Skip to main content
Version: DAI 7.4

Enabling Single Sign-on (SSO) Authentication in DAI

DAI includes Keycloak to manage user authentication and asset permissions. Beginning with DAI 7.1, you can configure Keycloak to enable single sign-on (SSO) using your company's identity and access management provider. This means users can log into multiple systems, including DAI, with one set of credentials.

note

You enable SSO after you finish installing DAI version 7.1.0 or higher.

Intended Audience: This topic is intended for DAI Administrators considering an SSO integration.

DAI supports integration with Microsoft Entra ID as an identity provider for SSO with either the OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) v2 protocols.

We encourage you to read on for a high-level understanding of how DAI integrates with an identity provider. For more information about how the integration works, see How Does Single Sign-On(SSO) Work in DAI?.

Your SSO configuration will be different depending on the configuration of your identity provider:

Let's Work Together

If you have any questions about integrating with these identity providers, please contact our Customer Support.

What Does It Mean to Use SSO with DAI?

When you enable SSO with DAI, you can do the following:

  • Log in once with one set of credentials, and be authenticated by your identity provider (Entra ID) to access to multiple systems, including DAI as described above.
  • Log out once, to log out of multiple systems at once, including DAI.
  • Manage DAI roles (Users, Administrators, Viewers) centrally in your identity provider.
  • Manage the following user management tasks centrally in your identity provider:
    • Creating and editing users
    • Managing credentials and configuring multi-factor authentication
note

Enabling SSO in Keycloak and managing users in your identity provider, disables the user management options under Access and My Account in DAI.

Assigning Roles to Users

You can integrate SSO into pre-existing DAI installations. The SSO integration includes features to join existing DAI users with corresponding user accounts from your identity provider. This account association maintains users' asset permissions, such as access to models.

Configuration

The following gives you an idea of what enabling SSO involves on the identity provider and in DAI. As noted above, you enable SSO after you finish installing DAI (version 7.1.0 or higher).

On the identity provider:

  • Create and configure an application:
    • For Entra ID: this means configuring an Enterprise Application and an App Registration.
  • Configure the claims that DAI needs by creating a claim mapping:
    • For Entra ID OIDC claim mapping: this means configuring Optional Claims and OIDC Permissions.
    • For Entra ID SAML claim mapping: this means configuring Attributes & Claims in that Single Sign-on configuration.

In DAI's Keycloak, add an Identity Provider integration to Keycloak as follows. For more information about enabling SSO in Keycloak, please see the Keycloak documentation.

note

Configuration of the above tasks in DAI Keycloak is fully automated (via a command line tool we provide) based on a metadata file you can extract from your identity provider.

After reading this summary, consider reading How Does Single Sign-On (SSO) Work in DAI? for information about how the integration works.