Area: Deployment
Sub-Area: Authentication
Issue
Single Sign-On (SSO) or OIDC authentication is not working, users cannot log in, or authentication redirects fail. This typically occurs due to incorrect client ID/secret configuration, callback URL mismatches, or missing claims in the identity provider.
Common Error Messages:
Invalid redirect URIOIDC authentication failedInvalid client credentialsMissing required claim: email
You Might Be Asking:
- How do I configure OIDC for DataHub?
- Why am I getting redirect URI errors?
- What claims does DataHub require from the IdP?
Solution
- Configure OIDC in application.yml:
auth:
oidc:
enabled: true
clientId: "${OIDC_CLIENT_ID}"
clientSecret: "${OIDC_CLIENT_SECRET}"
discoveryUri: "https://your-idp.com/.well-known/openid-configuration"
# User claim mappings
userNameClaim: "email"
userNameClaimRegex: "([^@]+)" # Extract username from email
# Group mappings (optional)
groupsClaim: "groups"
# Optional: JIT provisioning
preProvisioning:
enabled: true
- Set correct callback URLs in IdP:
# Add these URLs to your IdP's allowed redirect URIs:
https://your-datahub.com/callback/oidc
https://your-datahub.com/callback
# For local development:
http://localhost:9002/callback/oidc
- For Okta configuration:
Example for Okta. This can be adapted for other identity providers.
auth:
oidc:
enabled: true
clientId: "${OKTA_CLIENT_ID}"
clientSecret: "${OKTA_CLIENT_SECRET}"
discoveryUri: "https://your-domain.okta.com/.well-known/openid-configuration"
scope: "openid profile email groups"
userNameClaim: "email"
groupsClaim: "groups"
- For Azure AD / Microsoft Entra:
Example for Azure AD. This can be adapted for other identity providers.
auth:
oidc:
enabled: true
clientId: "${AZURE_CLIENT_ID}"
clientSecret: "${AZURE_CLIENT_SECRET}"
discoveryUri: "https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration"
scope: "openid profile email"
userNameClaim: "preferred_username"
userNameClaimRegex: "([^@]+)"
- Debug authentication issues:
# Check GMS logs for auth errors
kubectl logs deployment/datahub-gms | grep -i "oidc\|auth"
# Verify OIDC discovery endpoint
curl https://your-idp.com/.well-known/openid-configuration
# Test with verbose logging
# Add to application.yml:
logging:
level:
com.datahub.authentication: DEBUG
Additional Notes
Ensure your IdP returns required claims (email, name) in the ID token. Group-based access control requires the groups claim to be present. Consider enabling JIT (Just-In-Time) provisioning to automatically create users on first login.
Related Documentation
Tags:
sso, oidc, authentication, okta, azure-ad, login, oauth, saml, identity-provider, security