When the is deployed on Azure, it can be configured to provide single sign-on (SSO) with Azure AD (Active Directory) authentication management. Use this section to enable auto-logins for Azure users.
Supported authentication models:
Users can authenticate with the using Azure AD accounts in the following scenarios:
Azure Data Lake Store: Users can obtain OAuth access and refresh tokens from Azure AD and use the tokens to access ADLS.
Domain-Joined Clusters: Using Azure AD, the can be deployed to a domain-joined HDInsight cluster and can run jobs as the authenticated AD user via secure Hadoop impersonation. For more information, see Configure for HDInsight.
The Service Provider Application ID (Client ID) and Key (Secret) are used for user authentication to the Azure Key Vault, Azure AD, and Azure Data Lake Store (if connected). These properties are specified in the as part of the basic Azure configuration.
NOTE: The must be assigned the Reader role for the Azure Key Vault. Other permissions are also required. See the Azure Key Vault Permissions section below.
NOTE: With Azure SSO enabled, use of custom dictionaries is not supported.
Please verify or perform the following configurations through Azure.
For the Azure Key Vault:
Please configure the following properties.
Set this value to
Set this value to the redirect URL callback configured for this Azure AD application in the Azure portal. The URL is in the following format:
Set this value to
This value defines the Azure AD resource for which to obtain an access token.
This default value requires that the application be granted access to the Azure Data Lake API permissions, which is expected in the default Azure deployment.
Tip: After SSO is enabled, the first AD user to connect to the platform is automatically registered as an admin user.
Auto-registration must be enabled for the and for Azure AD SSO specifically.
|This property has no effect in Azure.|
|Set this value to |
How users are managed depends on whether auto-registration is enabled:
After SSO with auto-registration has been enabled, you can still manage users through the Admin Settings page, with the following provisions:
For more information, see Manage Users.
To disable auto-provisioning in the platform, please verify the following property:
Set the following property:
"webapp.sso.enableAutoRegistration" : false,
If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:
The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.
If a user has been disabled in Azure AD, a must disable the user in the . Otherwise, the user can still access the .
For more information on disabling user accounts, see Manage Users.
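Because a user disabled in Azure AD keeps access until the account is also disabled in the platform, a periodic reconciliation of the two user lists catches accounts that were missed. The following is an added example, not code from the product: it compares a Microsoft Graph user listing (`userPrincipalName`, `accountEnabled`) with a platform user export and, going slightly beyond the case above, also flags principals that no longer exist in Azure AD. The export field names `ssoPrincipal`, `isDisabled` and `isAdmin` are assumptions, and all sample data is constructed.

```python
import json

# Constructed sample: shape of a Microsoft Graph /users listing selected with
# userPrincipalName and accountEnabled (values are made up).
GRAPH_USERS_JSON = """
{"value": [
  {"userPrincipalName": "alice@example.com", "accountEnabled": true},
  {"userPrincipalName": "Bob@Example.com",   "accountEnabled": false},
  {"userPrincipalName": "carol@example.com", "accountEnabled": true}
]}
"""

# Constructed sample: hypothetical export of platform users. The field names
# are assumptions for this example, not the product's schema.
PLATFORM_USERS_JSON = """
[
  {"ssoPrincipal": "alice@example.com", "isDisabled": false, "isAdmin": true},
  {"ssoPrincipal": "bob@example.com",   "isDisabled": false, "isAdmin": false},
  {"ssoPrincipal": "dave@example.com",  "isDisabled": false, "isAdmin": true},
  {"ssoPrincipal": "carol@example.com", "isDisabled": true,  "isAdmin": false}
]
"""

def stale_platform_users(graph_json, platform_json):
    """Return enabled platform accounts whose Azure AD account is disabled
    or missing, with admin accounts listed first."""
    # Principals are compared case-insensitively.
    ad_enabled = {
        u["userPrincipalName"].strip().lower(): bool(u.get("accountEnabled"))
        for u in json.loads(graph_json)["value"]
    }
    findings = []
    for user in json.loads(platform_json):
        if user.get("isDisabled"):
            continue  # already blocked in the platform
        principal = user["ssoPrincipal"].strip().lower()
        if principal not in ad_enabled:
            reason = "not found in Azure AD"
        elif not ad_enabled[principal]:
            reason = "disabled in Azure AD"
        else:
            continue
        findings.append({"principal": principal, "reason": reason,
                         "admin": bool(user.get("isAdmin"))})
    return sorted(findings, key=lambda f: (not f["admin"], f["principal"]))

if __name__ == "__main__":
    for finding in stale_platform_users(GRAPH_USERS_JSON, PLATFORM_USERS_JSON):
        print(finding)
```

Each finding is an account to disable in the platform; the admin flag helps prioritize, since the first AD user to connect is registered as an admin.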
Users access the application through the :