<@U06TM7M40RK> What is the redirect logout url for Azure AD integration?
For Azure AD integration with DataHub, the “Front-channel logout URL” should be set to https://your-datahub-domain.com/login. This configuration ensures that after a user logs out, they are redirected to the DataHub login page. This setup is crucial for maintaining a seamless user experience and ensuring that the session is properly terminated.
According to the <https://datahubproject.io/docs/0.14.0/authentication/guides/sso/configure-oidc-react|DataHub OIDC Configuration Guide>, you should configure the logout URL in the Azure portal under the Authentication settings of your registered application.
Would you like more detailed steps on how to configure this in the Azure portal or any other related settings?
Sources:
- <https://datahubproject.io/docs/0.14.0/authentication/guides/sso/configure-oidc-react|DataHub OIDC Configuration Guide>
<@U06TM7M40RK> but when the user clicks on Sign Out, he is still logged in.
The issue where a user remains logged in after clicking “Sign Out” is a known problem with OIDC integration in DataHub. This can occur due to several reasons, such as misconfiguration of the logout endpoints or session management settings.
Here are some steps to troubleshoot and resolve the issue:
- Verify OIDC Configuration: Ensure that the post_logout_redirect_uri is correctly set in your Identity Provider (IdP) configuration. This URI should point to the DataHub login page, typically https://your-datahub-domain.com/login.
- Check Logout Endpoint: Make sure that the logout endpoint is correctly configured in your DataHub setup. For Azure, the “Front-channel logout URL” should be set to https://your-datahub-domain.com/login.
- Session Store Configuration: Verify that the session store is correctly set up to handle state parameters. This is typically configured in the application.conf file of the DataHub frontend.
- Enable Verbose Logging: Enable verbose logging to get more detailed information about the issue. You can do this by setting the AUTH_VERBOSE_LOGGING environment variable to true.
- Inspect the CentralLogoutController: According to <https://github.com/datahub-project/datahub/blob/master/datahub-frontend/app/controllers/CentralLogoutController.java|CentralLogoutController.java>, ensure that the logout logic is correctly implemented and that the executeLogout method is properly handling the session termination.
- Check for Known Issues: There are known issues related to logout with OIDC, as discussed in <Issues · datahub-project/datahub · GitHub Issue #8369>. It might be helpful to review this issue for any updates or workarounds.
Would you like more detailed steps on any of these points or further assistance with your configuration?
Sources:
- <https://github.com/datahub-project/datahub/blob/master/datahub-frontend/app/controllers/CentralLogoutController.java|CentralLogoutController.java>
- <Issues · datahub-project/datahub · GitHub Issue #8369>
<@U06TM7M40RK> Where do I look if the session store is correctly set up to handle state parameters in application.conf file?
To verify if the session store is correctly set up to handle state parameters in the application.conf file, you should look for the configuration related to the session store and cache settings. Here are the key areas to check:
- Session Store Configuration: Ensure that the session store is configured to use play.cache. This is important for handling state parameters in the OIDC authentication flow.
- Cache Settings: Check that the cache settings are properly defined to support session management.
Here is an example configuration for the application.conf file:

    play {
      cache {
        defaultCache = "play"
        bindCaches = ["session-cache"]
      }
    }

    session {
      store = "play.cache"
      cookieName = "PLAY_SESSION"
      secure = true
      httpOnly = true
    }
- defaultCache: This should be set to "play", indicating the default cache implementation.
- bindCaches: This should include "session-cache", which binds the session cache to the application.
- session.store: This should be set to "play.cache", indicating that the session data is stored in the cache.
- cookieName: This specifies the name of the session cookie.
- secure and httpOnly: These settings ensure that the session cookie is secure and not accessible via JavaScript.
These settings ensure that the session store is correctly configured to handle state parameters, which are crucial for maintaining session integrity during the OIDC authentication process.
Would you like more detailed steps on how to configure these settings or any other related information?
Sources:
- <Slack Thread on Okta Integration Issues>
<@U06TM7M40RK> give me an example of helm configuration for frontend set up to handle state parameters
To configure the DataHub frontend using Helm to handle state parameters, you need to ensure that the session store and related settings are properly set up in your values.yaml file. Below is an example configuration for the DataHub frontend using Helm:
    datahub-frontend:
      enabled: true
      extraEnvs:
        - name: AUTH_OIDC_ENABLED
          value: "true"
        - name: AUTH_OIDC_CLIENT_ID
          value: "<your-client-id>"
        - name: AUTH_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: datahub-oidc-secret
              key: client-secret
        - name: AUTH_OIDC_DISCOVERY_URI
          value: "https://<your-identity-provider>/.well-known/openid-configuration"
        - name: AUTH_OIDC_BASE_URL
          value: "https://<your-datahub-url>"
        - name: AUTH_VERBOSE_LOGGING
          value: "true"
        - name: PLAY_SESSION_STORE
          value: "play.cache"
        - name: PLAY_SESSION_COOKIE_NAME
          value: "PLAY_SESSION"
        - name: PLAY_SESSION_SECURE
          value: "true"
        - name: PLAY_SESSION_HTTP_ONLY
          value: "true"
      resources:
        limits:
          cpu: 500m
          memory: 1Gi
        requests:
          cpu: 250m
          memory: 512Mi
Key Configuration Points:
- AUTH_OIDC_ENABLED: Enables OIDC authentication.
- AUTH_OIDC_CLIENT_ID and AUTH_OIDC_CLIENT_SECRET: Set these to your OIDC client credentials.
- AUTH_OIDC_DISCOVERY_URI: The discovery URI for your OIDC provider.
- AUTH_OIDC_BASE_URL: The base URL of your DataHub deployment.
- AUTH_VERBOSE_LOGGING: Enables verbose logging for debugging purposes.
- PLAY_SESSION_STORE: Configures the session store to use play.cache.
- PLAY_SESSION_COOKIE_NAME: Sets the name of the session cookie.
- PLAY_SESSION_SECURE and PLAY_SESSION_HTTP_ONLY: Ensure the session cookie is secure and not accessible via JavaScript.
This configuration ensures that the DataHub frontend is set up to handle state parameters effectively, which is crucial for maintaining session integrity during the OIDC authentication process.
Would you like more detailed steps on any specific part of this configuration or further assistance?
Sources:
- <https://github.com/datahub-project/datahub/blob/master/docs/authentication/guides/sso/configure-oidc-react.md|DataHub OIDC Configuration Guide>