Summary
Rework the SSO configuration to simplify from 8 provider-specific options to 3 protocol-based choices (OIDC / SAML / LDAP), add a Test Login flow for claim verification, and prevent user lockouts caused by incorrect claim mapping.
Problem
- SSO config exposes 8 provider options (Google, Azure, Okta, Auth0, Cognito, Custom OIDC, SAML, LDAP) when there are really only 3 protocols
jwtPrincipalClaims fallback list silently picks the wrong claim → user lockouts with no clear error- "Public/Confidential" client type is OAuth jargon that confuses admins
- No way to validate SSO config works before saving
Proposed Changes
UI Simplification
- 3 protocol cards (OIDC / SAML / LDAP) as top-level selection
- OIDC: provider dropdown (Google, Azure, Okta, Auth0, Cognito, Other) for Discovery URI pre-fill and help text
- 3 primary fields only: Discovery URI, Client ID, Client Secret
- "Public/Confidential" replaced with pre-selected "With Client Secret (recommended)" toggle
- All other fields auto-derived or moved to Advanced settings
Test Login (Core Feature)
- OIDC/SAML: Browser popup → admin authenticates with IdP → system extracts claims/attributes → admin confirms email claim → auto-fills emailClaim, adminPrincipal, principalDomain
- LDAP: Inline form (username + password) → validates bind + mail attribute → auto-fills same fields
- New setups: Test Login required before save (guided flow)
- Existing configs: Smart save — Test Login only triggered when lockout-risk fields change (discoveryUri, clientId, scope, etc.). Safe fields (tokenValidity, selfSignup, etc.) save directly
- Test Login does NOT interfere with the admin's current session — uses separate endpoints, no session/cookie modification
Schema Changes
- Add optional
discoveryUri to top-level authenticationConfiguration — single source of truth for both public and confidential flows. Authority, publicKeyUrls auto-derived from it.
- Add optional
emailClaim — set via Test Login, overrides legacy jwtPrincipalClaims fallback
- Email claim priority:
jwtPrincipalClaimsMapping (existing, highest) → emailClaim (new) → jwtPrincipalClaims (legacy fallback)
- Explicit config (
emailClaim or jwtPrincipalClaimsMapping) missing claim → hard fail with clear error. Legacy fallback → soft matching (existing behavior, zero regression)
SAML Email Contract
- OpenMetadata reads email from a fixed SAML attribute named
email (case-insensitive)
- Customers configure their IdP to send this attribute
- Backward compatible: falls back to NameID for existing customers
- SAML config supports federation metadata XML upload (auto-populates IdP fields)
Backward Compatibility
- All existing provider enum values kept (no migration)
- All existing validators kept
- Existing configs without new fields → fallback to current behavior
- No customer intervention required on upgrade
Design Document
Full design requirements (screens, flows, field reference, schema details): SSO_REWORK_DESIGN_REQUIREMENTS.md
Summary
Rework the SSO configuration to simplify from 8 provider-specific options to 3 protocol-based choices (OIDC / SAML / LDAP), add a Test Login flow for claim verification, and prevent user lockouts caused by incorrect claim mapping.
Problem
jwtPrincipalClaimsfallback list silently picks the wrong claim → user lockouts with no clear errorProposed Changes
UI Simplification
Test Login (Core Feature)
Schema Changes
discoveryUrito top-levelauthenticationConfiguration— single source of truth for both public and confidential flows. Authority, publicKeyUrls auto-derived from it.emailClaim— set via Test Login, overrides legacyjwtPrincipalClaimsfallbackjwtPrincipalClaimsMapping(existing, highest) →emailClaim(new) →jwtPrincipalClaims(legacy fallback)emailClaimorjwtPrincipalClaimsMapping) missing claim → hard fail with clear error. Legacy fallback → soft matching (existing behavior, zero regression)SAML Email Contract
email(case-insensitive)Backward Compatibility
Design Document
Full design requirements (screens, flows, field reference, schema details):
SSO_REWORK_DESIGN_REQUIREMENTS.md