Enabling SSO in DAI with Entra ID and OIDC
This page describes the steps necessary to configure Single Sign-On (SSO) between DAI and Microsoft Entra ID (formerly "Azure AD") using the OpenID Connect (OIDC) protocol. It describes how Entra ID and DAI's embedded identity and access management provider (Keycloak) are configured to integrate with one another.
Intended Audience: This topic is intended for DAI Administrators considering an SSO integration.
For more information about the benefits of integrating SSO with DAI, see How Does Single Sign-On (SSO) Work with DAI?. For information about integrating with Entra ID and the SAML v2 protocol, see Enabling SSO in DAI with Entra ID and SAML v2.
This page provides specific instructions for configuring Keycloak and an example of how Entra ID might be configured. Every organization's identity management configuration is different, and misconfiguration can have significant consequences, so your final design and roll-out plan must follow your own specifications. If your Entra ID configuration is incompatible with the example provided here, please contact our Customer Support to see how we can help.
Prerequisites
To integrate DAI with Entra ID, your environment must meet the following prerequisites for Entra ID, DAI, and Networking.
Entra ID

- Your organization must have a Microsoft Azure account that you can use to configure Microsoft Entra ID.
- Users and groups in Entra ID:
  - The users that need to access DAI must already exist in Entra ID.
  - You can optionally create groups in Entra ID to represent the DAI Administrator, User, and Viewer roles. Alternatively, you can map users directly to Entra ID application roles when you create your application, as described in 3. Create Application Roles below.

DAI

- If you have an existing DAI installation with local users in Keycloak, you can still enable SSO. Keycloak can join and convert these local accounts into SSO-integrated user accounts on the users' first SSO login. Linking accounts this way is beneficial because your users will not lose access to any of their models. If your local usernames do not align with the usernames in Entra ID, you can change them by configuring Keycloak to temporarily allow this. See Editing Usernames for SSO for instructions. If you are using Eggplant Cloud, please contact our Customer Support for assistance.
- You need at least one user account (preferably a DAI Administrator account) in Entra ID that you can use to verify your SSO integration. Successfully logging into DAI with this user verifies that your SSO integration succeeded.
- If your DAI installation is on-premises ("on-prem"), rather than hosted in Eggplant Cloud, you also need to verify the following:
  - If you are configuring an existing system, back up your DAI system in the same way you would if you were upgrading DAI to a newer version. See Install or Upgrade Eggplant DAI on Windows for information about backing up DAI. This helps to ensure that users do not lose access to their data if something unexpected occurs during the integration.
  - DAI 7.1 or above must be installed. Enabling SSO is a separate process that can be performed after DAI is installed.
  - DAI must be set up to use Transport Layer Security (TLS). See Run an Advanced Install for information about setting up DAI to use TLS. Active Directory will not integrate with a DAI installation that uses plain HTTP.

Network

- If you are not using Eggplant Cloud, verify that Keycloak can make HTTPS calls to Entra ID on the ports that Entra ID is configured to use (typically 443).
- End users' workstations must have access to the Entra ID login screens and SAML endpoints.
- Entra ID must be able to make HTTPS calls to Keycloak so that when users log out of one system, they are logged out of any others.
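The TLS and network requirements above can be checked before anyone touches Keycloak. The following Python script is an added example written for this page; it is not part of DAI, Keycloak or Entra ID. It confirms that the DAI URL is served over HTTPS, validates that a tenant's OIDC discovery document carries the expected v2.0 issuer and exposes the endpoints that Keycloak (server side) and end-user browsers must reach over HTTPS, and includes a live fetch of the discovery document that you can run from the Keycloak host to prove outbound connectivity. DAI_BASE_URL, TENANT_ID and SAMPLE_DISCOVERY are constructed placeholders.

```python
"""Pre-flight checks for the DAI / Entra ID OIDC prerequisites.

Added example; not part of the DAI documentation or product.
Assumptions: DAI_BASE_URL and TENANT_ID are constructed placeholders, and
Entra ID publishes its OIDC discovery document at the standard v2.0 path.
"""
import json
import urllib.request
from urllib.parse import urlparse

DAI_BASE_URL = "https://dai.example.com"                # constructed placeholder
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # constructed placeholder

# Endpoints that Keycloak (server side) and end-user browsers must reach over HTTPS.
REQUIRED_ENDPOINTS = (
    "authorization_endpoint",  # browser: Entra ID login screen
    "token_endpoint",          # Keycloak -> Entra ID
    "jwks_uri",                # Keycloak -> Entra ID (token signing keys)
    "end_session_endpoint",    # single logout
)


def discovery_url(tenant_id: str) -> str:
    """Standard location of the tenant's v2.0 OIDC discovery document."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def expected_issuer(tenant_id: str) -> str:
    """Issuer value a v2.0 discovery document for this tenant carries."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_dai_url(url: str) -> list:
    """The prerequisites require DAI to be served over TLS, so reject anything but https."""
    parsed = urlparse(url)
    issues = []
    if parsed.scheme != "https":
        issues.append(f"DAI URL {url!r} is not https; enable TLS before configuring SSO")
    if not parsed.netloc:
        issues.append(f"DAI URL {url!r} has no host")
    return issues


def check_discovery(doc: dict, tenant_id: str) -> list:
    """Validate a discovery document: right issuer, all required endpoints present over https."""
    issues = []
    if doc.get("issuer") != expected_issuer(tenant_id):
        issues.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer(tenant_id)!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            issues.append(f"discovery document lacks {key}")
        elif urlparse(value).scheme != "https":
            issues.append(f"{key} {value!r} is not https")
    return issues


def fetch_discovery(tenant_id: str, timeout: float = 10.0) -> dict:
    """Live check: run on the Keycloak host to prove outbound HTTPS to Entra ID works."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of the fields a real discovery document contains (abbreviated).
SAMPLE_DISCOVERY = {
    "issuer": expected_issuer(TENANT_ID),
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
}


def preflight(dai_url: str, tenant_id: str, discovery: dict) -> list:
    """Combine the offline checks; an empty list means the prerequisites look satisfied."""
    return check_dai_url(dai_url) + check_discovery(discovery, tenant_id)


if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_discovery(TENANT_ID) for a live check.
    problems = preflight(DAI_BASE_URL, TENANT_ID, SAMPLE_DISCOVERY)
    print("OK" if not problems else "\n".join(problems))
```

Run it once with the constructed sample to see the checks pass, then replace the sample with `fetch_discovery(TENANT_ID)` on the Keycloak host: a timeout or TLS error there points at the firewall or proxy between Keycloak and Entra ID rather than at the SSO configuration itself.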
Setting up an Application Integration in Entra ID
The following steps summarize the process for setting up an application integration for DAI in Entra ID.
1. Create an Application in Entra ID
The following steps describe how to create an application in Entra ID. For more information about creating an application in Entra ID, see Quickstart: Register an app in the Microsoft identity platform.
- In Entra ID, select Enterprise Applications and then click Create your own application from the top menu.
- Fill in the information about your application (your DAI instance) as follows:

  Field Name | Value
  ---|---
  What is the name of your app? | An arbitrary name you want to assign to this Enterprise Application. These examples use the name Eggplant Test for the application. (See the note below.)
  What are you looking to do with your application? | Select the option: Integrate any other application you don't find in the gallery (non-gallery).

  Note: If you have a complex setup with multiple instances of Eggplant Test, you need to be able to distinguish the instances. For example, name one of your instances Eggplant Test (production) to distinguish it from the other instances.

- Click Create. A details page for this new application opens.
2. Configure the App Registration
- Navigate back to the Entra ID landing page and select App Registrations from the left navigation menu.
- Select All applications and search for the application you just created for DAI (for example, Eggplant Test).
- When you find your application, click it to bring up the details.
- Amend the manifest by selecting Manifest from the left navigation menu and ensuring the following attributes are added or updated in the JSON (shown here as a fragment of the full manifest):

  ```json
  {
    "accessTokenAcceptedVersion": 2,
    "tags": [
      "WindowsAzureActiveDirectoryIntegratedApp"
    ]
  }
  ```

- Click Save.
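Hand-editing the manifest is easy to get subtly wrong (a null accessTokenAcceptedVersion left in place, or an existing tags array overwritten). The following Python script is an added example written for this page, not from the DAI documentation or from Microsoft: it reports what is still missing from a manifest JSON, applies the two attributes without disturbing other tags, and decodes the ver claim of an access token to confirm that Entra ID is issuing v2.0-format tokens, which is what accessTokenAcceptedVersion: 2 requests. SAMPLE_MANIFEST and SAMPLE_V2_TOKEN are constructed; the token carries no real signature and the decoder deliberately does not verify one.

```python
"""Checks for the two manifest attributes the step above requires, plus a
look at the token version Entra ID issues as a result.

Added example; not from the DAI documentation or from Microsoft. It assumes
the manifest JSON as shown in the portal's Manifest blade. SAMPLE_MANIFEST
and SAMPLE_V2_TOKEN are constructed; the token has no real signature.
"""
import base64
import copy
import json

REQUIRED_TAG = "WindowsAzureActiveDirectoryIntegratedApp"
REQUIRED_TOKEN_VERSION = 2


def manifest_issues(manifest: dict) -> list:
    """Report what still has to change in the manifest before saving it."""
    issues = []
    if manifest.get("accessTokenAcceptedVersion") != REQUIRED_TOKEN_VERSION:
        issues.append(
            f"accessTokenAcceptedVersion is {manifest.get('accessTokenAcceptedVersion')!r}, "
            f"expected {REQUIRED_TOKEN_VERSION}"
        )
    if REQUIRED_TAG not in (manifest.get("tags") or []):
        issues.append(f"tags does not contain {REQUIRED_TAG!r}")
    return issues


def apply_required_settings(manifest: dict) -> dict:
    """Return a copy of the manifest with both attributes set; existing tags are kept."""
    fixed = copy.deepcopy(manifest)
    fixed["accessTokenAcceptedVersion"] = REQUIRED_TOKEN_VERSION
    tags = list(fixed.get("tags") or [])
    if REQUIRED_TAG not in tags:
        tags.append(REQUIRED_TAG)
    fixed["tags"] = tags
    return fixed


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_version(jwt: str) -> str:
    """Read the 'ver' claim from an Entra ID access token.

    This only decodes the payload to inspect the claim; it does NOT verify the
    signature, so use it for diagnosing format mismatches, never for authorization.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return str(claims.get("ver", ""))


# Constructed: what a freshly created registration typically shows before editing.
SAMPLE_MANIFEST = {
    "id": "00000000-0000-0000-0000-000000000000",   # placeholder
    "accessTokenAcceptedVersion": None,
    "tags": [],
}

# Constructed v2.0-format token; "sig" stands in for the signature segment.
SAMPLE_V2_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({
        "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
        "aud": "client-id-placeholder",
        "ver": "2.0",
        "preferred_username": "admin@example.com",
    }),
    "sig",
])


if __name__ == "__main__":
    print(manifest_issues(SAMPLE_MANIFEST))
    print(json.dumps(apply_required_settings(SAMPLE_MANIFEST), indent=2))
    print("token ver:", token_version(SAMPLE_V2_TOKEN))
```

Paste the manifest from the portal into a file, load it with json.load and run manifest_issues on it before and after editing; once SSO is live, token_version on an access token Keycloak received confirms the setting took effect (a "1.0" means the manifest change was not saved or not yet propagated).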