Verifying SSO in DAI
After you perform the steps to enable SSO in your DAI installation, there are a few ways to verify the success of your implementation. Following are some scenarios you can walk through to verify that single sign-on (SSO) with DAI is working correctly.
- First Login
- Subsequent Login
- Link Accounts (optional)
- Logout
- View My Account Details
- Update Account Details
- Access DAI as an Admin
First Login
Verify you experience the following process the first time you log into DAI with SSO:
- Enter your DAI URL (for example, type the domain without the path, https://{dai_domain}, into a browser).
- You should be redirected to Entra ID and prompted to log in with your Entra ID credentials. You should be able to log in successfully. Note that you may be required to complete multi-factor authentication instead of, or as well as, a username and password challenge.
- You are redirected back to DAI.
- You can access DAI. Any login failure is handled by Entra ID. Your first login creates a user in Keycloak that is linked to the Entra ID user. You can confirm this in the Keycloak Admin Console, or you can follow the View My Account Details or Access DAI as an Admin workflows, because these read their data from the Keycloak user records.
Subsequent Login
Follow the exact process described in First Login, but with a user who has already logged into DAI at least once. SSO is already configured for this user and an account should exist in Keycloak from the first login. This time you are checking that a second Keycloak user is not created, either in the Keycloak Admin Console or on the Manage Users page in DAI. If the claim mapping is not configured correctly, the login may fail with an error or create a duplicate account.
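The First Login and Subsequent Login checks above can be made repeatable against the Keycloak Admin REST API instead of clicking through the Admin Console: look up the user by e-mail, confirm exactly one record exists, and confirm that record carries a federated-identity link to the Entra ID broker. The script below is an added example written for this page, not DAI or Keycloak code. The Keycloak URL, realm name, identity-provider alias, admin account and the sample API responses are assumptions chosen for illustration.

```python
"""Verify that an SSO login produced exactly one Keycloak user linked to the
Entra ID identity provider, via the Keycloak Admin REST API.
Added example for this page; not part of DAI or Keycloak."""
import json
import urllib.parse
import urllib.request

# Assumed values: replace with your Keycloak base URL, the DAI realm name and
# the alias you gave the Entra ID identity provider when enabling SSO.
KEYCLOAK_URL = "https://keycloak.example.com"  # assumption
REALM = "dai"                                  # assumption
IDP_ALIAS = "entra-id"                         # assumption


def admin_token(base_url, username, password):
    """Obtain an admin access token from the master realm (admin-cli client)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def users_by_email(base_url, realm, token, email):
    """All users whose e-mail matches exactly; after SSO there should be one."""
    query = urllib.parse.urlencode({"email": email, "exact": "true"})
    return get_json(f"{base_url}/admin/realms/{realm}/users?{query}", token)


def federated_identities(base_url, realm, token, user_id):
    """Identity-provider links recorded for one user."""
    return get_json(
        f"{base_url}/admin/realms/{realm}/users/{user_id}/federated-identity", token)


def check_sso_user(users, links_by_user, idp_alias):
    """Pure check over already-fetched data. Returns (ok, list of findings)."""
    findings = []
    if not users:
        findings.append("no Keycloak user found: first login did not provision an account")
    elif len(users) > 1:
        names = ", ".join(u["username"] for u in users)
        findings.append(f"duplicate accounts for this e-mail ({names}): check the claim mapping")
    for user in users:
        linked = [link for link in links_by_user.get(user["id"], [])
                  if link.get("identityProvider") == idp_alias]
        if not linked:
            findings.append(
                f"user {user['username']} is not linked to identity provider '{idp_alias}'")
        if not user.get("enabled", False):
            findings.append(f"user {user['username']} is disabled")
    return (not findings, findings)


def verify_live(email, admin_user, admin_password,
                base_url=KEYCLOAK_URL, realm=REALM, idp_alias=IDP_ALIAS):
    """Run the check against a live Keycloak; call after the First and Subsequent Login tests."""
    token = admin_token(base_url, admin_user, admin_password)
    users = users_by_email(base_url, realm, token, email)
    links = {u["id"]: federated_identities(base_url, realm, token, u["id"]) for u in users}
    return check_sso_user(users, links, idp_alias)


# Constructed sample data shaped like Admin API responses (not captured from a real system).
# Healthy state after First Login: one user, linked to the Entra ID broker.
SAMPLE_USERS_OK = [{"id": "user-1", "username": "alice@example.com",
                    "email": "alice@example.com", "enabled": True}]
SAMPLE_LINKS_OK = {"user-1": [{"identityProvider": "entra-id", "userId": "oid-1",
                               "userName": "alice@example.com"}]}
# Failure state after Subsequent Login with a bad claim mapping: a second, unlinked user.
SAMPLE_USERS_DUP = SAMPLE_USERS_OK + [{"id": "user-2", "username": "alice",
                                       "email": "alice@example.com", "enabled": True}]
SAMPLE_LINKS_DUP = {**SAMPLE_LINKS_OK, "user-2": []}

if __name__ == "__main__":
    print(check_sso_user(SAMPLE_USERS_OK, SAMPLE_LINKS_OK, IDP_ALIAS))
    print(check_sso_user(SAMPLE_USERS_DUP, SAMPLE_LINKS_DUP, IDP_ALIAS))
```

Run `verify_live("alice@example.com", admin_user, admin_password)` once after the first login and again after the second; both runs should return `(True, [])`. A duplicate-accounts finding on the second run points at the claim mapping, and a not-linked finding means the user was created locally rather than brokered from Entra ID.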
Link Accounts
If you are installing a new DAI system then you can skip this account-linking step.
Verify that if you log in as an Entra ID user that existed in Keycloak before you enabled SSO, you are prompted to link to an existing account. The process is as follows:
- Enter your DAI URL (for example, type the domain without a path, https://{dai_domain}, into a browser).
- You should be redirected to Entra ID and prompted to log in.
- You should be able to log in successfully. This flow requires you to log in as an Entra ID user whose username already existed in Keycloak before you enabled SSO.
- You are redirected back to a Keycloak screen where you are informed that an account already exists and given the option to link the accounts.
- If you select to link the accounts, then you are logged into DAI as that user. If the Keycloak user you linked to had been granted access to or owned specific models, then you should still be able to access them as the linked Entra ID user.
Logout
Verify you can log out of DAI.
- From DAI, click Logout.
- You may briefly see a screen that informs you that you are being logged out, or a confirmation page that recommends you close your browser.
- If Entra ID redirects you back to Keycloak, then DAI redirects you to the login screen.
View My Account Details
Verify that you can see your account details.
- Log into DAI (see First Login above).
- Navigate to System > My Account. The My Account page is read-only with SSO enabled, because any changes you made in DAI/Keycloak would be overwritten with the data from Entra ID the next time you log in.
Update Account Details
This scenario simulates an update to a user's details in Entra ID by temporarily altering Keycloak's copy of that user. A subsequent login should then correct this disparity.
With a user account that has logged into DAI at least once, verify you can update their account details:
- From the Keycloak Admin Console, edit the user’s details, for example, change their family name.
- Log out.
- Log in again as the same user.
- Navigate to System > My Account.
- Confirm that your changes were reverted.
Access DAI as an Admin
Verify that you can access DAI as an Admin user:
- Follow the First Login flow to ensure you log in as a user with DAI Admin permissions. You could run similar tests to confirm that users configured with either DAI Users or DAI Viewers roles have the correct permissions when they access DAI.
- Navigate to System > Access > Manage Users. Only Admins can manage users, so if you can access this page you have been assigned the correct role. You should see a locked-down version of the Manage Users screens in which most operations are read-only.
That concludes the SSO verification steps.