Book a demo

OpenID Connect Protocol

Editing your IAM configuration

With the exception of the IAM ID (also called the display name), any of these settings can be changed after an IAM is configured. To edit IAM settings, click the dropdown arrow next to the IAM listed in the identity management section on the app settings page and then make your changes.

  1. Navigate to the Immuta App Settings page.

  2. Scroll to the Identity Management section and click Add IAM.

  3. Complete the Display Name field and select OpenID from the Identity Provider Type dropdown.

  4. Take note of the ID and copy the SSO Callback URL to use as the ACS URL in your identity provider.

  5. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu.

  6. Enter the Client ID and Client Secret from your identity provider.

  7. Enter the URL of your identity provider's discovery endpoint in the Discover URL field. If you do not provide this URL, you will have to complete the manual endpoint specification fields (authorization endpoint, issuer, token endpoint, etc.).

  8. Opt to add additional Scopes.

  9. Opt to Enable SCIM support for OpenID by clicking the checkbox, which will generate a SCIM API Key. Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.

  10. In the Profile Schema section, map attributes in OpenID to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

    If usernames in your data platform align with usernames in an external IAM and those accounts align with an IAM attribute, enter the IAM attribute in the field that corresponds to your data platform:

    1. User's Databricks Username

    2. User's Snowflake Username

    3. User's Trino Username

    4. User's Azure Synapse Analytics Username

    5. User's Redshift Username

    6. User's AWS User. After entering the IAM attribute in the User's AWS User field, click the Select AWS User Type from the dropdown and select one of the types below. This is used by the Amazon S3 Integration to map users in Immuta to the corresponding user type in AWS.

      • None (fallback to Immuta username): When selecting this option, the AWS username is assumed to be the same as the Immuta username.

      • AWS IAM role: Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.

      • AWS IAM user

      • AWS Identity Center user IDs: You must use the numeric User ID value found in AWS IAM Identity Center, not the user's email address.

    7. User's PostgreSQL Username

  11. Opt to Allow Identity Provider Initiated Single Sign On to use the IDP-Initiated SSO feature by selecting the checkbox.

  12. Opt to Migrate Users from another IAM by selecting the checkbox.

  13. Click Test Connection and Test User Login.

  14. Save your configuration.

PreviousOpenID ConnectNextOkta and OpenID Connect

Last updated

Was this helpful?