Hey Amna, I was able to get Okta working with the open source version of Airflow, with some limitations.
Have a look at:
https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-oauth

I implemented the Okta oauth_provider as mentioned in the doc, with an addition that seemed to be necessary in our case.

    from airflow.www.security import AirflowSecurityManager
    SECURITY_MANAGER_CLASS = AirflowSecurityManager

This got authentication working, but we face a similar issue to this <https://github.com/dpgaspar/Flask-AppBuilder/issues/1866> where groups aren't sent from Okta, so role mapping doesn't work. In our case, the instance is only used by a handful of groups so we make do with assigning everyone the same role, but obviously that will present issues in larger installs.

Although I'm just noticing the code below the OAuth setup in the doc to implement appbuilder.sm.oauth_user_info_getter... I might give that a try to see if I can extract groups from Okta. 🤔

Astronomer has built-in Okta support, so if you need full support that is another route to go.

Hope that helps!
Natalie

On Wed, Apr 17, 2024 at 9:20 AM Anjum, Amna <aan...@comerica.com> wrote:

> Hello,
>
> Comerica Bank is using Airflow as an automation tool for scheduling jobs to
> run at a specific time and we currently have Airflow configured to use LDAP
> for the login capabilities.
>
> A question came back regarding if Airflow can support Okta SSO – Single
> Sign on or whether it’s a limitation with the tool?
>
> Currently throughout Comerica we are only using LDAP so I was wondering if
> someone could share some insight on Airflow's SSO capabilities.
>
> Thank you.
>
> *Amna Anjum*
> Upcoming PTO: 4/25 (half day)
> Sr. Staff Engineer
> Data Engineering
> P: 248-371-4156 | C: 248-918-8358 | aan...@comerica.com
>
> Please be aware that if you reply directly to this particular message,
> your reply may not be secure.
> Do not use email to send us communications that contain unencrypted
> confidential information such as passwords, account numbers or Social
> Security numbers. If you must provide this type of information, please
> visit comerica.com to submit a secure form using any of the "Contact Us"
> forms. In addition, you should not send via email any inquiry or request
> that may be time sensitive. The information in this e-mail is confidential.
> It is intended for the individual or entity to whom it is addressed. If you
> have received this email in error, please destroy or delete the message and
> advise the sender of the error by return email.
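
Added example, not part of the original e-mail thread or of Airflow/Flask-AppBuilder: a stand-alone sketch of the group extraction that the reply's "groups aren't sent from Okta" and `oauth_user_info_getter` remarks point at, including the case where the claim is missing. It assumes the Okta authorization server has been configured to emit a `groups` claim in the userinfo response; the group names, sample payloads and function names are constructed for illustration.

```python
# Stand-alone logic: no Airflow or Flask-AppBuilder import is needed to run it.
# In a deployment, the same mapping would sit inside a security manager's
# oauth_user_info override in webserver_config.py.

# Constructed mapping in the shape of FAB's AUTH_ROLES_MAPPING setting.
# Group names are hypothetical; Admin/User/Viewer are Airflow's stock roles.
AUTH_ROLES_MAPPING = {
    "airflow-admins": ["Admin"],
    "data-engineering": ["User"],
}
DEFAULT_ROLE = "Viewer"  # least-privileged fallback when no group matches

# Constructed userinfo payloads (standard OIDC claims plus an assumed "groups").
SAMPLE_WITH_GROUPS = {
    "sub": "00u-constructed-1", "email": "alice@example.com",
    "preferred_username": "alice@example.com",
    "given_name": "Alice", "family_name": "Example",
    "groups": ["airflow-admins", "data-engineering", "Everyone"],
}
SAMPLE_NO_GROUPS = {"sub": "00u-constructed-2", "email": "bob@example.com"}


def okta_userinfo_to_fab(me: dict) -> dict:
    """Turn a userinfo payload into the user dict FAB works with."""
    groups = me.get("groups") or []      # claim absent or null -> empty list
    if isinstance(groups, str):          # tolerate a scalar value
        groups = [groups]
    return {
        "username": me.get("preferred_username") or me["email"],
        "email": me["email"],
        "first_name": me.get("given_name", ""),
        "last_name": me.get("family_name", ""),
        "role_keys": sorted(set(groups)),
    }


def resolve_roles(userinfo: dict) -> list:
    """Map role_keys to Airflow roles; unmapped users get DEFAULT_ROLE only."""
    roles = set()
    for key in userinfo["role_keys"]:
        roles.update(AUTH_ROLES_MAPPING.get(key, []))
    return sorted(roles) or [DEFAULT_ROLE]


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_GROUPS, SAMPLE_NO_GROUPS):
        info = okta_userinfo_to_fab(sample)
        print(info["username"], info["role_keys"], "->", resolve_roles(info))
```

When the claim is absent, `role_keys` comes back empty and the user lands on the least-privileged role instead of a shared elevated one.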