Changes from 52 commits

53 commits:

9253bd3  feat: SSO rework — add Test Login, emailClaim, discoveryUri, and prot… (aji-aju, Apr 14, 2026)
2062a6d  fix: exclude test-login/initiate from JwtFilter and hide authorizer f… (aji-aju, Apr 14, 2026)
af4c502  fix: hide emailClaim, discoveryUri, adminPrincipals fields and add pr… (aji-aju, Apr 14, 2026)
e1ca300  fix: rewrite Test Login endpoints to return Response instead of void (aji-aju, Apr 14, 2026)
8efb16b  fix: hide OIDC prompt field in all provider UI schemas (aji-aju, Apr 14, 2026)
a01bd65  fix: move Test Login endpoints from SystemResource to ConfigResource (aji-aju, Apr 14, 2026)
409f565  fix: make TestLoginHandler self-contained — build OIDC client from fo… (aji-aju, Apr 14, 2026)
62166c0  fix: use OIDCProviderMetadata.parse() instead of resolve() for discov… (aji-aju, Apr 14, 2026)
4ef7ad0  fix: use registered callback URL for Test Login to avoid redirect_uri… (aji-aju, Apr 14, 2026)
de890c5  fix: stale formData on first Test Login click + disable Save until em… (aji-aju, Apr 14, 2026)
4501b0c  feat: add OIDC provider dropdown (Google, Azure, Okta, Auth0, Cognito… (aji-aju, Apr 14, 2026)
58b396b  fix: validate Discovery URI placeholders and auto-sync before validation (aji-aju, Apr 14, 2026)
7724cfb  feat: prompt in advanced, discovery URI defaults, validation before T… (aji-aju, Apr 14, 2026)
5818ba7  fix: pass skipTestLoginFields to validateAuthorizerConfiguration (aji-aju, Apr 14, 2026)
9ec1422  feat: add offline_access to default scope, hide scope/prompt/okta aut… (aji-aju, Apr 14, 2026)
f6eae0d  fix: remove @Valid from validate endpoint to prevent LDAP/SAML field … (aji-aju, Apr 14, 2026)
9687c31  fix: update all hardcoded scope defaults to include offline_access (aji-aju, Apr 14, 2026)
c3cd98c  fix: use localStorage for popup communication, restore scope/prompt/a… (aji-aju, Apr 14, 2026)
054c608  fix: show top-level discoveryUri, hide nested oidcConfiguration.disco… (aji-aju, Apr 14, 2026)
b8a38af  fix: write discoveryUri to top-level field, prioritize top-level in T… (aji-aju, Apr 14, 2026)
e39c744  feat: pass all OIDC params through Test Login + revert offline_access… (aji-aju, Apr 14, 2026)
4564d75  feat: SSO confidential — Validate → Test Login → Save gate + backend … (aji-aju, Apr 15, 2026)
99f58bf  fix: match admin principals by email in addition to username (aji-aju, Apr 15, 2026)
596c725  feat: SAML Test Login + OIDC validator refinement (aji-aju, Apr 15, 2026)
15f3351  fix: audit fixes — PKCE, nonce, SAML session, normalize hardening (aji-aju, Apr 16, 2026)
ec6d5d0  fix: OIDC Test Login — POST form body + 302 redirect (aji-aju, Apr 16, 2026)
ef24742  feat: LDAP Test Login + unit test coverage for all three protocols (aji-aju, Apr 21, 2026)
ad98b29  chore: apply mvn spotless:apply to unblock Java checkstyle (aji-aju, Apr 24, 2026)
4d1f848  fix (Apr 28, 2026)
a2dc814  chore(sso-ui): swap SSO form chrome to Untitled UI primitives (Apr 29, 2026)
9cebb7b  chore(sso-ui): drop PR #27336 frontend changes; keep only backend (Apr 29, 2026)
847b500  chore(sso-ui): integrate Test Login + align fields with proposal (Apr 29, 2026)
2ba121e  fix(saml): ignore configured emailClaim at login (aji-aju, Apr 29, 2026)
4bca2a0  chore(i18n): sync SSO Test Login keys across locales after rebase (Apr 29, 2026)
1a96232  feat(sso-ui): lockout-safe save + email-claim status surface (Apr 30, 2026)
3e4ed9a  fix(sso-ui): track Test Login freshness as a flag, not a JSON snapshot (May 4, 2026)
f32fecb  fix(sso-ui): fail Test Login fast when the popup is closed (May 4, 2026)
c999bb5  style(sso-ui): apply #F8F9FC panel chrome to main fields and advanced… (May 4, 2026)
8602e29  fix (May 4, 2026)
cf91fcb  feat(sso): existing-mode Test Login via shared deep-merge overlay (aji-aju, May 5, 2026)
000e527  Merge remote-tracking branch 'origin/main' into sid/sso-layout (May 5, 2026)
52eb4c9  change (May 6, 2026)
573294c  fix(sso): pass mode=existing to Test Login + canonical Public OIDC sa… (May 6, 2026)
c80670d  test(sso): drop obsolete Public OIDC oidcConfiguration tests (May 6, 2026)
0b76195  Merge branch 'sid/sso-layout' of https://github.com/open-metadata/Ope… (May 6, 2026)
268a60d  feat(sso): trim SAML form main section to IdP-only fields (May 6, 2026)
c446ece  feat(sso): trim LDAP form main section to bind-only fields (May 6, 2026)
48cfb36  test(sso): cover Test Login E2E across Custom OIDC, LDAP, SAML (May 11, 2026)
71f6e7d  refactor(sso-ui): tighten types, extract popup lifecycle, isolate sav… (May 11, 2026)
e15348e  Merge branch 'main' into sid/sso-layout (siddhant1, May 11, 2026)
7c6dbbb  Update generated TypeScript types (github-actions[bot], May 11, 2026)
f18ae96  style(sso-ui): apply prettier + organize-imports on SSO test files (May 11, 2026)
10c5186  Merge branch 'main' into sid/sso-layout (siddhant1, May 11, 2026)
21 changes: 17 additions & 4 deletions docker/development/.env.sso-test
@@ -2,8 +2,8 @@
# Configures OM server to use mock OIDC provider for E2E testing.
#
# Usage:
# 1. Start mock OIDC provider first:
# docker compose --profile sso-test up -d mock-oidc-provider
# 1. Start SSO test fixtures (mock OIDC + OpenLDAP):
# docker compose --profile sso-test up -d
#
# 2. Start (or restart) OM server with this env file:
# docker compose --env-file .env.sso-test up -d
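Review bot: step 1 now runs `docker compose --profile sso-test up -d` with no service names, which starts every default-profile service (the OM server included) together with the fixtures, so step 2's "start (or restart) OM server with this env file" runs against a server that was already brought up without `.env.sso-test`. Name the fixtures explicitly so that only they start first, e.g. `docker compose --profile sso-test up -d mock-oidc-provider openldap-test`.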
@@ -12,8 +12,21 @@
# cd openmetadata-ui/src/main/resources/ui
# npx playwright test --config=playwright.sso.config.ts
#
# NOTE: Server-side URLs use Docker hostname (mock-oidc-provider:9090).
# Client-side URLs (authority, callback) use localhost:9090.
# NOTE: Server-side URLs use Docker hostname (mock-oidc-provider:9090,
# openldap-test:1389). Client-side URLs (authority, callback)
# use localhost:9090.
#
# LDAP fixture (consumed by SSOTestLogin-LDAP.spec.ts via the SSO API,
# not by the OM server's auth provider — these vars are documentation):
# LDAP host (server-side): openldap-test
# LDAP host (host network): localhost
# LDAP port: 1389
# admin DN: cn=admin,dc=test,dc=local
# admin password: admin-pass
# user base DN: ou=people,dc=test,dc=local
# mail attribute: mail
# seed user (with mail): cn=alice,ou=people,dc=test,dc=local / alice-pass / mail=alice@company.com
# seed user (no mail): cn=bob,ou=people,dc=test,dc=local / bob-pass

# Authentication provider — custom-oidc uses OidcAuthenticator
AUTHENTICATION_PROVIDER=custom-oidc
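Review bot: the LDAP block is comments rather than variables (the text says so itself), but it restates values that are owned by docker-compose.yml and 01-people.ldif (admin DN, admin-pass, the base DNs, alice-pass, bob-pass), so any change to the fixture leaves this copy stale with nothing to catch it. Keep only what is unique to this file (the host-network address localhost:1389, and that SSOTestLogin-LDAP.spec.ts rather than the OM auth provider consumes the fixture) and point readers at the two source files for the rest. Worth keeping one explicit sentence that bob intentionally has no `mail`, since that is the negative case the spec relies on.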
28 changes: 28 additions & 0 deletions docker/development/docker-compose.yml
@@ -598,6 +598,34 @@ services:
profiles:
- sso-test

openldap-test:
build:
context: ./openldap-seed
dockerfile: Dockerfile
container_name: openldap_test
environment:
LDAP_ORGANISATION: OpenMetadata Test
LDAP_DOMAIN: test.local
LDAP_BASE_DN: dc=test,dc=local
LDAP_ADMIN_PASSWORD: admin-pass
LDAP_TLS: "false"
expose:
- 389
ports:
- "1389:389"
networks:
- local_app_net
healthcheck:
test:
- "CMD-SHELL"
- "ldapsearch -x -H ldap://localhost:389 -D 'cn=admin,dc=test,dc=local' -w admin-pass -b 'ou=people,dc=test,dc=local' '(cn=alice)' cn >/dev/null 2>&1"
interval: 10s
timeout: 5s
retries: 10
start_period: 30s
profiles:
- sso-test

networks:
local_app_net:
name: ometa_network
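Review bot: `ports: - "1389:389"` publishes the plaintext LDAP listener on every host interface, and with `LDAP_TLS: "false"` and a documented `LDAP_ADMIN_PASSWORD: admin-pass` that is a directory with a public admin credential reachable from whatever network the developer's laptop is on. Bind it to loopback, `"127.0.0.1:1389:389"`; the Playwright spec runs on the host and only needs localhost, and the OM container reaches it over `local_app_net` regardless. Two smaller points in the same block: `expose: - 389` is redundant once `ports` maps that port, and the healthcheck passes `-w admin-pass` on the command line, which shows up in `docker inspect` and the container's process list; an anonymous or `cn=alice` bind would serve the liveness check just as well.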
3 changes: 3 additions & 0 deletions docker/development/mock-oidc-provider/server.js
@@ -118,6 +118,9 @@ const providerConfig = {
profile: ['name', 'preferred_username'],
},
scopes: ['openid', 'email', 'profile', 'offline_access'],
// Include all granted scope claims in the id_token so SSO Test Login (which
// reads claims from id_token only, not userinfo) can surface email/profile.
conformIdTokenClaims: false,
features: {
devInteractions: { enabled: false },
rpInitiatedLogout: { enabled: true },
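Review bot: the comment documents the limitation this setting papers over (Test Login reads claims from the id_token only, never from userinfo), and that limitation is the thing to flag. With `conformIdTokenClaims: false` the mock puts email/profile claims in the id_token, but OIDC Core 5.4 lets a provider return scope-derived claims only from the UserInfo endpoint whenever an access token is issued, which is exactly the code flow Test Login uses. The E2E run therefore passes against a provider shaped more generously than the spec requires, and a customer whose IdP follows the default will see Test Login report no email even though the configuration is correct. Either keep the library default and add a userinfo fallback to the Test Login handler, or say in this comment that the userinfo path is deliberately out of E2E scope so the gap is visible.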
29 changes: 29 additions & 0 deletions docker/development/openldap-seed/01-people.ldif
@@ -0,0 +1,29 @@
# People organizational unit + seed users for SSO Test Login E2E specs.
# Baked into the openldap-test image at build time (see Dockerfile).
# Mirrors the fixture used by openmetadata-service TestLdapHandlerTest so the
# E2E and unit-test bind shapes stay aligned.

dn: ou=people,dc=test,dc=local
objectClass: organizationalUnit
ou: people

dn: cn=alice,ou=people,dc=test,dc=local
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: alice
sn: Smith
givenName: Alice
mail: alice@company.com
userPassword: alice-pass

dn: cn=bob,ou=people,dc=test,dc=local
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: bob
sn: Jones
givenName: Bob
userPassword: bob-pass
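Review bot: bob's missing `mail` is the negative case (the env file calls him the "seed user (no mail)"), but nothing in this file says so; add a comment on that entry, otherwise the next person to touch the fixture will "complete" it by adding a mail attribute and silently remove the no-email coverage. The header's claim that this mirrors TestLdapHandlerTest should also be enforced rather than asserted: if that test embeds its own LDIF, consider having it load this file so the unit and E2E bind shapes cannot drift. The cleartext `userPassword` values are fine for a fixture that is baked at build time from source.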
4 changes: 4 additions & 0 deletions docker/development/openldap-seed/Dockerfile
@@ -0,0 +1,4 @@
FROM osixia/openldap:1.5.0

COPY --chown=openldap:openldap 01-people.ldif \
/container/service/slapd/assets/config/bootstrap/ldif/custom/01-people.ldif
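Review bot: osixia/openldap applies the files under `bootstrap/ldif/custom/` only on the container's first start, so this seed works because docker-compose.yml declares no volume for openldap-test and every `up` after a `down` is a fresh first start. Say that in a comment next to the COPY: the first person to add a persistent volume for faster restarts will get a container that starts cleanly but never creates alice, and the compose healthcheck will fail with no obvious cause. Pinning `osixia/openldap:1.5.0` by digest would also make the E2E fixture reproducible across CI runs.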
(file path not captured for this hunk)
@@ -10,7 +10,7 @@
"editUsernameAllowed": false,
"clients": [
{
"clientId": "http://localhost:8585/api/v1/saml/metadata",
"clientId": "http://localhost:8585",
"name": "OpenMetadata",
"enabled": true,
"protocol": "saml",
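Review bot: in a Keycloak SAML client the `clientId` is the SP entityID, and Keycloak matches it against the `Issuer` of every AuthnRequest, so this change only works if the OpenMetadata side (including the new SAML Test Login path) now sends `http://localhost:8585` as its entityId; the diff does not show where that value is set, so please reference the config or code that changed alongside this realm file, and note in the PR why the metadata URL was dropped as the identifier, since `.../api/v1/saml/metadata` is the conventional choice and existing realm exports that still carry it will stop matching after upgrade.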