DAI includes Keycloak to manage user authentication and asset permissions. Beginning with DAI 7.1, you can configure Keycloak to enable single sign-on (SSO) using your company's identity and access management provider, so that users can log in to multiple systems, including DAI, with one set of credentials.
DAI supports integration with the following identity providers for SSO:
- Microsoft Active Directory Federation Services (ADFS) with either OIDC or SAML v2
- Microsoft Entra ID with OIDC and SAML v2
Your SSO configuration will differ depending on your identity provider (ADFS or Entra ID) and the protocol you use (SAML or OIDC). If you’re interested in enabling SSO in your DAI installation, please contact your technical success manager or customer support. We can provide you with configuration guides specific to your setup and work with you to make your integration a success.
What Does It Mean to Use SSO with DAI?
When you enable SSO with DAI, you can do the following:
- Log in once with one set of credentials, be authenticated by your identity provider (ADFS or Entra ID), and access multiple systems, including DAI.
- Log out once to log out of multiple systems at once, including DAI.
- Manage DAI roles (Users, Administrators, Viewers) centrally in your identity provider. For example, you can use Application Roles in Entra ID or Security Groups in ADFS.
- Manage the following user management tasks centrally in your identity provider:
  - Creating and editing users
  - Managing credentials and configuring multi-factor authentication
  - Assigning roles to users
Once SSO is enabled in Keycloak and users are managed in your identity provider, the user management options under Access and My Account in DAI are disabled.
You can integrate SSO into pre-existing DAI installations. The SSO integration includes features to join existing DAI users with corresponding user accounts from your identity provider. This account association maintains users' asset permissions, such as access to models.
You enable SSO after you finish installing DAI 7.1.0 or above.
The following gives you an idea of what enabling SSO involves on the identity provider and in DAI.
On the identity provider:
Create and configure an application:
- For Entra ID: configure Enterprise Application and App Registration.
- For ADFS: configure Relying Party Trust or Application Group.
Configure the claims that DAI needs by creating a claim mapping:
- For Entra ID OIDC claim mapping: configure Optional Claims and OIDC Permissions.
- For Entra ID SAML claim mapping: configure Attributes & Claims in the application's Single sign-on configuration.
- For ADFS claim mapping: configure Issuance Transform Rules or Claim Issuance Policies.
In DAI's Keycloak:
- Add an Identity Provider integration for your ADFS or Entra ID application. For more information about identity provider configuration in Keycloak, see the Keycloak documentation.
- Create inbound claim mappers to process the inbound claims, for example mapping an Application Role or Security Group claim to the corresponding DAI role.
- Configure the Authentication Flow so that SSO is the only authentication option available.
These Keycloak tasks are fully automated by a command line tool we provide, driven by a metadata file you extract from your identity provider.
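The following is an added example, not DAI's command line tool and not code from the DAI or Keycloak projects. It shows what the automation described above has to produce for an Entra ID OIDC integration, and how the role mapping described under "Manage DAI roles" looks on the Keycloak side: it reads the provider's OIDC discovery document (a constructed sample with a placeholder tenant id is embedded), checks it before trusting it, and emits the Keycloak identity provider representation plus one Claim to Role mapper per DAI role, matching the Entra ID Application Role values carried in the ID token's `roles` claim to realm roles. The alias, client id, client secret, realm role names and Application Role values (`DAI.Administrator` and so on) are placeholders you would replace with your own; the JSON keys follow Keycloak's admin REST API representations.

```python
"""Build a Keycloak OIDC identity-provider representation and DAI role
mappers from an OIDC discovery document.

Added, hypothetical helper: not DAI's CLI tool and not Keycloak code.
The discovery document is constructed sample data in the shape Entra ID
serves at /.well-known/openid-configuration; tenant id, client id, role
names and Application Role values are placeholders.
"""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder tenant id).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
  "end_session_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout",
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

# Keycloak realm role (placeholder name) -> Entra ID Application Role value
# that appears in the ID token's `roles` claim. Adjust both sides to your realm.
ROLE_CLAIM_MAP = {
    "administrator": "DAI.Administrator",
    "user": "DAI.User",
    "viewer": "DAI.Viewer",
}

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_discovery(doc):
    """Return a list of problems; empty means the document is safe to use.
    The jwks_uri decides whose signatures Keycloak will accept, so every
    endpoint must be https and live on the issuer's host."""
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    for key in REQUIRED:
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    issuer_host = urlparse(doc.get("issuer", "")).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).netloc != issuer_host:
            problems.append(f"{key} host differs from issuer host")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("issuer does not advertise RS256 ID tokens")
    return problems


def build_identity_provider(doc, alias, client_id, client_secret):
    """Keycloak IdentityProviderRepresentation for an OIDC provider.
    Signature validation against the issuer's JWKS stays on; the client
    secret is sent with client_secret_post; FORCE sync re-applies mappers
    on every login so role removals in Entra ID propagate to Keycloak."""
    problems = validate_discovery(doc)
    if problems:
        raise ValueError("; ".join(problems))
    config = {
        "issuer": doc["issuer"],
        "authorizationUrl": doc["authorization_endpoint"],
        "tokenUrl": doc["token_endpoint"],
        "jwksUrl": doc["jwks_uri"],
        "useJwksUrl": "true",
        "validateSignature": "true",
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_post",
        "defaultScope": "openid profile email",
        "syncMode": "FORCE",
    }
    if "end_session_endpoint" in doc:
        config["logoutUrl"] = doc["end_session_endpoint"]  # enables single logout
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,
        "config": config,
    }


def build_role_mappers(alias, claim_name="roles", role_map=ROLE_CLAIM_MAP):
    """One Claim to Role mapper (oidc-role-idp-mapper) per DAI role: when the
    claim contains the Application Role value, grant the matching realm role."""
    return [
        {
            "name": f"{alias}-{kc_role}",
            "identityProviderAlias": alias,
            "identityProviderMapper": "oidc-role-idp-mapper",
            "config": {
                "syncMode": "FORCE",
                "claim": claim_name,
                "claim.value": claim_value,
                "role": kc_role,
            },
        }
        for kc_role, claim_value in role_map.items()
    ]


if __name__ == "__main__":
    idp = build_identity_provider(SAMPLE_DISCOVERY, "entra", "client-id", "secret")
    print(json.dumps({"idp": idp, "mappers": build_role_mappers("entra")}, indent=2))
```

The validation step is the part worth keeping even if you never generate the JSON this way: the identity provider configuration tells Keycloak where to fetch signing keys, so an `http` endpoint or a `jwks_uri` on a host other than the issuer's would let whoever controls that host mint ID tokens that DAI accepts. The generated representations can be posted to the admin REST API (`identity-provider/instances`, then `identity-provider/instances/{alias}/mappers`) or passed to `kcadm.sh`; keep the realm role names aligned with the roles your DAI realm actually defines.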