Migrating to a custom SAML keystore

To improve the security of Collibra Data Quality & Observability, we removed the default keystore password from the installation packages in the Collibra Data Quality & Observability 2024.07 release. This page shows you how to migrate to a custom SAML keystore.

Depending on whether your organization has SSL enabled, there are two options for configuring a custom SAML keystore.

With SSL enabled

  1. In the owl-env.sh for Standalone or the Web ConfigMap for Cloud Native deployments of Collibra Data Quality & Observability, set the SAML keystore properties to the same values as the SSL keystore file. For example:

    #enable SAML & show the SAML SSO option on the login page
    SAML_ENABLED=true

    #set SSL communication properties for SAML
    SAML_KEYSTORE_FILE=file:/etc/ssl/dev-keystore.jks
    SAML_KEYSTORE_PASS=****
    SAML_KEYSTORE_ALIAS=****

    #set the name of the IdP variable to hold the user roles in the response
    SAML_ROLES_PROP_NAME=memberOf

    #set the EntityId of the application to be supplied to the IdP
    SAML_ENTITY_ID=OwlOneLogin

    #optionally use a file for the IdP metadata vs a URL (default is true)
    SAML_METADATA_USE_URL=false

    Variable: Description
    SAML_ENABLED: Whether Collibra Data Quality & Observability uses SAML. If set to false, users sign in with a username and password. If set to true, SAML handles the authentication request.
    SAML_KEYSTORE_FILE: The path of the keystore. It can be any path, as long as the keystore contains the public and private key pair used by Collibra Data Quality & Observability and the certificates required for SAML.
    SAML_KEYSTORE_PASS: The password used when creating the public and private key for the keystore file.
    SAML_KEYSTORE_ALIAS: The alias used when creating the public and private key for the keystore file.
    SAML_ROLES_PROP_NAME: The name of the IdP variable that holds the user roles in the response.
    SAML_ENTITY_ID: The unique identifier for the SP entity. It must match the SP entity ID used in the IdP circle of trust configuration.
    SAML_METADATA_USE_URL: Whether Collibra DQ uses a URL or a file for the identity provider metadata. Set to false for file-based SAML and true for URL-based configurations.

  2. Start the Collibra Data Quality & Observability application.
  3. (Required only if signing or encrypting the SAML assertion) Download the Collibra Data Quality & Observability SP metadata from the https://<your_dq_environment_url>/saml/metadata endpoint and share it with the IdP to configure the SP.
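A pre-flight check that can be run against owl-env.sh before the application is started, so that SAML is not enabled with redacted or template keystore values still in place. This is an added example, not Collibra's own code; the file format follows the excerpt above, and the function names (parse_env, keystore_path, check_saml_env) and the sample contents are this example's own assumptions.

```python
"""Pre-flight check for the SAML_* keystore settings in owl-env.sh (added
example, not Collibra's own code). It parses the lines shown above and reports
values that would stop the custom keystore from loading, or that are still
redaction/template text. All names here are this example's own."""
import os
import re
from urllib.parse import urlparse

# Constructed sample mirroring the owl-env.sh excerpt, with the password and
# alias left redacted exactly as printed on the page.
SAMPLE_ENV = """
SAML_ENABLED=true
SAML_KEYSTORE_FILE=file:/etc/ssl/dev-keystore.jks
SAML_KEYSTORE_PASS=****
SAML_KEYSTORE_ALIAS=****
SAML_ENTITY_ID=OwlOneLogin
SAML_METADATA_USE_URL=false
"""
REQUIRED = ("SAML_KEYSTORE_FILE", "SAML_KEYSTORE_PASS",
            "SAML_KEYSTORE_ALIAS", "SAML_ENTITY_ID")
# Empty, redacted (****) or template (<alias-name>) values are not usable.
PLACEHOLDER = re.compile(r"^(\*+|<[^>]*>)?$")

def parse_env(text):
    """Return KEY -> value for KEY=value lines; comments and blanks are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def keystore_path(value):
    """Map 'file:/etc/ssl/x.jks' or 'file:///etc/ssl/x.jks' to a plain path."""
    parsed = urlparse(value)
    return parsed.path if parsed.scheme == "file" else value

def check_saml_env(env, path_exists=os.path.exists):
    """Return findings as strings; an empty list means the settings are usable."""
    if env.get("SAML_ENABLED", "false").lower() != "true":
        return []  # SAML is off, so the keystore settings are not consulted
    findings = [f"{k} is missing or still a placeholder"
                for k in REQUIRED if PLACEHOLDER.match(env.get(k, ""))]
    ks = env.get("SAML_KEYSTORE_FILE", "")
    if ks and not ks.startswith("file:"):
        findings.append("SAML_KEYSTORE_FILE should be a file: URI")
    elif ks and not path_exists(keystore_path(ks)):
        findings.append(f"keystore {keystore_path(ks)} not found on this host")
    return findings
```

Run `check_saml_env(parse_env(open("owl-env.sh").read()))` on the real file; an empty result means the keystore settings are complete, a non-empty one lists what to fix before starting the application.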

Important: When using SAML in its current implementation, you must enable SSL to use a custom keystore. If you rely on a Load Balancer to manage SSL, you can still enable SSL by stopping SSL at the Load Balancer. You can also enable an HTTP port to allow a Load Balancer to connect to it, as shown in step 3 on the Without SSL enabled tab of the Migrating to a custom SAML keystore topic. In a future release, we plan to provide support for custom keystores without SSL enabled.

Without SSL enabled

  1. Create a keystore file, as demonstrated in Setting up SSL (HTTPS).
  2. For Cloud Native deployments of Collibra Data Quality & Observability:
    1. Create a K8s secret from the keystore file:

      kubectl create secret generic dq-ssl-secret --from-file <file-name.jks> --namespace <dev>

    2. Mount the JKS file through the following Helm chart variables:

      --set global.web.tls.enabled=true \
      --set global.web.security.saml.keyStoreFile=file:///etc/ssl/dqkeystore.jks \
      --set global.web.security.saml.keyStoreAlias=<alias-name> \
      --set global.web.security.saml.keyStorePass=<keystore-pass>

  3. Start the Collibra Data Quality & Observability application.
  4. Download the Collibra Data Quality & Observability SP metadata from the https://<your_dq_environment_url>/saml/metadata endpoint and share it with the IdP to configure the SP.