How Does Single Sign-On (SSO) Work in DAI?
Enabling single sign-on (SSO) allows DAI to use an external identity provider, such as Microsoft Entra ID, to manage and authenticate users. When SSO is enabled, DAI integrates the user management and authentication features of the identity provider with its embedded identity and access management (IAM) provider, Keycloak. This page provides a brief summary of how you can implement SSO with DAI.
Intended Audience: This topic is intended for DAI Administrators considering an SSO integration.
DAI supports integration with Microsoft Entra ID (formerly “Azure AD”) as an identity provider using either the OpenID Connect (OIDC) or the Security Assertion Markup Language (SAML) v2 protocol. Below are links to information about these options:
We recommend reading the rest of this page before the pages linked below, so that you understand how the integration works before you begin to configure it.
- For information about integrating with Entra ID and OIDC, see Enabling SSO in DAI with Entra ID and OIDC.
- For information about integrating with Entra ID and SAML v2, see Enabling SSO in DAI with Entra ID and SAML v2.
When we talk about SSO integration with DAI, we're talking about its embedded access and identity provider: Keycloak.
How it works
The following diagram summarizes how user data is maintained and shared between DAI and your identity provider.
Where are User and Asset Data Stored?
When SSO is enabled for DAI, user data is managed by the identity provider, while asset data and access control are managed by Keycloak, as described below.
The Identity Provider Manages User Data
Users and their credentials are created and managed exclusively by the identity provider (Microsoft Entra ID). The assignment of roles to users (DAI Viewer, User, or Admin) is also managed exclusively by the identity provider. When a user logs in to DAI for the first time, Keycloak creates a local copy of that user based on the information it receives from the identity provider.
DAI Manages Model Access
DAI (specifically, Keycloak) continues to own and manage its access groups and their membership. DAI access groups are not stored in the identity provider and play no part in SSO; they are unrelated to any groups in your identity provider. DAI uses these groups to control access to DAI models.
Keycloak keeps a copy of the users and their role assignments and aligns it with data from the identity provider each time a user logs in.