Integrate MicroStrategy with Microsoft Entra ID OIDC Single Sign-On

Starting in MicroStrategy ONE (December 2024), you can use the Denodo JDBC driver to implement OIDC Single Sign-On with Microsoft Entra ID.

Configure Your Application in Microsoft Entra ID

Configure a Microsoft Entra ID application for Denodo OAuth to add the additional permission for Denodo.

For more information, see Quickstart: Register an Application with the Microsoft Identity Platform.
Go to your newly created app and in the left pane, click Authentication.
In Allow public client flows, toggle Enable the following mobile and desktop flows to Yes.
In the left pane, click Certificates & secrets under Manage.
In Client secrets, click New client secret.
Enter a Description and Expires value.
Click Add and note the client secret value for later use.
In the left pane, click Expose an API under Manage.
Click Add a scope.
Type a Scope name.

The scope name should be the same name as the role in the database.

For Denodo, scopes are the names of roles. Once Denodo has the scopes of the token, it obtains the roles with the same names and executes the request with the privileges granted to these roles.
Type an Admin consent display name and Admin consent description.
Click Save.
In the left pane, click API permissions and click Add a permission.
Click the My APIs tab and select your application.
Select the check box next to the custom scope you created and click Add permissions.
In the left pane, click Manifest and check if the requestedAccessTokenVersion is set to 2.

If the value is not 2, update it to 2, and click Save.

For more information on enabling OAuth in Denodo, follow the instructions in the JWT section of Enabling OAuth Authentication.

Open the Denodo Administration Tool and log in with an Administrator account.
In the menu, click Administration and Server configuration.
Click Server authentication and OAuth.
Define the following values:
- Select a validation mode: Select Use JWT.
- Select the signing algorithm: Choose RS256.
- Issuer: Use the value from your OpenID configuration. To find this value, use https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration.
- JWKS URL: Use the value from your OpenID configuration. To find this value, use https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration.
- Audience: Enter your Entra ID application client ID.
- Scope field name: Type scp.
Click OK.
To create roles in Virtual DataPort and grant them the appropriate privileges, see Creating Roles.

The role name is used in Expose an API in the Entra ID application.

Open the Workstation window.
Connect to an environment.
Create an IAM object using Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

Use the Client ID and Client Secret from your Microsoft Entra ID application.

For Scope, use the following format: openid offline_access profile api://<client id>/<scope name>. api://<client id>/<scope name> can be found in your Entra ID application under Expose an API.
In the Navigation pane, click ,next to Data Sources.
Search and choose Denodo from the data source list.
In the Default Database Connection drop-down list , click Add New Database Connection.
Type a Name.
In the Driver drop-down list, choose the Denodo JDBC driver.
Type a Server Name, Port Number, and Database.
In the Authentication Mode drop-down in the Basic tab, choose OIDC Single Sign-On.
In the Authentication Service drop-down list, choose the authentication service you created above or click Add New Authentication Service.

For more information on creating Identity and Access Management objects, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.
Click Save.
In the Add Data Source dialog, enter a Name and Database Version, and optionally choose Projects for further data manipulation.
Click Save.

Open the Workstation window.
Connect to an environment.
In the Navigation pane, click Users and Groups.
Click next to All Users.
Type a Full Name, Email Address, Username, and other optional fields.
In the left pane, click Privileges and select the checkbox next to the following privileges:
- Access data from Databases, Google BigQuery, Big Data, OLAP, BI tools
- Create and edit database instances and connections
- Create and edit database logins
- Create configuration objects
- Create dataset in Workstation
- Configure project data source
- Monitor Database Connections
- Use Workstation
In the left pane, click Authentication.
In Trusted Authentication Request User ID, type the Microsoft Entra ID user's email address.
Click Save.

Open Workstation and connect to your environment using standard authentication and administrator credentials.
Right-click the connected environment and choose Configure OIDC under Configure Enterprise Security.
In step 2, choose Azure from the drop-down list.
Copy the MicroStrategy Library URI and Workstation URI into the mobile and desktop application's sign-in redirect URIs in the Microsoft Entra ID application you created.
In the Microsoft Entra ID left pane, click Manifest under Manage.
Click the AAD Graph App Manifest tab and click Download.
In MicroStrategy Workstation, upload the manifest file in MicroStrategy Configuration.
Click Save.
Restart the web server.

Open the Workstation window.
Connect to an environment.
Right-click the environment and choose Environment under Edit.
Select Default OIDC and click Continue.
A browser displays. Log in using your Microsoft Entra ID credentials.
Use a MicroStrategy Administrator account to assign privileges to the new user.

You do not need to perform this step if you mapped a MicroStrategy user to an Entra ID account and granted privileges.
In the Navigation pane, click ,next to Datasets.
Choose a Project and select Data Import Cube.
Click OK.
Choose the data source you created.

The namespaces and tables display.