SAML Authentication

You can integrate Collibra Data Quality & Observability with an existing SAML solution and have your application act as a service provider. Once you set up the environment variables, you can access and configure SAML security settings as an administrator in the SAML Setup section of the Admin Console.

In this topic

Set the SAML authentication properties

Before configuring SAML authentication, you must add the following required properties to your configuration.

Standalone installation

Add the properties as environment variables to your owl-env.sh file located in <installation_directory>/owl/config/.
Prefix all properties with the export statement.
Restart the DQ Web app.

Cloud native installation

Add the properties as environment variables to your owl-web ConfigMap.
Recycle the pod.

Required properties

Property Description

SAML_ENABLED

Property	Description
SAML_ENABLED	Whether Collibra DQ uses SAML. If set to `false`, users sign in with a username and password. If set to `true`, SAML handles the authentication request.
SAML_ENTITY_ID	The name of the application for the identity provider, for example Collibra DQ. It is an immutable unique identifier of the service provider for the Identity Provider (IdP).
SAML_ENTITY_BASEURL	The base URL that is provided in the service provider metadata. Set this property when you use DNS.

Whether Collibra DQ uses SAML.

If set to false, users sign in with a username and password.

If set to true, SAML handles the authentication request.

SAML_ENTITY_ID

The name of the application for the identity provider, for example Collibra DQ.

It is an immutable unique identifier of the service provider for the Identity Provider (IdP).

SAML_ENTITY_BASEURL

The base URL that is provided in the service provider metadata.

Set this property when you use DNS.

Warning See CORS_ALLOWED_ORIGINS in the Optional properties section below if you have SAML configured in DQ, or if the app sits behind a load balancer.

Optional properties: general

You can further configure your SAML setup with the following optional properties.

Property Description

CORS_ALLOWED_ORIGINS Allows cross-origin requests between Collibra DQ and SAML.

Replace ${IDP-BASE-URL} with the value of the actual IdP URL. For example, https://ping.auth.com/.

Replace ${DQ-BASE-URL} with the value of the actual DQ Base URL. For example, https://dq-env.com.

SAML_LB_EXISTS

Whether the application needs to configure a load balancer.

You generally need this setting only when the Load Balancer is set for SSL Termination.

The default value is false.

If set to true, you must also provide a value for SAML_LB_SERVER_NAME.

SAML_ROLES_PROP_NAME

The attribute in which the identity provider stores the role of the user authenticating in the SAML response.

The default value is memberOf.

SAML_GRANT_ALL_PUBLIC

Whether any user authenticated by the identity provider is allowed to login the Collibra DQ application.

The default value is true.

SAML_USER_NAME_PROP The name of the attribute in the SAML response that contains the username of the user who is authenticating.

SAML_TENANT_PROP_NAME

If using multi-tenant mode, the variable in which the identity provider stores the tenant name of the user authenticating in the SAML response.

The app will attempt to use the RelayState parameter to identify the tenant and then fall back on this property.

SAML_KEYSTORE_FILE

The path to the keystore for SSL validation.

The store should contain the keypair of the identity provider for SSL verification.

SAML_KEYSTORE_PASS The password for the keystore provided in SAML_KEYSTORE_FILE.

SAML_KEYSTORE_ALIAS The alias of the keypair (private and public) in the keystore used for SSL verification.

LOCAL_REGISTRATION_ENABLED

An optional property which allows you to display or hide the registration link for local users on the Collibra DQ sign-in page. Because the registration link is displayed on the sign-in page by default, this property is set to true.

To display or hide the registration link from the owl-env.sh file, select from the following properties:

Property	Description
export LOCAL_REGISTRATION_ENABLED=true	Displays the registration link on the sign-in page for local users. This is set to `true` by default.
export LOCAL_REGISTRATION_ENABLED=false	Hides the registration link on the sign-in page for local users.

To display or hide the registration link from a K8s ConfigMap, select the from the following properties:

Property	Description
LOCAL_REGISTRATION-ENABLED:"true"	Displays the registration link on the sign-in page for local users. This is set to `true` by default.
LOCAL_REGISTRATION-ENABLED:"false"	Hides the registration link on the sign-in page for local users.

Note This property must be set globally on deployment.

Note While CORS is still an optional configuration, it is required if you have SAML configured in Collibra DQ, or if you have Collibra DQ behind a load balancer.

CORS is also enforced for multi-tenancy.

Download service provider metadata for the IdP

Once you have enabled and configured SAML authentication, you can download the service provider metadata that is required by your identity provider from https://<your_dq_environment_url>/saml/metadata/SSO.

Important If you use Collibra Data Quality & Observability with a Java version older than 17, such as Java 11, download your service provider metadata from https://<your_dq_environment_url>/saml/metadata instead.

Enable the SAML SSO sign in option

When you are ready with your IdP settings, add the final configuration settings in the Admin Console:

Sign in to Collibra Data Quality & Observability as an administrator with a username and password to the tenant you want to configure.
Click Admin Console.
Click User Management, then click SAML Security.

The SAML Security Settings page opens.

Click the SAML Enabled dropdown menu, then select Enabled.
Under the SAML Enabled dropdown menu, to the far right side of the page, click .

The Add Meta Data Configuration dialog box appears.

Enter the required information.

Option	Description
Meta-Data URL	The URL of the identity provider metadata XML file or the location of the downloaded XML file, depending on how you configured the SAML_METADATA_USE_URL property. Important The name of the XML file must begin with the prefix file: and typically uses file:/opt/owl/config/idp-metadata.xml format.
Meta-Data Label	The name for this specific configuration.
IDP URL	The URL of the Collibra DQ application that is provisioned by the identity provider.

Option

Description

Meta-Data URL

The URL of the identity provider metadata XML file or the location of the downloaded XML file, depending on how you configured the SAML_METADATA_USE_URL property.

Important The name of the XML file must begin with the prefix file: and typically uses file:/opt/owl/config/idp-metadata.xml format.

Meta-Data Label

The name for this specific configuration.

IDP URL

The URL of the Collibra DQ application that is provisioned by the identity provider.

Click Add.

After you complete this setup, you can restart your application and sign in using the SAML SSO option.

Note SAML SSO authentication via the /v3/auth/signin API is not supported.

Note SAML authentication is only supported for IdP-initiated requests.