Enabling Single Sign-on (SSO) Authentication in DAI
DAI includes Keycloak to manage user authentication and asset permissions. Beginning with DAI 7.1, you can configure Keycloak to enable single sign-on (SSO) using your company's identity and access management provider. This means users can log into multiple systems, including DAI, with one set of credentials.
Intended Audience: This topic is intended for DAI Administrators considering an SSO integration.
DAI supports integration with Microsoft Entra ID as an identity provider for SSO with either the OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) v2 protocols.
We encourage you to read on for a high-level understanding of how DAI integrates with an identity provider. For more information about how the integration works, see How Does Single Sign-On (SSO) Work in DAI?.
Your SSO configuration will be different depending on the configuration of your identity provider:
- If you want to integrate with Entra ID and OIDC, see Enabling SSO in DAI with Entra ID and OIDC.
- If you want to integrate Entra ID and SAML v2, see Enabling SSO with Entra ID and SAML v2.
If you have any questions about integrating with these identity providers, please contact our Customer Support.
What Does It Mean to Use SSO with DAI?
When you enable SSO with DAI, you can do the following:
- Log in once with one set of credentials, and be authenticated by your identity provider (Entra ID) to access multiple systems, including DAI, as described above.
- Log out once to log out of multiple systems, including DAI.
- Manage DAI roles (Users, Administrators, Viewers) centrally in your identity provider.
- Manage the following user management tasks centrally in your identity provider:
  - Creating and editing users
  - Managing credentials and configuring multi-factor authentication

Enabling SSO in Keycloak and managing users in your identity provider disables the user management options under Access and My Account in DAI.
Assigning Roles to Users
You can integrate SSO into pre-existing DAI installations. The SSO integration includes features to join existing DAI users with corresponding user accounts from your identity provider. This account association maintains users' asset permissions, such as access to models.
Configuration
You enable SSO after you finish installing DAI 7.1.0 or above.
The following gives you an idea of what enabling SSO involves on the identity provider and in DAI.
On the identity provider:
- Create and configure an application:
  - For Entra ID: this means configuring an Enterprise Application and an App Registration.
- Configure the claims that DAI needs by creating a claim mapping:
  - For Entra ID OIDC claim mapping: this means configuring Optional Claims and OIDC Permissions.
  - For Entra ID SAML claim mapping: this means configuring Attributes & Claims in the Single Sign-on configuration.
In DAI's Keycloak, add an Identity Provider integration to Keycloak as follows. For more information about enabling SSO in Keycloak, please see the Keycloak documentation.
- Create an inbound Claim Mapping to process the inbound claims.
- Modify the Keycloak Realm to use SSO-specific Themes for user administration tasks (as described in What Does It Mean to Use SSO with DAI? above).
- Configure the Authentication Flow in DAI so that SSO is the only authentication option available.
Configuration of the above tasks in DAI Keycloak is fully automated (via a command line tool we provide) based on a metadata file you can extract from your identity provider.
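Because the automated configuration is driven by the metadata file, it is worth checking that file before you use it. The following Python is an added example, not part of DAI or its command line tool. It assumes the SAML v2 route and a standard SAML 2.0 federation metadata XML file; the function name, host names and certificate value are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (placeholder values); deliberate flaw: logout endpoint is plain HTTP.
SAMPLE = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/tenant-placeholder/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://idp.example.test/saml2"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <SingleLogoutService Location="http://idp.example.test/logout"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_bytes):
    """Return a list of findings; an empty list means the basic checks passed."""
    # Metadata never needs a DTD; refuse it rather than risk entity expansion.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DOCTYPE/ENTITY declaration present, refusing to parse"]
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or idp is None:
        return ["not SAML 2.0 identity provider metadata"]
    findings = [] if root.get("entityID") else ["entityID missing"]
    # Login and logout endpoints must exist and be served over HTTPS.
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        endpoints = idp.findall("md:" + tag, NS)
        if not endpoints:
            findings.append("no %s endpoint" % tag)
        for ep in endpoints:
            if not ep.get("Location", "").startswith("https://"):
                findings.append("%s is not HTTPS: %s" % (tag, ep.get("Location")))
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        findings.append("no signing certificate")
    for text in certs:
        try:
            base64.b64decode("".join(text.split()), validate=True)
        except ValueError:
            findings.append("signing certificate is not valid base64")
    return findings
```

To check a real file, read it in binary mode and pass the bytes to `check_idp_metadata`; the certificate check only confirms the encoding, not the certificate's validity or expiry.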
After reading this summary, consider reading How Does Single Sign-On (SSO) Work in DAI? for information about how the integration works.