An endpoint of the IdP where the certificates can be retrieved. This property is used to validate the token.

    You can retrieve the cert endpoint by accessing the oidc/.well-known/openid-configuration endpoint to return the jwks_uri in the response. For example, when you access https://{{subdomain}}.onelogin.com/oidc/2/.well-known/openid-configuration, the response shows the jwks_uri as "jwks_uri": "https://{{subdomain}}.onelogin.com/oidc/2/certs". In this case, the cert endpoint is https://{{subdomain}}.onelogin.com/oidc/2/certs.

  8. Restart the Collibra Data Quality & Observability web application.

Example of the JSON payload of a JWT

The following is an example of the decoded JSON payload of a JWT:

Copy 
{
  "sub": "123456789",
  "preferred_username": "example.user",
  "name": "Example User",
  "updated_at": 1234567890,
  "given_name": "Example",
  "family_name": "User",
  "groups": [
    "CollibraAdmin"
  ],
   "tenant": "public",
   "post_logout_redirect_uri": "http://localhost:9000/logout",
   "accountName": "example.user"
  },
  "aud": "012345a6-abc1-012a-0ab1-01a23b45cd6789012",
  "exp": 1234567890,
  "iat": 1234567890,
  "iss": "https://<subdomain>.onelogin.com/oidc/2"
}

In this example, the values used in the owl-env.sh correspond to the JSON payload properties as follows:

owl-env.sh property Value
SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY example.user
SECURITY_JWT_TENANT_PROPERTY tenant
SECURITY_JWT_TOKEN_ISSUER https://<subdomain>.onelogin.com/oidc/2

  1. Sign in to Collibra Data Quality & Observability and click Cogwheel icon in the left navigation pane.

  2. Click Admin Console.
  3. Click Configuration Settings, then click Application Config.
    4. The Application Configuration Settings page opens.
  4. Set the SSO_API setting to TRUE.
  5. From the Admin Console treeview menu, click User Management, then API for SSO Usage.
    6. The SSO for API Usage page opens.
  6. Select the Allow External Tokens option to enable the acceptance of externally managed JSON Web Tokens (JWT).
  7. Set the following properties in the values.yaml file:
    8. Copy 
     security:
       externalJwt:
         enabled: false
         externalRoleClaim: "groups"
         externalUserNamePropName: "accountName"
         externalTenantPropName: "tenant"
         externalTokenIssuer: ""
         externalTokenJwkProviderURL: ""

  8. Restart the Collibra Data Quality & Observability web pod.

Example of a JSON payload of a JWT

The following is an example of the JSON payload of a JWT:

Copy 
{
  "sub": "123456789",
  "preferred_username": "example.user",
  "name": "Example User",
  "updated_at": 1234567890,
  "given_name": "Example",
  "family_name": "User",
  "groups": [
    "CollibraAdmin"
  ],
   "tenant": "public",
   "post_logout_redirect_uri": "http://localhost:9000/logout",
   "accountName": "example.user"
  },
  "aud": "012345a6-abc1-012a-0ab1-01a23b45cd6789012",
  "exp": 1234567890,
  "iat": 1234567890,
  "iss": "https://<subdomain>.onelogin.com/oidc/2"
}

In this example, the values used in the Web ConfigMap correspond to the JSON payload properties as follows:

Web ConfigMap property Value
SECURITY_JWT_EXTERNAL_USERNAME_PROPERTY example.user
SECURITY_JWT_TENANT_PROPERTY tenant
SECURITY_JWT_TOKEN_ISSUER https://<subdomain>.onelogin.com/oidc/2