Configuring SSO with Azure Active Directory / Entra ID
This page explains how to enable Single Sign On (SSO) via your Azure Active Directory service and use AD groups to manage roles in KADA. The authentication method used is OpenID Connect (OAuth 2.0).
There are 4 key steps to enable SSO.
This function is restricted to K Administrators
Step 1. Register K in your Azure Active Directory
Log in to your company’s Azure Portal and open the Azure Active Directory page
Select App Registration in the side panel and click New registration
Complete the registration form.
Follow your company’s standard policy for the Supported account types
Leave the Redirect URL blank. We will complete this later
Click on the newly created KADA App
Save the Application (client) ID for use in a later step
Click on Endpoints and save the URL for OpenID Connect metadata document for use in a later step
Select Certificates & secrets in the side panel and click New client secret
Complete the new secret form and save the Secret Value for use in a later step
Select API permissions in the side panel and click Grant admin consent for [tenant]. This will allow the application to read and authenticate requests
Make sure you’ve saved the following information for easy access in the next process. If a different team is responsible for completing the Keycloak steps, make sure you include the information below in the request.
Application (client) ID
URL for OpenID Connect metadata document
Secret value
Step 2. Connecting K to your Azure Active Directory
Log in to your K platform instance ([customer].kada.ai)
Select Platform Settings in the side bar
In the pop-out side panel, under Administrations, click on Customisation
Under Platform Setup, toggle on Enable Single Sign On
Click on Configure Single Sign On
Select Identity Providers in the side panel and click Add Provider
Choose OpenIDConnect v1.0 from the drop down list
Go to Discovery endpoint and paste the URL for OpenID Connect metadata document that you copied in the previous step
Update the following information
Alias - The alias cannot contain any characters that require URL encoding, e.g. spaces. Copy this name if you plan to only allow SSO identities and disable local user logins.
Display Name - This is the name that users select on the Log In page to access via SSO (see the screenshot below, where the display name was “Sign in with Azure AD”)
Client Authentication - Set to Client secret sent as basic auth
Client ID - Paste the Application (client) ID saved from the previous step
Client Secret - Paste the Secret Value saved from the previous step
Copy the Redirect URL for use in a later step
The below Log In option will now appear the next time you try to log in to KADA
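A pre-flight check of the Step 2 values, as an added example that is not part of KADA or Keycloak: it validates the Alias and checks a saved copy of the OpenID Connect metadata document before the URL is pasted into Discovery endpoint. The function name, the placeholder tenant ID and the sample metadata are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an OpenID Connect metadata document (trimmed).
# The tenant ID is a placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_DISCOVERY_URL = f"{BASE}/v2.0/.well-known/openid-configuration"
SAMPLE_METADATA = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
}

def check_sso_inputs(alias, discovery_url, metadata):
    """Return a list of problems in the Step 2 values (empty list means OK)."""
    problems = []
    # Alias: allow only RFC 3986 unreserved characters, which never need URL encoding.
    if not re.fullmatch(r"[A-Za-z0-9._~-]+", alias):
        problems.append("alias contains characters that require URL encoding")
    url = urlparse(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL is not https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("discovery URL is not an OpenID Connect metadata document")
    # The issuer must be an https URL.
    if urlparse(str(metadata.get("issuer", ""))).scheme != "https":
        problems.append("issuer missing or not https")
    # Endpoints that handle codes, secrets and signing keys must be https
    # and on the same host the metadata document was fetched from.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = urlparse(str(metadata.get(key, "")))
        if value.scheme != "https" or value.hostname != url.hostname:
            problems.append(f"{key} missing, not https, or on a different host")
    # Step 2 sets Client Authentication to "Client secret sent as basic auth".
    methods = metadata.get("token_endpoint_auth_methods_supported", [])
    if "client_secret_basic" not in methods:
        problems.append("metadata does not advertise client_secret_basic")
    return problems

if __name__ == "__main__":
    for line in check_sso_inputs("Azure AD", SAMPLE_DISCOVERY_URL, SAMPLE_METADATA):
        print("FAIL:", line)
```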
Step 3. Complete Azure Active Directory Setup
Log in to your company’s Azure Portal and open the Azure Active Directory page
Select the App Registration tab and open the KADA App you created in Step 1
Select Authentication from the side panel and click Add a platform
Select Web, paste the Redirect URL you copied when setting up Keycloak and click Save
Step 4. Create AD Groups in Azure
To fully utilise the capabilities of K, we need to create 5 new AD groups in Azure and 5 new roles in the Azure KADA app to align with the KADA role groups:
Log in to your company’s Azure Portal and open the Azure Active Directory page
Select Groups in the side panel and click on New Group. Create 5 Groups that align to the 5 roles in KADA
Administrator
Business User
Data Worker
Data Manager
Data Governance Manager
Select App registrations in the side panel and click on the newly created KADA App
Select App roles in the side panel and click Create app role
Create 5 roles using the information in the following table
| Display Name | Value |
|---|---|
| Administrator | kada_admin |
| Business User | kada_business_user |
| Data Worker | kada_user |
| Data Manager | kada_manager |
| Data Governance Manager | kada_data_gov_manager |