open-metadata / OpenMetadata

OpenMetadata is a unified metadata platform for data discovery, data observability, and data governance powered by a central metadata repository, in-depth column level lineage, and seamless team collaboration.
https://open-metadata.org
Apache License 2.0

The control of SELF_SIGNUP is not functioning correctly in OpenMetadata on Docker. #14709

Closed inoue-net closed 6 months ago

inoue-net commented 9 months ago

Affected module UI and backend?

Describe the bug It seems that even though you have set up SELF_SIGNUP, the expected behavior is not occurring. When a user authenticated through SAML is not found in OpenMetadata, the "Sign in with SAML SSO" button leads to the SIGNUP screen being displayed, despite having ENABLE_SELF_SIGNUP set to false.

To Reproduce

To verify, set SELF_SIGNUP to FALSE in OpenMetadata running on Docker.

【Environment Used】
・Openmetadata v1.2.4
・OpenMetadata in Docker

【ENV File Configuration】
AUTHENTICATION_PROVIDER="saml"
AUTHENTICATION_ENABLE_SELF_SIGNUP=false #Disabling SIGNUP

Expected behavior If SELF_SIGNUP is set to false, the SIGNUP screen should not be displayed.

Version:

chirag-madlani commented 8 months ago

Hi @inoue-net, not sure if I understand your issue here. AUTHENTICATION_ENABLE_SELF_SIGNUP=false will allow or disallow the option to create a new user for the application. The "Sign in with SAML SSO" button is to allow existing users to log in to the application. Are you expecting to block the sign-in process for AUTHENTICATION_ENABLE_SELF_SIGNUP=false?

harshach commented 7 months ago

@inoue-net we don't have sufficient details on what to do here. Please provide details on what your expectation of this config is and what's not working for you.

muru commented 6 months ago

@chirag-madlani @harshach I can't speak for the OP but I think I have a similar problem. To provide some context:

When authentication is set to LDAP via JumpCloud, users can sign in easily even if accounts didn't exist for them in OMD. And this sign-in prompt isn't seen. When authentication is set to SAML, also via JumpCloud, two changes happen:

  1. Users who don't already exist can't sign in
  2. Users who did exist in the past but were since deleted sometimes see the sign-up screen

Ideally, I'd think (1) shouldn't happen and that accounts are created automatically just like it happens for LDAP, and for (2), admins should have the option to disable that sign-up form and just head straight to completion of account creation with whatever information is provided by the IDP. I think this is also the case in https://github.com/open-metadata/OpenMetadata/issues/15755

harshach commented 6 months ago

@chirag-madlani can you take a look above ^

Sachin-chaurasiya commented 6 months ago

Hello @inoue-net, enable self-signup applies to basic authentication only, and you should be able to restrict the application access for groups of users directly from the SSO side.

REF : https://openmetadata.slack.com/archives/C02B6955S4S/p1713811660506009?thread_ts=1713811180.060049&cid=C02B6955S4S