When the is deployed on Azure, it can be configured to provide single sign-on (SSO) with Azure AD (Active Directory) authentication management. Use this section to enable auto-logins for Azure users.
Supported authentication models:
Users can authenticate with the using Azure AD accounts in the following scenarios:
Azure Data Lake Store: Users can obtain OAuth access and refresh tokens from AzureAD and use the tokens to access.
Domain-Joined Clusters: Using Azure AD, the can be deployed to a domain-joined HDInsight cluster and can run jobs as the authenticated AD user via secure impersonation. For more information, see Configure for HDInsight.
Azure Databricks Clusters: If you have integrated with an Azure Databricks cluster, please complete this configuration to enable SSO authentication for Azure. No additional configuration is required to enable SSO for Azure Databricks.
The Service Provider Application ID (Client ID) and Key (Secret) are used for user authentication to the Azure Key Vault, Azure AD, and Azure Data Lake Store (if connected). These properties are specified in the as part of the basic Azure configuration.
NOTE: The must be assigned the Reader role for the Azure Key Vault. Other permissions are also required. See the Azure Key Vault Permissions section below.
Scheduled jobs are run under the access keys for the user who initially created the schedule. They continue to run as scheduled until those keys are explicitly revoked by an admin.
NOTE: With Azure SSO enabled, use of custom dictionaries is not supported.
Please verify or perform the following configurations through Azure.
For the Azure Key Vault:
Please configure the following properties.
Set this value to
Set this value to the redirect URL callback configured for this Azure AD application in the Azure portal. The URL is in the following format:
Set this value to
This value defines the Azure AD resource for which to obtain an access token.
When using Azure Data Lake:
By default, the uses the public Azure AD endpoint for brokering single sign-on requests. As needed, you can configure the platform to submit these requests to a different authority., such as Azure Gov Cloud.
|azure.AADEndpoint||Azure Active Directory endpoint and authority.|
By default under SSO, manual logout and session expiration logout redirect to different pages. Manual logout directs you to SAML sign out, and session expiry produces a session expired page.
If desired, you can redirect the user to a different URL on session expiry:
Specify the URL of the page to which you wish to redirect users after a session has timed out:
Tip: After SSO is enabled, the first AD user to connect to the platform is automatically registered as an admin user.
Auto-registration must be enabled for the and for Azure AD SSO specifically.
|This property has no effect in Azure.|
|Set this value to |
How users are managed depends on whether auto-registration is enabled:
After SSO with auto-registration has been enabled, you can still manage users through the Admin Settings page, with the following provisions:
For more information, see Manage Users.
To disable auto-provisioning in the platform, please verify the following property:
Set the following property:
"webapp.sso.enableAutoRegistration" : false,
If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:
The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.
If a user has been disabled in Azure AD, a must disable the user in the . Otherwise, the user can still access the until the user's access token expires.
For more information on disabling user accounts, see Manage Users.
Users access the application through the :
For more information, see Enable SSO for Azure Relational Connections.