JWT-based authentication
How to set up JWT-based authentication in Metabase to connect with your identity provider and manage user access.
You can connect Metabase to your identity provider using JSON Web Tokens (JWT) to authenticate people.
Assuming your site is localhost serving on port 3000:
`http://localhost:3000/question/1-superb-question`
`http://localhost:3000/auth/sso`
`/question/1-superb-question` URI, Metabase redirects the person to the SSO provider (the authentication app).
`http://localhost:3000/auth/sso?jwt=TOKEN_GOES_HERE&return_to=/question/1-superb-question`
`/question/1-superb-question`
Navigate to the Admin > Settings section of the Admin area, then click on the Authentication tab. Click the Configure button in the JWT section of this page, and you'll see this form:
Here's a breakdown of each of the settings:
JWT Identity Provider URI: This is where Metabase will redirect login requests. That is, it's where your users go to log in through your identity provider.
String Used by the JWT Signing Key: The string used to seed the private key used to validate JWT messages. Both Metabase and the authentication app should have the same JWT signing key.
These are additional settings you can fill in to pass user attributes to Metabase.
You can send additional user attributes to Metabase by adding the attributes as key/value pairs to your JWT. These attributes will be synced on every login.
You can use your JWT to assign Metabase users to custom groups.
`groups: ["group_name"]`
Alternatively, you can define the mappings between JWT and Metabase groups using the environment variable `MB_JWT_GROUP_MAPPINGS`. It accepts a JSON object where the keys are JWT groups and the values are lists of Metabase group IDs. For example:
MB_JWT_GROUP_MAPPINGS='{"extHR":[7], "extSales":[3,4]}'
where `extHR` and `extSales` are names of JWT groups and 3, 4, 7 are IDs of Metabase groups.
You can find the Metabase group ID in the URL for the group page, like `http://your-metabase-url/admin/people/groups/<ID>`. The "All Users" group has ID 1 and the "Administrators" group has ID 2.
You can also use the environment variable `MB_JWT_GROUP_SYNC` to turn group sync on or off.
MB_JWT_GROUP_SYNC=true
Paid plans charge for each additional account.
A new SSO login will automatically create a new Metabase account.
Metabase accounts created with an external identity provider login don't have passwords. People who sign up for Metabase using an IdP must continue to use the IdP to log into Metabase.
Avoid locking yourself out of your Metabase! Disabling password authentication applies to all Metabase accounts, including your Metabase admin account. We recommend that you keep password authentication enabled. This will safeguard you from getting locked out of Metabase in case of any problems with SSO.
To require people to log in with SSO, disable password authentication from Admin settings > Authentication.
If you're using Azure, you may need to use Azure AD B2C. Check out their tokens overview.
You can find example code that uses JWT authentication in the SSO examples repository.
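The login flow above seen from the authentication app's side, as an added example (not Metabase's code and not taken from the SSO examples repository): it signs a JWT with the shared key and builds the `/auth/sso` redirect, accepting only a local path for `return_to`. The HS256 algorithm, the `email`/`first_name`/`last_name` claim names, the 60-second `exp`, and the sample key and user are assumptions; `groups`, `jwt` and `return_to` come from this page.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

METABASE_URL = "http://localhost:3000"  # site used in the flow on this page
SIGNING_KEY = b"constructed-demo-key"   # constructed; must equal Metabase's JWT signing key


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used by compact JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialize claims as header.payload.signature using HMAC-SHA256 (assumed HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def safe_return_to(value: str) -> str:
    """Keep only a same-site path so the login app cannot be used as an open redirect."""
    if (not value.startswith("/") or value.startswith("//") or "\\" in value
            or any(ord(ch) < 0x20 for ch in value)):
        return "/"
    return value


def sso_redirect(email, first_name, last_name, groups, return_to, now=None):
    """URL the authentication app redirects the browser to after a successful login."""
    now = int(time.time()) if now is None else now
    claims = {
        "email": email, "first_name": first_name, "last_name": last_name,  # assumed names
        "groups": groups,   # key shown on this page
        "iat": now,
        "exp": now + 60,    # assumed lifetime; short because the token sits in a URL
    }
    query = urlencode({"jwt": sign_jwt(claims, SIGNING_KEY),
                       "return_to": safe_return_to(return_to)}, safe="/")
    return f"{METABASE_URL}/auth/sso?{query}"


if __name__ == "__main__":
    # Constructed sample user and destination.
    print(sso_redirect("rene@example.com", "Rene", "Example", ["extHR"],
                       "/question/1-superb-question"))
```

Because the token is carried in a query string, it can end up in browser history and proxy or server logs, which is why the example keeps `exp` short.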