When the Trifacta® platform is deployed on Azure, it can be configured to provide single sign-on (SSO) with Azure AD (Active Directory) authentication management. Use this section to enable auto-logins for Azure users.
- If auto-provisioning is not desired, after completing the basic configuration, you can disable auto-provisioning using the steps listed in the Advanced Configuration section.
- Single Sign-On (SSO) authentication enables users to authenticate one time to access multiple systems. The SSO platform must translate its authentication into authentication methods executed against each system under SSO control. For more information, see https://en.wikipedia.org/wiki/Single_sign-on.
- When enabled, SSO also applies to the Wrangler Enterprise desktop application, if it is installed.
Supported authentication models:
Users can authenticate with the Trifacta platform using Azure AD accounts in the following scenarios:
- Azure AD is the identity provider,
- Azure AD is federated through a trust setup with a supported external identity provider,
- Azure AD is federated with on-premises Active Directory and Active Directory Federation Services (ADFS).
Azure Data Lake Store: Users can obtain OAuth access and refresh tokens from AzureAD and use the tokens to access ADLS.
Domain-Joined Clusters: Using Azure AD, the Trifacta platform can be deployed to a domain-joined HDInsight cluster and can run jobs as the authenticated AD user via secure Hadoop impersonation. For more information, see Configure for HDInsight.
- You have installed the Trifacta platform on Microsoft Azure. See Install from Azure Marketplace.
- You have performed the basic configuration for Azure integration. See Configure for Azure.
- Your enterprise uses Azure SSO for User Identity and Authentication.
- The Trifacta platform must be registered as a Service Provider in your Azure AD tenant.
- Please acquire the following Service Provider properties:
The Service Provider Application ID (Client ID) and Key (Secret) are used for user authentication to the Azure Key Vault, Azure AD, and Azure Data Lake Store (if connected). These properties are specified in the Trifacta platform as part of the basic Azure configuration.
NOTE: The Trifacta platform must be assigned the Reader role for the Azure Key Vault. Other permissions are also required. See the Azure Key Vault Permissions section below.
- The Service Provider Reply URL provides the redirect URL after the user has authenticated with Azure AD.
- The Service Provider should be granted Delegated permissions to the Windows Azure Service Management API so it can access Azure Service Management as organization users.
- When Azure SSO is enabled, use of the command line interface (CLI) and the publicly available REST APIs is not supported.
- Scheduled jobs are run under the access keys for the user who initially created the schedule. They continue to run as scheduled until those keys are explicitly revoked by an admin.
NOTE: With SSO enabled, admin users must verify that the dictionaries directory is accessible to all Trifacta users. This directory is specified in
hdfs.pathsConfig.dictionaries in platform configuration.
Configure Azure AD for Trifacta platform
Please verify or perform the following configurations through Azure.
Azure Key Vault Permissions
For the Azure Key Vault:
- The Trifacta application must be assigned the Reader permission to the key vault.
- For the Key Vault Secrets, the application must be assigned the Set, Get, and Delete permissions.
Configure Trifacta platform for Azure AD
Azure AD Properties
Please configure the following properties.
Set this value to
|Set this value to the redirect URL callback configured for this Azure AD application in the Azure portal.|
Set this value to
Tip: After SSO is enabled, the first AD user to connect to the platform is automatically registered as an admin user.
Auto-registration must be enabled for the Trifacta platform and for Azure AD SSO specifically.
|This property has no effect in Azure.|
|Set this value to |
How users are managed depends on whether auto-registration is enabled:
- If auto-registration is enabled, after users provide their credentials, the account is automatically created for them.
- If auto-registration is disabled, a Trifacta administrator must still provision a user account before it is available. See below.
After SSO with auto-registration has been enabled, you can still manage users through the Admin Settings page, with the following provisions:
- The Trifacta platform does not recheck for attribute values on each login. If attribute values change in LDAP, they must be updated in the User Management page, or the user must be deleted and recreated through auto-provisioning.
- If the user has been removed from AD, the user cannot sign in to the platform.
- If you need to remove a user from the platform, you should consider just disabling the user through the User Management area.
For more information, see Manage Users.
To disable auto-provisioning in the platform, please verify the following property:
- You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json. For more information, see Platform Configuration Methods.
Set the following property:
- Save your changes and restart the platform.
- New users of the Trifacta platform must be provisioned by a Trifacta administrator. See below.
Provision new users under SSO without auto-registration
If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:
The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.
- If you are connected to a Hadoop cluster, you must provision the Hadoop principal value.
- See Create User Account.
- Admin accounts can be created through the application. See Create Admin Account.
Users acess the application through the Trifacta login page:
This page has no comments.