Configuring erwin Web Portal to support an external SSO environment requires working with your System Administrator. In this mode, the system default login page is disabled and not presented; it must be replaced by an external authentication login system.
Administrators can always log in, even in External Authentication Mode, using the dedicated administrator rescue login URL: http://localhost:<port>/MM/Auth?nativeLogin.
The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, including providing mechanisms for user authentication.
MIMM supports the OAuth 2.0 protocol for external authentication.
1. Sign in to erwin Metadata Management (EMM) as a user with at least the User Admin security role.
2. Go to either:
- Metadata explorer UI: MANAGE > Users in the banner.
- Metadata manager UI: Tools > Administration > Users.
3. Select OAuth External Authentication from the pull-down.
4. Click Configure the OAuth Server.
Configure the OAuth Server
In order to enable an external authentication server using the OAuth 2.0 protocol, the Administrator needs to configure the OAUTH server. The following example shows the Configure OAUTH Server editor parameters using the Google server.
The user needs to obtain OAuth 2.0 client credentials, such as the Client Id and Client Secret, from the external authentication server (for example, Google or Facebook).
Besides the Client Id and Client Secret, the OAUTH Server configuration also requires the external authentication server Authentication URI, token URI and a few other parameters:
o Authentication URI: a URI on the external authentication server that handles the user authentication. The result is an authorization code, which the application can exchange for an access token and a refresh token.
o Token URI: a URI on the external authentication server that exchanges the authorization code for an access token.
o Validation URI: a URI on the external authentication server that validates the access token and provides access to the user’s account.
o Scope: One or more scope values indicating which parts of the user’s account an access token permits.
o Request Headers: extra parameters to be added to the HTTP requests sent to the external authentication server.
User Attribute Mapping
The User Attribute Mapping specifies a mapping from the external user account attributes to MIMM user attributes (login, full name, email, etc.).
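The following is an added example, not erwin/MIMM code, that walks the authorization-code flow through the three endpoints the Configure OAuth Server editor asks for (Authentication URI, Token URI, Validation URI, plus Scope and Request Headers) and then applies a User Attribute Mapping to the returned account. The endpoint URIs are Google's published OAuth 2.0 endpoints used as illustrative values; the client id, client secret, redirect URI, user record and the `FakeOAuthServer` transport are constructed so the example runs offline. The checks a practitioner cares about are visible: the `state` value binds the callback to the login attempt it started, the code exchange is rejected unless the client secret and redirect URI match, and the validation endpoint only answers a valid bearer token.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters as entered in the Configure OAuth Server editor. Endpoint URIs are
# Google's published ones (illustrative); credentials are placeholders.
OAUTH_CONFIG = {
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "authentication_uri": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "validation_uri": "https://www.googleapis.com/oauth2/v3/userinfo",
    "scope": "openid email profile",
    "request_headers": {"Accept": "application/json"},
}
# User Attribute Mapping: MIMM attribute -> attribute name in the external account.
USER_ATTRIBUTE_MAPPING = {"login": "email", "full_name": "name", "email": "email"}
REDIRECT_URI = "https://mimm.example/oauth/callback"  # constructed placeholder


class FakeOAuthServer:
    """Constructed stand-in for the external authentication server (offline).
    It issues one authorization code and one access token and checks both."""

    def __init__(self, config, redirect_uri):
        self.config, self.redirect_uri = config, redirect_uri
        self.code = "constructed-auth-code-123"
        self.access_token = "constructed-access-token-xyz"
        self.user = {"sub": "10001", "name": "Alice Example",
                     "email": "alice@example.com", "email_verified": True}

    def authorize(self, auth_url):
        """Authentication URI: the user signs in; the server redirects back
        with an authorization code and echoes our state unchanged."""
        query = parse_qs(urlparse(auth_url).query)
        if query.get("response_type") != ["code"] or query.get("client_id") != [self.config["client_id"]]:
            raise ValueError("malformed authorization request")
        return f"{query['redirect_uri'][0]}?" + urlencode({"code": self.code, "state": query["state"][0]})

    def post(self, url, data, headers):
        """Token URI: authorization code -> access token, only for the right client."""
        if url != self.config["token_uri"]:
            return 404, {"error": "not_found"}
        if (data.get("grant_type") != "authorization_code" or data.get("code") != self.code
                or data.get("client_secret") != self.config["client_secret"]
                or data.get("redirect_uri") != self.redirect_uri):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": self.access_token, "token_type": "Bearer"}

    def get(self, url, headers):
        """Validation URI: only a valid bearer token reaches the account."""
        if url != self.config["validation_uri"]:
            return 404, {"error": "not_found"}
        if headers.get("Authorization") != f"Bearer {self.access_token}":
            return 401, {"error": "invalid_token"}
        return 200, dict(self.user)


def build_authorization_url(config, redirect_uri, state):
    """Step 1: send the browser to the Authentication URI with scope and state."""
    params = {"response_type": "code", "client_id": config["client_id"],
              "redirect_uri": redirect_uri, "scope": config["scope"], "state": state}
    return f"{config['authentication_uri']}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: accept the authorization code only if state matches our attempt."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def exchange_code(config, code, redirect_uri, transport):
    """Step 3: Token URI exchange, using the configured extra request headers."""
    data = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": config["client_id"], "client_secret": config["client_secret"]}
    status, body = transport.post(config["token_uri"], data, dict(config["request_headers"]))
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token exchange failed: {status} {body}")
    return body["access_token"]


def validate_token(config, access_token, transport):
    """Step 4: Validation URI call; returns the external account attributes."""
    headers = dict(config["request_headers"], Authorization=f"Bearer {access_token}")
    status, body = transport.get(config["validation_uri"], headers)
    if status != 200:
        raise RuntimeError(f"token validation failed: {status} {body}")
    return body


def map_user_attributes(userinfo, mapping):
    """Step 5: build the MIMM user record from the external account attributes."""
    missing = [ext for ext in mapping.values() if ext not in userinfo]
    if missing:
        raise KeyError(f"external account lacks mapped attribute(s): {missing}")
    return {mimm_attr: userinfo[ext_attr] for mimm_attr, ext_attr in mapping.items()}


def login_via_oauth(config, mapping, redirect_uri, server):
    """Run the whole flow against the given server/transport object."""
    state = secrets.token_urlsafe(16)  # unguessable per-attempt value
    callback = server.authorize(build_authorization_url(config, redirect_uri, state))
    code = parse_callback(callback, state)
    token = exchange_code(config, code, redirect_uri, server)
    return map_user_attributes(validate_token(config, token, server), mapping)


if __name__ == "__main__":
    srv = FakeOAuthServer(OAUTH_CONFIG, REDIRECT_URI)
    print(login_via_oauth(OAUTH_CONFIG, USER_ATTRIBUTE_MAPPING, REDIRECT_URI, srv))
```

Against a real server the `FakeOAuthServer` would be replaced by HTTPS requests to the configured URIs; the client-side functions do not change. If the external account lacks an attribute named in the mapping (for example, a provider that does not return `name` without the `profile` scope), `map_user_attributes` fails rather than creating a MIMM user with blank fields, which is the behaviour to expect when the Scope value is too narrow.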