This procedure describes how to integrate AtScale with Azure Active Directory (Azure AD) over SAML, on the assumption that Azure AD and Active Directory are already configured.
There are a few options for this integration. Either Azure Active Directory Domain Services, or Azure AD synced with on-premises AD (AD Sync enabled), is required.
First, prepare the following on the AtScale side:
- Create a self-signed certificate and private key (or obtain a certificate from a certificate authority). This is the service-provider key pair you will upload in the AtScale SAML entry later; keep the private key on the AtScale host only.
- Note the User Unique ID Attribute from the Directory setting.
The next step is to configure the application in the Azure portal.
Log in to the Azure portal and go to Azure AD.
Go to Enterprise Applications and click on New Application and then click on Create your own application.
Enter the application name. You can choose either Register an application to integrate with Azure AD or Integrate any other application you don't find in the gallery (non-gallery); the non-gallery option is the one that leads to the SAML-based single sign-on settings used below.
Once the application is created, assign the users or groups who may access it, then set up single sign-on (SSO) with SAML.
Edit the Basic SAML Configuration. Replace <Hostname> with the AtScale hostname; these values must match exactly what AtScale publishes in its own metadata, including the scheme and port.
Entity ID: https://<Hostname>:10500/org/default
Reply URL: https://<Hostname>:10500/org/default/SAML2/AssertionConsumerService/POST
Sign on URL: https://<Hostname>:10500/org/default
Logout URL: https://<Hostname>:10500/org/default/SAML2/RequestSLO/POST
User Attributes & Claims
Depending on the AD sync configuration, the user identifier claim can be sourced from user.sAMAccountName or user.userprincipalname.
Note: the author's AD and Azure AD configuration differ slightly, so the userPrincipalName claim had to be parsed to obtain the sAMAccountName.
What you need to capture from this screen is the claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
This is a claim identifier, not a link to open; it is the value entered in the Attribute Mapping of the AtScale SAML entry.
Once that is done, go to the SAML Signing Certificate section.
Download the Federation Metadata XML and the Certificate (Base64).
AtScale SAML entry
Name your IdP (any name will do).
Attribute Mapping: the claim name captured earlier on the User Attributes & Claims screen, i.e. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Next, upload the IdP Federation Metadata XML downloaded from Azure.
Finally, upload AtScale's own certificate and private key (the self-signed pair created at the start).
Optionally, you can also browse to and upload the signing certificate downloaded from the IdP.
Verify the metadata by downloading the AtScale metadata and uploading it into the IdP; the Entity ID and Reply URL it contains must agree with the values entered in Basic SAML Configuration.
Then enable SAML login and click Update.
Verify the Integration
AtScale UI
If you have two-factor authentication (MFA) enabled on your account:
PowerBI
Excel
Adding a Warehouse with Impersonation
If you are logged in as Admin, you will not be able to see the database in Azure SQL, because the impersonation layer forwards the signed-in user's identity to Azure SQL rather than a shared service credential.
However, if you are logged in as an authorized user, you will see the following: