MicroStrategy ONE

Integrate MicroStrategy with Azure AD OIDC for Google BigQuery Single Sign-On

The Azure AD OIDC for Google BigQuery Single Sign-On is the simplest data source connection for users because it leverages MicroStrategy authentication and users only need to sign in once.

Before following the steps below, you must create an Azure App and note its Client ID, Client Secret, and Directory/Tenant ID. You must also have access to at least one Azure account.

Create and Map a MicroStrategy User to the Azure AD User

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. In the Navigation pane, click Environments.
  3. Log in to your environment. You must have Administrator privileges.
  4. In the Navigation pane, click Users and Groups.
  5. Click the plus icon (+) next to All Users and enter the required fields.
  6. In the left pane, click Privileges and add the following privileges:
    • Create dataset in Workstation
    • Access data from Databases, Google BigQuery, BigData, OI
    • Create configuration objects
    • Monitor Database Connections
    • Create and edit database instances and connections
    • Create and edit database logins
    • Configure project data source
    • Use Workstation
  7. In the left pane, click Authentication.
  8. Enter your Azure AD email address in Trusted Authenticated Request User ID.

For more information on mapping existing users, see Mapping OIDC Users to MicroStrategy.

Integrate OIDC Support with Azure AD

Integrate your MicroStrategy applications with Azure AD using OIDC authentication by following Integrating OIDC Support with Azure AD. You do not need to perform the steps in the Configure and Enable OIDC Auth Mode for MicroStrategy Web/MicroStrategy Mobile section.

Set Up Google Workforce Identity Federation

You must set up the gcloud utility to perform the following procedure. For more information on setting up the gcloud utility, see gcloud CLI overview.

  1. Set the default billing/quota project using the following command:
gcloud config set billing/quota_project google-project-id
  2. Create a Google Workforce identity pool using the following command. Replace the organization value with your Google organization ID:
gcloud iam workforce-pools create azure-ad-workforce-identity-pool \
    --organization=123456789012 \
    --description="Azure AD Workforce Identity Pool" \
    --location=global
  3. Create a Workforce pool provider using the following command. Replace 4ca8943a-c1a7-4bfe-868e-c5bdb4d59fee with your Azure AD directory or tenant ID and replace 92e890be-8367-4f57-84ea-9cd34cc0e5cd with your Azure AD application or client ID.
gcloud iam workforce-pools providers create-oidc azure-provider \
    --workforce-pool=azure-ad-workforce-identity-pool \
    --display-name="Azure AD Provider" \
    --description="Azure AD Workforce Identity Pool" \
    --issuer-uri="https://login.microsoftonline.com/4ca8943a-c1a7-4bfe-868e-c5bdb4d59fee/v2.0" \
    --client-id="92e890be-8367-4f57-84ea-9cd34cc0e5cd" \
    --attribute-mapping="google.subject=assertion.preferred_username" \
    --location=global
  4. Grant the workforce pool the privileges your organization needs. The commands below set the minimum privileges; the principalSet member ending in /* applies each role to every identity in the pool:
gcloud projects add-iam-policy-binding microstrategy-sr \
    --role="roles/bigquery.dataViewer" \
    --member="principalSet://iam.googleapis.com/locations/global/workforcePools/azure-ad-workforce-identity-pool/*"

gcloud projects add-iam-policy-binding microstrategy-sr \
    --role="roles/bigquery.jobUser" \
    --member="principalSet://iam.googleapis.com/locations/global/workforcePools/azure-ad-workforce-identity-pool/*"

gcloud projects add-iam-policy-binding microstrategy-sr \
    --role="roles/serviceusage.serviceUsageConsumer" \
    --member="principalSet://iam.googleapis.com/locations/global/workforcePools/azure-ad-workforce-identity-pool/*"
  5. Make note of your Google Audience URI.
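
Added example, not part of the MicroStrategy documentation: a Python check that compares a token's iss, aud and preferred_username claims with the --issuer-uri, --client-id and --attribute-mapping values from the provider command above, and shows the Audience URI and per-user principal identifier those settings resolve to. It assumes the pool and provider IDs used in the commands above; the user alice@example.com and the unsigned token are constructed sample input, and the token signature is not verified.

```python
import base64
import json

# Provider settings copied from the create-oidc command above (the page's sample IDs).
ISSUER_URI = "https://login.microsoftonline.com/4ca8943a-c1a7-4bfe-868e-c5bdb4d59fee/v2.0"
CLIENT_ID = "92e890be-8367-4f57-84ea-9cd34cc0e5cd"
POOL_ID = "azure-ad-workforce-identity-pool"
PROVIDER_ID = "azure-provider"
SUBJECT_CLAIM = "preferred_username"  # google.subject=assertion.preferred_username
POOL_PATH = f"iam.googleapis.com/locations/global/workforcePools/{POOL_ID}"

def audience_uri():
    """Audience URI that identifies this workforce pool provider."""
    return f"//{POOL_PATH}/providers/{PROVIDER_ID}"

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token):
    """Return (problems, principal) for a token checked against the settings above."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != ISSUER_URI:
        problems.append(f"iss {claims.get('iss')!r} does not match --issuer-uri")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match --client-id")
    subject = claims.get(SUBJECT_CLAIM)
    if not subject:
        problems.append(f"{SUBJECT_CLAIM} claim missing; google.subject cannot be mapped")
        return problems, None
    # IAM identifier for this one user, narrower than the pool-wide principalSet .../*
    return problems, f"principal://{POOL_PATH}/subject/{subject}"

def make_sample_token(claims):
    """Build an unsigned JWT from constructed claims (sample input for this example)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    sample = make_sample_token({"iss": ISSUER_URI, "aud": CLIENT_ID,
                                SUBJECT_CLAIM: "alice@example.com"})  # constructed user
    print(audience_uri())
    print(check_token(sample))
```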

Create an Enterprise Security Object

Follow the steps in Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects to create an enterprise security object.

Create Google BigQuery JDBC or ODBC Data Source with OAuth OBO

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. In the Navigation pane, click the plus icon (+) next to Data Sources.
  3. Select Google BigQuery.
  4. Enter a name for the data source and select the project(s) that will use it.
  5. Expand the Default Database Connection drop-down and click Add New Database Connection.
  6. The Create New Database Connection module appears.
  7. Enter values in the following fields:
    • Name: A name for the database connection.
    • Driver Type: Select "JDBC" or "ODBC".
    • Billing Project: The Google billing project ID.
    • Authentication Mode: Select "OAuth On-Behalf-Of".
    • Authentication Service: The enterprise security object that you created above.
    • Audience: The Audience URI that you created above.
  8. Click Save.
  9. Click Save.

Test the Google BigQuery Data Source

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. Check that the environment is using the Default OIDC authentication mode.
    1. Click Environments in the Navigation pane.
    2. Right-click the environment you want to use and click Edit Environment Information.
    3. Check that the Authentication Mode is set to "Default OIDC".
  3. Log in to your MicroStrategy environment using your Azure AD username and password.
  4. In the Navigation pane, click the plus icon (+) next to Datasets.
  5. Select Data Import Cube and click OK.
  6. Select Google BigQuery (Driver) or Google BigQuery (JDBC).
  7. Leave Select Tables selected and click Next.
  8. Select the GBQ_JDBC_Azure_OBO data source.
  9. The projects and datasets list displays.