You can integrate Collibra Data Quality & Observability with an existing SAML solution and have your application act as a service provider. Once you set up the environment variables, you can access and configure SAML security settings as an administrator in the SAML Setup section of the Admin Console.
Set the SAML authentication properties
Before configuring SAML authentication, you must add the following required properties to your configuration.
Standalone installation
- Add the properties as environment variables to your owl-env.sh file located in <installation_directory>/owl/config/.
- Prefix all properties with the
exportstatement. - Restart the DQ Web app.
Cloud native installation
- Add the properties as environment variables to your owl-web ConfigMap.
- Recycle the pod.
Required properties
| Property | Description |
|---|---|
| SAML_ENABLED |
Whether Collibra DQ uses SAML. If set to If set to |
| SAML_ENTITY_ID |
The name of the application for the identity provider, for example Collibra DQ. It is an immutable unique identifier of the service provider for the identity provider (IDP). |
Warning See CORS_ALLOWED_ORIGINS in the Optional properties section below if you have SAML configured in DQ, or if the app sits behind a load balancer.
Optional properties: general
You can further configure your SAML setup with the following optional properties.
| Property | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CORS_ALLOWED_ORIGINS | Allows cross-origin requests between Collibra DQ and SAML. Replace ${IDP-BASE-URL} with the value of the actual IdP URL. For example, https://ping.auth.com/.Replace ${DQ-BASE-URL} with the value of the actual DQ Base URL. For example, https://dq-env.com. |
||||||||||||
| SAML_ENTITY_BASEURL |
The base URL that is provided in the service provider metadata. Set this property when you use DNS. |
||||||||||||
| SAML_LB_EXISTS |
Whether the application needs to configure a load balancer. You generally need this setting only when the Load Balancer is set for SSL Termination. The default value is If set to |
||||||||||||
| SAML_METADATA_USE_URL |
Whether Collibra DQ uses a URL or a file for the identity provider metadata. The default value is If set to |
||||||||||||
| SAML_ROLES_PROP_NAME |
The attribute in which the identity provider stores the role of the user authenticating in the SAML response. The default value is |
||||||||||||
| SAML_GRANT_ALL_PUBLIC |
Whether any user authenticated by the identity provider is allowed to login the Collibra DQ application. The default value is |
||||||||||||
| SAML_USER_NAME_PROP | The name of the attribute in the SAML response that contains the username of the user who is authenticating. | ||||||||||||
| SAML_TENANT_PROP_NAME |
If using multi-tenant mode, the variable in which the identity provider stores the tenant name of the user authenticating in the SAML response. The app will attempt to use the |
||||||||||||
| SAML_KEYSTORE_FILE |
The path to the keystore for SSL validation. The store should contain the keypair of the identity provider for SSL verification. |
||||||||||||
| SAML_KEYSTORE_PASS | The password for the keystore provided in SAML_KEYSTORE_FILE. |
||||||||||||
| SAML_KEYSTORE_ALIAS | The alias of the keypair (private and public) in the keystore used for SSL verification. | ||||||||||||
| LOCAL_REGISTRATION_ENABLED |
An optional property which allows you to display or hide the registration link for local users on the Collibra DQ sign-in page. Because the registration link is displayed on the sign-in page by default, this property is set to true.
To display or hide the registration link from a K8s ConfigMap, select the from the following properties:
Note This property must be set globally on deployment. |
Note While CORS is still an optional configuration, it is required if you have SAML configured in Collibra DQ, or if you have Collibra DQ behind a load balancer.
CORS is also enforced for multi-tenancy.
Optional Properties: Metadata
When SAML_METADATA_USE_URL is set to true (default), the following additional properties are available.
| Property | Description |
|---|---|
| SAML_METADATA_TRUST_CHECK |
Whether to enable Collibra DQ to do trust verification of the identity provider. The default value is |
| SAML_METADATA_REQUIRE_SIGNATURE |
Whether Collibra DQ signs authentication requests to the identity provider. The default value is |
| SAML_INCLUDE_DISCOVERY_EXTENSION |
Whether to enable Collibra DQ to indicate in the SAML metadata that it’s able to consume responses from an IDP Discovery Service. The default value is |
Optional Properties: Load Balancer
When SAML_LB_EXISTS is set to true, the following additional properties are available.
| Property | Description |
|---|---|
| SAML_LB_INCLUDE_PORT_IN_REQUEST |
Whether to include the port number in the request. The default value is |
| SAML_LB_PORT |
The port number of the load balancer. The default value is |
| SAML_LB_SCHEME |
The protocol of the load balancer. The default value is |
| SAML_LB_SERVER_NAME |
The server or DNS name. Usually, the same as SAML_ENTITY_BASEURL without specifying the protocol, for example without https://. This property is required and has no default. |
| SAML_LB_CONTEXT_PATH | Any path that may be defined on the load balancer. |
Example
#enable SAML & show the SAML SSO option on the login page
SAML_ENABLED=true
#set SSL communication properties for SAML
SAML_KEYSTORE_FILE=/keystore.p12
SAML_KEYSTORE_PASS=****
SAML_KEYSTORE_ALIAS=****
#in multi-tenant mode set the name of the IDP variable to hold the tenat name
SAML_TENANT_PROP_NAME=tenant
#set the name of the IDP variable to hold the user roles in the response
SAML_ROLES_PROP_NAME=memberOf
#allow login if authenticated to the IDP
SAML_GRANT_ALL_PUBLIC=true
#set the EntityId of the application to be supplied to the IDP
SAML_ENTITY_ID=OwlOneLogin
#optinally set a property that contains the username in the response
SAML_USER_NAME_PROP=""
#optionally use a file for the IDP metadata vs a URL (default is true)
SAML_METADATA_USE_URL=false
#optional security settings to
SAML_METADATA_TRUST_CHECK=false
SAML_METADATA_REQUIRE_SIGNATURE=false
SAML_INCLUDE_DISCOVERY_EXTENSION=falseDownload service provider metadata for the IdP
Once you have enabled and configured SAML authentication, you can download the service provider metadata that is required by your identity provider from https://<your_dq_environment_url>/saml/metadata.
Enable the SAML SSO sign in option
When you are ready with your IdP settings, add the final configuration settings in the Admin Console:
- Sign in as an existing administrator with a username and password to the tenant you want to configure.
- Select SAML Setup from the Admin Console.
- Select the SAML Enabled checkbox in the Connection tab.
- Select +Add in the Meta Data Configurations section.
- Enter the required information.
| Option | Description |
|---|---|
| Meta-Data URL | The URL of the identity provider metadata XML file or the location of the downloaded XML file, depending on how you configured the SAML_METADATA_USE_URL property. |
| Meta-Data Label | The name for this specific configuration. |
| IDP URL | The URL of the Collibra DQ application that is provisioned by the identity provider. |
-
Click Save.
Once you complete this setup, you can restart your application and sign in using the SAML SSO option.
Note SAML SSO authentication via the /v3/auth/signin API is not supported.
Note In single-tenant mode, Collibra DQ supports both SP-initiated and IdP-initiated authentication. However, in multi-tenant mode, only IdP-initiated authentication is supported due to a limitation in sharing tenant information with the IdP through the SAML request.