Skip to main content

SAML SSO Configuration

SAML (Security Assertion Markup Language) SSO enables users to authenticate with enterprise identity providers such as ADFS, Shibboleth, or Okta. This setup allows secure, federated login to Collate through SAML assertions. This guide walks you through configuring Collate with a SAML provider using Confidential client settings (Client ID + Client Secret).

Overview

Collate supports Single Sign-On (SSO) integration with various identity providers, enabling secure, centralized user authentication.
  • Navigate to: Settings > SSO
SSO Authentication
  • Select the service provider.
Supported Providers Click Configure to set up Single Sign-On (SSO). After completing the configuration, click Save to apply the changes. SAML SSO Configuration

Configuration Fields

This section contains the form fields that must be completed when setting up Single Sign-On (SSO).

Client ID

  • Definition: Client identifier for this SAML configuration.
  • Example: saml-client-123
  • Why it matters: Useful for tracking and management.
  • Note: Optional in SAML setup.

Enable Self Signup

  • Definition: Allows new users to auto-create accounts on first login.
  • Options: Enabled | Disabled
  • Example: Enabled

Public Key URLs

  • Definition: URLs for verifying JWT signatures (used if SAML generates JWT).
  • Example: ["https://yourapp.company.com/.well-known/jwks.json"]

IdP Entity ID

  • Definition: Identifier for your Identity Provider (IdP).
  • Example: https://adfs.company.com/adfs/services/trust

SSO Login URL

  • Definition: URL where users are redirected to log in with your IdP.
  • Example: https://adfs.company.com/adfs/ls/

IdP X.509 Certificate

  • Definition: Certificate used to verify incoming SAML assertions.
  • Note: Must include the full certificate with BEGIN and END lines.

Authority URL

  • Definition: Used for IdP-initiated login flows.
  • Example: https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx

Name ID Format

  • Definition: Format used to identify users.
  • Default/Example: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress

Assertion Consumer Service (ACS) URL

  • Definition: URL where SAML assertions are sent post-authentication.
  • Example: https://openmetadata.company.com/api/v1/saml/acs

SP X.509 Certificate

  • Definition: Collate’s public certificate.
  • Note: Required if you want to sign authentication requests.

SP Private Key

  • Definition: Used to sign SAML requests or decrypt assertions.
  • Note: Must be stored securely.

SP Callback URL

  • Definition: Redirect path after successful login.
  • Example: https://openmetadata.company.com/saml/callback

Token Validity

  • Definition: Token expiration time in seconds.
  • Default: 3600
  • Example: 7200

Send Signed Auth Request

  • Definition: Whether to sign SAML requests from Collate.
  • Default: false
  • Example: true

Want Messages Signed

  • Definition: Require SAML messages to be signed by IdP.
  • Default: false
  • Example: true

Want Assertions Signed

  • Definition: Require assertions to be signed by IdP.
  • Default: false
  • Example: true

Debug Mode

  • Definition: Enable detailed logs for SAML login attempts.
  • Default: false
  • Example: true
  • Note: Use only for troubleshooting. Disable in production.

JWT Principal Claims

  • Definition: Claims used to identify the user (when SAML generates JWT).
  • Example: ["preferred_username", "email", "sub"]

JWT Principal Claims Mapping

  • Definition: Maps SAML/JWT claims to Collate user fields.
  • Example: ["email:email", "name:displayName", "firstName:given_name"]

Admin Principals

Principal Domain

  • Definition: Default domain used to resolve user identity.
  • Example: company.com

Enforce Principal Domain

  • Definition: Restrict access to users within a specific domain.
  • Default: false
  • Example: true

Enable Secure Socket Connection

  • Definition: Enable SSL/TLS for secure SAML communication.
  • Default: false
  • Example: true
  • Note: Strongly recommended for production environments.

✅ Summary Table

FieldExample / Default
Client IDsaml-client-123
Enable Self SignupEnabled
Public Key URLshttps://yourapp.company.com/.well-known/jwks.json
IdP Entity IDhttps://adfs.company.com/adfs/services/trust
SSO Login URLhttps://adfs.company.com/adfs/ls/
IdP X509 CertificateMultiline PEM certificate
Authority URLhttps://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx
Name ID Formaturn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
ACS URLhttps://openmetadata.company.com/api/v1/saml/acs
SP X509 CertificateMultiline PEM certificate
SP Private KeyMultiline PEM private key
SP Callback URLhttps://openmetadata.company.com/saml/callback
Token Validity3600
Send Signed Auth Requesttrue
Want Messages Signedtrue
Want Assertions Signedtrue
Debug Modefalse
JWT Principal Claims[“preferred_username”, “email”, “sub”]
JWT Mapping[“email:email”, “name:displayName”, “firstName:given_name”]
Admin Principals[“[email protected]”, “[email protected]”]
Principal Domaincompany.com
Enforce Principal Domainfalse
SSL/TLStrue

Troubleshooting

If users are automatically logged out and unable to log in again due to a bad authentication configuration, you can reset the security setup using the following command: 

./bootstrap/openmetadata-ops.sh remove-security-config --force
After executing the command, restart the server. The authentication values from your YAML or Helm chart will then be reapplied on startup. The following tiles detail how to apply this configuration across Docker, Kubernetes, and Bare Metal deployments:

Docker Security

Configure SSO for your Docker deployment.

Bare Metal Security

Configure SSO for your bare metal deployment.

Kubernetes Security

Configure SSO for your Kubernetes deployment.