MicroStrategy ONE

Enable OIDC Authentication with AWS Databricks Using Databricks Identity Provider

Starting in MicroStrategy ONE Update 11, MicroStrategy supports integrating MicroStrategy with AWS Databricks for single sign-on (SSO) with OpenID Connect (OIDC) authentication.

Learn to configure Databricks OIDC authentication with AWS using Databricks Identity Provider (IDP):

Prerequisites

You must have the E2 version of the Databricks platform for your Databricks on AWS account.

Add a User in Account Console and Workspace

  1. Log in as an Administrator to https://accounts.cloud.databricks.com/.
  2. In the navigation menu, click User management.
  3. Click Add user.
  4. Enter the user email address and click Save.
  5. Log in to the workspace using your Administrator credentials. The URL is similar to https://<deploymentName>.cloud.databricks.com.
  6. Click your username and select Admin Settings from the drop-down.
  7. Click Add user.
  8. Enter the user email address.
  9. Click Invite, then Give user access.

Set Up SSO for Your Databricks Account Console and Workspace

Configure Account Console

  • Configure SSO using OIDC for your AWS Databricks account console using Azure AD, Okta, or OneLogin. For more information, see https://docs.databricks.com/administration-guide/account-settings-e2/single-sign-on/index.html#enable-account-single-sign-on-authentication-using-oidc and https://docs.databricks.com/administration-guide/account-settings-e2/single-sign-on/index.html#enable-sso.
  • Configure Databricks Workspace

    If your account was created after June 21, 2023, unified login is enabled on your account and no further action is needed for this prerequisite.

    If your account was created before June 21, 2023, unified login is not enabled on your account. Single sign-on (SSO) for your account and for each workspace is managed separately. You must configure SSO to the same identity provider at the account level and on your workspaces. For more information, see https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#workspace-sso-application-examples.

    To configure SSO for Azure AD or Okta, see the following links:

    Configure an Application in Databricks Internal Identity Provider

    Authenticate to the Account API

    1. Create a .netrc file with machine, login, and password properties:

      echo machine accounts.cloud.databricks.com login <username> password <password> >> ~/.netrc

      Replace <username> and <password> with the account administrator's email address and password.

      If you have a $ in your password, enter \ before the $.

    2. Enter -n in your curl command to invoke the .netrc file.

    Enroll Your Databricks Account into OAuth

    1. Run the following command to invoke the .netrc file and enroll your Databricks account in OAuth:

      curl -n -X POST https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/enrollment

      Replace <accountId> with your account ID.

    2. Run the following command to verify that your Databricks account is enrolled in OAuth:

      curl -n -X GET https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/enrollment

      Replace <accountId> with your account ID.

    Create an Application in Databricks Internal Identity Provider

    You can create a native or web application to connect to Databricks using OAuth. If the OAuth connection is used from Workstation, create a native application. If the OAuth connection is used from Web, create a web application.

    Create a Native Application

    1. Run the following command to create a native application:

      curl -n -X POST -d '{"redirect_urls": [ "<Workstation URI>", "<Library Web URI>", "<Authoring Web URI>",  "<Redirect URI 4>"], "confidential": false, "name": "<CustomNativeAppName>"}' https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/custom-app-integrations

      Replace <CustomNativeAppName> with your application name and <accountId> with your account ID.

      Replace the URI names with the URIs that can be found in MicroStrategy Workstation when you configure an authentication service.

    2. Once you run the command, a client ID is generated and an output similar to the following is returned:

      {"integration_id":"<Integration ID>","client_id":"<Client ID>","client_secret":""}

    3. Note the client ID and client secret as these will be used to configure the authentication service. For a native application ("confidential": false) the client secret returned is empty, because the application is a public client.

    Create a Web Application

    1. Run the following command to create a web application and generate a client ID and client secret:

      curl -n -X POST -d '{"redirect_urls": [ "<Authoring Web URI>", "<Other Redirect URI>"], "confidential": true, "name": "<CustomWebAppName>"}' https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/custom-app-integrations

      Replace <CustomWebAppName> with your application name and <accountId> with your account ID.

      Replace the URI names with the URIs that can be found in MicroStrategy Workstation when you configure an authentication service.

    2. Note the client ID and client secret as these will be used to configure the authentication service.

    API for Integration Application

    Use the following links and commands to list, delete, and update your application:

    • To list your applications, see https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/custom-app-integrations. Replace <accountId> with your account ID.

    • To delete an application, run the following command:

      curl -n -X DELETE https://accounts.cloud.databricks.com/api/2.0/accounts/<Account ID>/oauth2/custom-app-integrations/<Integration ID>

      Replace <Account ID> and <Integration ID> with your account and integration IDs.

    • To update an application, run the following command:

      curl -n -X PATCH -d '{ "redirect_urls" : [ "<Redirect_URL1>", "<Redirect_URL2>", "<Redirect_URL3>" ], "confidential" : false, "name" : "<app-name>" }' https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/oauth2/custom-app-integrations/<application-integration-id>

      Replace <app-name> with your application name and <accountId> and <application-integration-id> with your account and application integration IDs.

      Replace the URL names with the URIs that can be found in MicroStrategy Workstation when you configure an authentication service.

    For more information, see https://docs.databricks.com/api/account/customappintegration.

    Configure MicroStrategy for AWS Databricks OIDC Authentication

    Create and Map a MicroStrategy User to a Custom IDP User in Workstation

    1. Open the Workstation window.
    2. In the Navigation pane, click Environments.
    3. Log in to your environment with administrator privileges.
    4. In the Navigation pane, click Users and Groups.
    5. Click next to All Users.
    6. In the left pane, click Privileges and add the following privileges:
    • Access data from Databases, Google BigQuery, BigData, OLAP, BI tools
    • Create and edit database instances and connections
    • Create and edit database logins
    • Create configuration objects
    • Create dataset in Workstation
    • Configure project data source
    • Monitor Database Connections
    • Use Workstation

    7. In the left pane, click Authentication.
    8. Enter a user's email address in Trusted Authenticated Requires User ID.
    9. Click Save.

    Configure MicroStrategy Library in Workstation

    1. Open the Workstation window.
    2. Connect to your Library environment using standard authentication. You must have administrator privileges.
    3. Right-click your connected environment and click Configure Enterprise Security > Configure OIDC.
    4. From the identity provider drop-down, select Others.
    5. Copy the Mobile and desktop applications Redirect URIs and add them to the native application's redirect URIs using the API for Integration Application.
    6. In MicroStrategy Configuration, enter your Client ID and Issuer. Issuer is similar to https://<accountId>.cloud.databricks.com/oidc.
    7. Expand the Advanced drop-down in User Mapping.
    8. Insert the following scopes in Scopes:
    • openid
    • profile
    • email
    • offline_access
    • sql

    9. Click Save.
    10. Restart the web server.

    For more information on enabling OIDC authentication, see Enable Single Sign-On with OIDC Authentication.

    Test the OIDC Connection

    1. Open the Workstation window.
    2. Check that the environment is using the Default OIDC authentication mode.

      1. Log in to your MicroStrategy environment.
      2. In the Navigation pane, click Environments.
      3. Right-click the environment you are using and click Edit Environment Information.
      4. Verify that Default OIDC is selected in Authentication Mode.
    3. In the Databricks IDP login page, click Single Sign On and sign in.
    4. In the MicroStrategy Navigation pane, click next to Datasets.
    5. Click Data Import Cube, then click OK.
    6. Select the Databricks gateway.
    7. Select the data source that you created.
    8. The namespaces and tables display.

    Limitations

    The OIDC workflow functions correctly in MicroStrategy Workstation. However, note that seamless operation may not be guaranteed in MicroStrategy Library and Web environments due to Databricks' lack of support for nonce validation. Databricks is actively working to resolve this issue and MicroStrategy is closely monitoring their progress. MicroStrategy will communicate any updates or improvements that may address this limitation.
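The relying-party check behind the limitation above, as an added example written for this page (it is not MicroStrategy or Databricks code): an OIDC client that sent a nonce in its authentication request must find that same nonce echoed in the ID token, so a token that arrives without a nonce claim is rejected rather than accepted. The issuer form follows the page; the client ID, claims and token signature are constructed for the demo, and signature verification against the issuer's JWKS is assumed to have already been done.

```python
import base64
import hmac
import json
import secrets
import time

# Issuer form from the page (placeholder account ID); client ID is a constructed value.
ISSUER = "https://<accountId>.cloud.databricks.com/oidc"
CLIENT_ID = "example-client-id"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims):
    """Build a constructed ID token for the demo; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'dummy-signature')}"


def validate_id_token(token, expected_nonce, now=None):
    """Return the claim-level problems found (empty list means the token is acceptable).

    Assumes the signature was verified beforehand; only the OIDC Core claim checks
    (issuer, audience, expiry, nonce) are performed here.
    """
    now = int(time.time()) if now is None else now
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    problems = []
    if payload.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("audience mismatch")
    if int(payload.get("exp", 0)) <= now:
        problems.append("token expired")
    # OIDC Core 3.1.3.7: if the request carried a nonce, the ID token must carry the same one.
    nonce = payload.get("nonce")
    if nonce is None:
        problems.append("nonce missing")          # the case the limitation describes
    elif not hmac.compare_digest(str(nonce), expected_nonce):
        problems.append("nonce mismatch")         # replayed or foreign token
    return problems


def demo():
    """Accept a token that echoes our nonce; reject one that omits it."""
    nonce, now = secrets.token_urlsafe(16), 1_700_000_000
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com", "iat": now, "exp": now + 300}
    good = make_sample_id_token({**base, "nonce": nonce})
    no_nonce = make_sample_id_token(base)
    return validate_id_token(good, nonce, now), validate_id_token(no_nonce, nonce, now)
```

The nonce should be generated per authentication request, stored in the user's session, and discarded once the matching ID token has been accepted, so a captured token cannot be replayed into a later session.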