# all-things-deployment
c
Hi team, I'm using a deployment with OIDC authentication and it's working OK, but I have a doubt. How do I associate OIDC token groups with profiles in DataHub? For example, an OIDC group called admins_users maps to DataHub admins.
b
We support ingesting group information at SSO authentication time from your Identity Provider. So each user who is in admins_user should be in that group inside DataHub as well. However, this requires that your Identity Provider is sending the group names in an OIDC claim. By default we assume that claim is called "groups".
c
Good, authenticating and automatically provisioning groups and users worked. But I couldn't understand how I create groups with policies. I set it up like this:

```yaml
- name: AUTH_OIDC_USER_NAME_CLAIM
  value: "email"
- name: AUTH_OIDC_EXTRACT_GROUPS_ENABLED
  value: "true"
- name: AUTH_OIDC_GROUPS_CLAIM
  value: "groups"
- name: AUTH_OIDC_JIT_PROVISIONING_ENABLED
  value: "true"
- name: AUTH_OIDC_PRE_PROVISIONING_REQUIRED
  value: "false"
- name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
  value: "([^@]+)"
```
b
@chilly-analyst-561 Can you elaborate? What do you mean groups with policies?
c
Sure. The token I get from Keycloak is this:

```json
....
  "scope": "openid profile email",
  "email_verified": false,
  "groups": [
    "6d306979-7681-47b7-9a81-acb6b11521c4:superset_admin",
    "datahub"
  ],
  "name": "Maicon dos Santos Siqueira",
  "preferred_username": "maicon.siqueira@....",
  "email": "maicon.siqueira@semantix.com.br"
}
```

I would like to associate only the datahub group from the token with a particular policy. Example: a policy that gives admin access to the platform. Because I have numerous user profiles and identify them by token, and each of these profiles must have specific access in DataHub.
b
Right - you'd have to create a policy in DataHub (see the Policies Guide) and assign the "datahub" group to it once it has been ingested into DataHub. Today, we have no way to auto-create policies for groups. How would you imagine this working?
l
@gifted-queen-61023
c
To register my solution: I applied this configuration via the Helm chart.

```yaml
extraEnvs:
  - name: AUTH_OIDC_ENABLED
    value: "true"
  - name: AUTH_OIDC_CLIENT_ID
    value: "dcatalog-client"
  - name: AUTH_OIDC_CLIENT_SECRET
    value: "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxx"
  - name: AUTH_OIDC_DISCOVERY_URI
    value: "https://auth.keycloak.net/auth/realms/MyRealm/.well-known/openid-configuration"
  - name: AUTH_OIDC_BASE_URL
    value: "https://dcatalog-client.mydomain.net"
  - name: AUTH_OIDC_SCOPE
    value: "openid profile email"
  - name: AUTH_OIDC_USER_NAME_CLAIM
    value: "email"
  - name: AUTH_OIDC_EXTRACT_GROUPS_ENABLED
    value: "true"
  - name: AUTH_OIDC_GROUPS_CLAIM
    value: "dcatalog-claim"
  - name: AUTH_OIDC_JIT_PROVISIONING_ENABLED
    value: "true"
  - name: AUTH_OIDC_PRE_PROVISIONING_REQUIRED
    value: "false"
  - name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
    value: "([^@]+)"
```

I configured Keycloak with the following settings: an OIDC client dcatalog-client with two client roles assigned: dcatalog-admin and dcatalog-readonly.
I included a mapper called catalog with token claim name dcatalog-claim, and set up the user role mappings with the client role.
The access token then receives the new field, like this:

```json
  "scope": "openid profile email",
  "email_verified": false,
  "dcatalog-client": [
    "dcatalog-admin"
  ],
```

For me it works. I just need to configure policies for the newly imported groups.
b
This is incredible @chilly-analyst-561! Thank you. We have guides for Azure, Okta, and Google, but none yet for Keycloak. It'd be incredible to get it into a formal guide that can appear on datahubproject.io!
b
I've also connected DataHub and Keycloak for identity and group management, and this thread helped a lot, thanks! I wrote a blog post about it: https://www.syscrest.com/2022/11/datahub-oidc-identity-group-managment-with-keycloak/
r
Once the group is in DataHub, you can assign privileges to the "datahub" group via Settings > Permissions > Policies tab. Simply add the group in the final screen of the policy builder. This is the normal way to control the privileges for individual groups.
Please let me know if this works.
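The thread describes three steps that happen at login: the username is taken from the configured claim and trimmed by AUTH_OIDC_USER_NAME_CLAIM_REGEX, the group names are read from the claim named by AUTH_OIDC_GROUPS_CLAIM, and privileges only follow once a policy has been assigned to the resulting group. The script below is an added example that models those steps end to end; it is not DataHub's or Keycloak's code. The token claims, user identities, the policy table and the privilege names are constructed for illustration (the policy table stands in for what you build in Settings > Permissions > Policies, not DataHub's real policy schema), and the regex handling assumes that the first capture group of the regex becomes the username.

```python
import re

# Mirrors the AUTH_OIDC_* environment variables from the thread (default "groups" claim).
CONFIG_GROUPS_CLAIM = {
    "AUTH_OIDC_USER_NAME_CLAIM": "email",
    "AUTH_OIDC_USER_NAME_CLAIM_REGEX": r"([^@]+)",
    "AUTH_OIDC_EXTRACT_GROUPS_ENABLED": "true",
    "AUTH_OIDC_GROUPS_CLAIM": "groups",
}

# Same, but reading groups from a custom claim as in the Keycloak mapper solution above.
CONFIG_CUSTOM_CLAIM = dict(CONFIG_GROUPS_CLAIM, AUTH_OIDC_GROUPS_CLAIM="dcatalog-claim")

# Constructed ID-token claims. The shape follows the Keycloak token in the thread;
# the identities and the UUID prefix are placeholders, not real values.
TOKEN_WITH_GROUPS = {
    "scope": "openid profile email",
    "email_verified": False,
    "groups": ["00000000-0000-0000-0000-000000000000:superset_admin", "datahub"],
    "name": "Alice Example",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
}
TOKEN_CUSTOM_CLAIM = {
    "email": "bob@example.com",
    "dcatalog-claim": ["dcatalog-admin", "dcatalog-readonly"],
}
TOKEN_WITHOUT_GROUPS = {"email": "carol@example.com"}  # IdP sent no group claim at all

# Simplified policy table: policy name -> groups it is assigned to and privileges it grants.
# Privilege names are illustrative only.
POLICIES = {
    "datahub-admins": {
        "groups": {"datahub", "dcatalog-admin"},
        "privileges": {"MANAGE_POLICIES", "MANAGE_USERS_AND_GROUPS"},
    },
    "readonly": {"groups": {"dcatalog-readonly"}, "privileges": {"VIEW_ENTITY_PAGE"}},
}


def extract_username(claims, config):
    """Apply AUTH_OIDC_USER_NAME_CLAIM and, if set, the claim regex (first capture group)."""
    raw = claims.get(config["AUTH_OIDC_USER_NAME_CLAIM"])
    if not isinstance(raw, str) or not raw:
        raise ValueError("username claim missing from token")
    regex = config.get("AUTH_OIDC_USER_NAME_CLAIM_REGEX")
    if not regex:
        return raw
    match = re.search(regex, raw)
    if match is None:
        raise ValueError("username claim does not match AUTH_OIDC_USER_NAME_CLAIM_REGEX")
    return match.group(1) if match.groups() else match.group(0)


def extract_groups(claims, config):
    """Read group names from the configured claim; empty when extraction is off or absent."""
    if config.get("AUTH_OIDC_EXTRACT_GROUPS_ENABLED", "false").lower() != "true":
        return []
    value = claims.get(config["AUTH_OIDC_GROUPS_CLAIM"], [])
    if isinstance(value, str):  # some IdPs emit one string or a space-separated list
        value = value.split()
    return [g for g in value if isinstance(g, str) and g]


def resolve_privileges(groups, policies):
    """Union of privileges from every policy assigned to at least one of the user's groups."""
    granted = set()
    members = set(groups)
    for policy in policies.values():
        if policy["groups"] & members:
            granted |= policy["privileges"]
    return granted


def provision(claims, config, policies=POLICIES):
    """What JIT provisioning would produce for one login: user URN, group URNs, privileges."""
    username = extract_username(claims, config)
    groups = extract_groups(claims, config)
    return {
        "user_urn": f"urn:li:corpuser:{username}",
        "group_urns": [f"urn:li:corpGroup:{g}" for g in groups],
        "privileges": resolve_privileges(groups, policies),
    }


if __name__ == "__main__":
    for token, cfg in [(TOKEN_WITH_GROUPS, CONFIG_GROUPS_CLAIM),
                       (TOKEN_CUSTOM_CLAIM, CONFIG_CUSTOM_CLAIM),
                       (TOKEN_WITHOUT_GROUPS, CONFIG_GROUPS_CLAIM)]:
        print(provision(token, cfg))
```

The third token shows the failure mode worth checking when a user reports "no permissions" after login: the claim name in AUTH_OIDC_GROUPS_CLAIM must match the key the IdP actually emits, otherwise the user is provisioned with no groups and no policy can apply to them. Note also that the UUID-prefixed Keycloak group is ingested verbatim, so a policy must be assigned to that exact group name.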