Using Collibra DQ as a proxy to the IdP

Important While this method is supported, we recommend using the externally managed JWTs method instead.

With this method, Collibra Data Quality & Observability calls the IdP to retrieve the access_token itself. It exposes an /oath/signin endpoint that accepts username, password and iss (the tenant name) parameters. Collibra Data Quality & Observability forwards these inputs to the IdP's token endpoint to obtain an access_token, extracts the information it needs from that token (such as the role claims), and then issues its own token for the caller.

Image of SSO for API Usage page

Steps

  1. Sign in to Collibra Data Quality & Observability and click the Cogwheel icon in the left navigation pane.
  2. Click Admin Console.
  3. Click Configuration Settings, then Application Config. The Application Configuration Settings page opens.
  4. Set the SSO_API setting to TRUE.
  5. From the Admin Console tree view, click User Management, then API for SSO Usage. The SSO for API Usage page opens.
  6. Select the Enable DQ Proxy to IdP option.
  7. Enter the required information:

    Enable DQ proxy to IdP
      Enables SSO for APIs.

    IdP Token URL
      The token endpoint URL of the identity provider (IdP).
      Example: https://<your_domain>/oidc/2/token

    Grant Type
      The OAuth 2.0 grant type used to authenticate to the IdP.
      Note: The only option currently available is Password, the resource owner password credentials grant. With this grant the user's IdP password passes through Collibra Data Quality & Observability on its way to the IdP, and the OAuth 2.0 Security Best Current Practice (RFC 9700) says this grant must not be used; this is one reason the externally managed JWTs method is preferred.

    Parameters
      Static query parameters that are appended to the call to the IdP. Which parameters are needed is specific to the IdP implementation; they are typically the ones that appear in the IdP's own token endpoint URL, such as the client_id.
      Example: client_id=012345a6-abc1-012a-0ab1-01a23b45cd6789012

    Role Claim Attribute
      Comma-separated list of claim names in the access_token whose values are mapped to Collibra Data Quality & Observability roles and user groups.
      Example: params,Groups

    Scope
      Optional. Space-separated OAuth or OIDC scopes that control which claims the IdP includes in the returned access_token. Request a scope that makes the IdP include the claims named in Role Claim Attribute.
      Example: openid groups params profile

  8. Click Save.

Available global configurations

Set these in owl-env.sh (export NAME=<value>) or in the Web ConfigMap (NAME: <value>). The properties and their defaults are the same in both places.

  SECURITY_OAUTH_USECLIENTAUTHORIZATIONHEADER
    The useClientAuthorizationHeader IdP value. When set to TRUE, Collibra Data Quality & Observability uses the clientID and clientSecret to build an Authorization header for the token request to the IdP, so the client credentials are sent in the header rather than in the request body. Default: FALSE.

  SECURITY_OAUTH_CLIENTID
    The clientID IdP value, used to build the Authorization header when useClientAuthorizationHeader is enabled. Default: N/A.

  SECURITY_OAUTH_CLIENTSECRET
    The clientSecret IdP value, used to build the Authorization header when useClientAuthorizationHeader is enabled. Treat it as a secret: keep it out of shell history and version control, and prefer a Secret reference over a plain ConfigMap value where your deployment supports it. Default: N/A.

  SECURITY_OAUTH_FALLBACK_ROLES_IDTOKEN
    When set to TRUE and the roles cannot be read from the access_token (for example because it is opaque or carries no role claim), Collibra Data Quality & Observability reads the roles from the id_token instead. Default: FALSE.
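The proxy flow described on this page, modelled end to end as an added example. This is illustration code written for this page, not Collibra's implementation: the function names, the fake IdP, the sample tokens and the EXAMPLE_CONFIG values are constructed here, and two details are assumptions rather than documented behaviour (that the client Authorization header takes the HTTP Basic form, and that Parameters are appended to the token URL's query string). It shows which request the proxy builds from the SSO for API Usage fields and the SECURITY_OAUTH_* settings, and how Role Claim Attribute and the id_token fallback determine the roles that end up in the token Collibra DQ issues:

```python
"""Model of the Collibra DQ "proxy to IdP" sign-in flow (added illustration, not Collibra
code; all function names, the fake IdP and the sample tokens are constructed here)."""
import base64
import json
from urllib.parse import parse_qsl, urlencode

def build_token_request(idp_token_url, username, password, parameters="", scope="",
                        use_client_auth_header=False, client_id=None, client_secret=None):
    """Return (url, headers, body) for the password-grant call DQ makes to the IdP."""
    url = idp_token_url
    if parameters:  # "Parameters": static query parameters appended to the IdP call (assumed: URL)
        url += ("&" if "?" in url else "?") + parameters
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:  # "Scope": space-separated OAuth/OIDC scopes
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_client_auth_header:  # SECURITY_OAUTH_USECLIENTAUTHORIZATIONHEADER=TRUE
        if not (client_id and client_secret):
            raise ValueError("SECURITY_OAUTH_CLIENTID and SECURITY_OAUTH_CLIENTSECRET are required")
        # Assumed form: HTTP Basic client authentication (RFC 6749 section 2.3.1).
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return url, headers, urlencode(form)

def decode_jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature. Defensible only because the
    token is read straight from the IdP token response over TLS. None if opaque or malformed."""
    try:
        payload = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (AttributeError, IndexError, ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None

def extract_roles(access_token, role_claim_attributes, id_token=None, fallback_to_id_token=False):
    """Collect the values of the claims named in Role Claim Attribute (e.g. "params,Groups") from
    the access_token; if none found and SECURITY_OAUTH_FALLBACK_ROLES_IDTOKEN is TRUE, try id_token."""
    attrs = [a.strip() for a in role_claim_attributes.split(",") if a.strip()]

    def roles_from(token):
        claims = decode_jwt_claims(token) or {}
        roles = []
        for attr in attrs:
            value = claims.get(attr)
            if isinstance(value, str):
                value = [value]
            if isinstance(value, list):
                roles.extend(str(v) for v in value)
        return roles

    roles = roles_from(access_token)
    if not roles and fallback_to_id_token and id_token:
        roles = roles_from(id_token)
    return roles

def dq_signin(username, password, iss, config, post):
    """Model of the /oath/signin endpoint: call the IdP through post(url, headers, body), which
    returns the parsed token response, then derive the roles for the token DQ issues."""
    url, headers, body = build_token_request(
        config["IdP Token URL"], username, password, config.get("Parameters", ""),
        config.get("Scope", ""), config.get("SECURITY_OAUTH_USECLIENTAUTHORIZATIONHEADER", False),
        config.get("SECURITY_OAUTH_CLIENTID"), config.get("SECURITY_OAUTH_CLIENTSECRET"))
    response = post(url, headers, body)
    if "access_token" not in response:
        raise PermissionError(response.get("error", "IdP rejected the sign-in"))
    roles = extract_roles(response["access_token"], config["Role Claim Attribute"],
                          response.get("id_token"), config.get("SECURITY_OAUTH_FALLBACK_ROLES_IDTOKEN", False))
    return {"user": username, "tenant": iss, "roles": roles}

def make_unsigned_jwt(claims):  # constructed, UNSIGNED (alg=none) demo token; never accept these
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

SAMPLE_ACCESS_TOKEN = make_unsigned_jwt({"sub": "ada", "Groups": ["dq-admin", "dq-viewer"]})
SAMPLE_ID_TOKEN = make_unsigned_jwt({"sub": "ada", "params": ["dq-analyst"]})
EXAMPLE_CONFIG = {  # field-table example values plus the global settings (constructed)
    "IdP Token URL": "https://idp.example.com/oidc/2/token",
    "Parameters": "client_id=012345a6-abc1-012a-0ab1-01a23b45cd6789012",
    "Role Claim Attribute": "params,Groups", "Scope": "openid groups params profile",
    "SECURITY_OAUTH_USECLIENTAUTHORIZATIONHEADER": True, "SECURITY_OAUTH_FALLBACK_ROLES_IDTOKEN": True,
    "SECURITY_OAUTH_CLIENTID": "012345a6-abc1-012a-0ab1-01a23b45cd6789012",
    "SECURITY_OAUTH_CLIENTSECRET": "example-secret",
}

def fake_idp_post(url, headers, body):  # constructed stand-in for the IdP token endpoint
    form = dict(parse_qsl(body))
    if not headers.get("Authorization", "").startswith("Basic "):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "password" or form.get("password") != "correct horse":
        return {"error": "invalid_grant"}
    return {"token_type": "Bearer", "access_token": SAMPLE_ACCESS_TOKEN, "id_token": SAMPLE_ID_TOKEN}

if __name__ == "__main__":
    print(dq_signin("ada", "correct horse", "tenant1", EXAMPLE_CONFIG, fake_idp_post))
```

Running it prints the sign-in result for the sample user with the roles taken from the Groups claim; swapping the access_token for an opaque string exercises the id_token fallback. The decode step deliberately skips signature verification, which is only acceptable for a token read directly from the IdP's token response over TLS; any code path that accepts a JWT from a caller must verify it first.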