MicroStrategy ONE

Integrate MicroStrategy with Microsoft Entra ID Single Sign-On

Starting in MicroStrategy ONE (September 2024), you can use Redshift Native JDBC drivers to implement OIDC Single Sign-On with Microsoft Entra ID.

Integrate Redshift Native IdP Federation with Microsoft Entra ID

  1. Follow Set Up Your Azure Application in Integrate Amazon Redshift Native IdP Federation with Microsoft Azure AD Using a SQL Client to set up your OAuth App and Client App Azure Applications.

  2. Follow Collect Azure AD Information in Integrate Amazon Redshift Native IdP Federation with Microsoft Azure AD Using a SQL Client to save information for your later configuration.

    When you check the Manifest section, switch to AAD Graph App Manifest to find the access token version.

    Client_id and client_secret are from the Client App you created in step 1 and Audience is from the OAuth App you created in step 1.

  3. Configure IdP on Amazon Redshift:

    1. Log in to Amazon Redshift with superuser credentials using query editor v2 or any SQL client.

    2. Create an Identity Provider in Redshift using the following SQL template:

      CREATE IDENTITY PROVIDER <idp_name> TYPE azure
      NAMESPACE '<namespace_name>'
      PARAMETERS '{
      "issuer":"<Microsoft_Azure_issuer_value>",
      "audience":["<Microsoft_Azure_token_audience_value>"],
      "client_id":"<Microsoft_Azure_clientid_value>",
      "client_secret":"<Microsoft_Azure_client_secret_value>"
      }';

      For example, the following code uses a v1.0 access token:

      -- v1.0 access token: sts.windows.net issuer, api:// audience
      CREATE IDENTITY PROVIDER test_idp TYPE azure
      NAMESPACE 'oauth_aad'
      PARAMETERS '{
      "issuer":"https://sts.windows.net/87f4aa26-78b7-410e-bf29-57b39929ef9a/",
      "audience":["api://991abc78-78ab-4ad8-a123-zf123ab03612p"],
      "client_id":"123ab555-a321-666d-7890-11a123a44890",
      "client_secret":"KiG7Q~FEDnE.VsWS1IIl7LV1R2BtA4qVv2ixB"
      }';

      The following code uses a v2.0 access token:

      -- v2.0 access token: login.microsoftonline.com/.../v2.0 issuer, bare application ID audience
      CREATE IDENTITY PROVIDER test_idp TYPE azure
      NAMESPACE 'oauth_aad'
      PARAMETERS '{
      "issuer":"https://login.microsoftonline.com/87f4aa26-78b7-410e-bf29-57b39929ef9a/v2.0",
      "audience":["991abc78-78ab-4ad8-a123-zf123ab03612p"],
      "client_id":"123ab555-a321-666d-7890-11a123a44890",
      "client_secret":"KiG7Q~FEDnE.VsWS1IIl7LV1R2BtA4qVv2ixB"
      }';

    3. Follow Set up Amazon Redshift Permissions to External Identities in Integrate Amazon Redshift Native IdP Federation with Microsoft Azure AD Using a SQL Client to grant user permissions.
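
The issuer and audience registered in step 3 must match the access token version, as the v1.0 and v2.0 examples show. The following added example (not part of the MicroStrategy or AWS documentation) compares a PARAMETERS JSON string with the claims of an access token before you register it. It assumes the token carries the `ver`, `iss`, and `aud` claims; the function names are hypothetical and the sample token is constructed and unsigned, built from the sample IDs on this page.

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Return a JWT's payload without verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_idp_parameters(parameters_json: str, claims: dict) -> list:
    """List mismatches between CREATE IDENTITY PROVIDER parameters and token claims."""
    params = json.loads(parameters_json)
    issuer = params.get("issuer", "")
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: token {claims.get('iss')!r}, IdP {issuer!r}")
    aud = claims.get("aud")
    token_aud = aud if isinstance(aud, list) else [aud]
    if not set(token_aud) & set(params.get("audience", [])):
        problems.append(f"audience mismatch: token {token_aud}, IdP {params.get('audience')}")
    # The issuer form must agree with the access token version (see the two examples above).
    ver = claims.get("ver")
    if ver == "1.0" and not issuer.startswith("https://sts.windows.net/"):
        problems.append("v1.0 token, but issuer is not in the sts.windows.net form")
    if ver == "2.0" and not issuer.endswith("/v2.0"):
        problems.append("v2.0 token, but issuer is not in the .../v2.0 form")
    return problems

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the check runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

TENANT = "87f4aa26-78b7-410e-bf29-57b39929ef9a"  # sample tenant ID from this page
APP = "991abc78-78ab-4ad8-a123-zf123ab03612p"    # sample OAuth App ID from this page
V1_PARAMS = json.dumps({"issuer": f"https://sts.windows.net/{TENANT}/",
                        "audience": [f"api://{APP}"]})
V2_PARAMS = json.dumps({"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                        "audience": [APP]})
SAMPLE_V2_TOKEN = make_unsigned_token({
    "ver": "2.0", "aud": APP,
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_V2_TOKEN)
    print("v2.0 parameters:", check_idp_parameters(V2_PARAMS, claims) or "OK")
    for problem in check_idp_parameters(V1_PARAMS, claims):
        print("v1.0 parameters:", problem)
```

The decoder skips signature verification on purpose, so use it only to inspect a token you obtained yourself, never to decide whether a token is trusted.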

MicroStrategy Configuration

Create a Data Source Using OIDC Single Sign-On Authentication Mode

  1. Open the Workstation window.

  2. Connect to an environment.

  3. In the Navigation pane, click next to Data Sources.

  4. Search and choose Amazon Redshift from the data source list.

  5. In the Default Database Connection drop-down list, click Add New Database Connection.

  6. Type a Name.

  7. In the Driver drop-down list, choose the Redshift Native JDBC driver (com.amazon.redshift.Driver).

  8. Type a Server Name, Port Number, and Database.

  9. In the Authentication Mode drop-down in the Basic tab, choose OIDC Single Sign-On.

  10. In the Authentication Service drop-down list, choose an authentication service or click Add New Authentication Service.

    For more information, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

  11. In Scope, enter your scope using the following template: openid <API scope noted in step 1 of Integrate Redshift Native IdP Federation with Microsoft Entra ID>.

  12. Click Save.

  13. In the Add Data Source dialog, enter a Name and optionally choose Projects for further data manipulation.

  14. Click Save.

Create and Map Users to Entra ID

  1. Open the Workstation window.

  2. Connect to an environment.

  3. In the Navigation pane, click Users and Groups.

  4. Click next to All Users.

  5. Type a Full Name, Email Address, Username, and other optional fields.

  6. In the left pane, click Privileges and select the checkbox next to the following privileges:

    • Access data from Databases, Google BigQuery, Big Data, OLAP, BI tools

    • Create and edit database instances and connections

    • Create and edit database logins

    • Create configuration objects

    • Create dataset in Workstation

    • Configure project data source

    • Monitor Database Connections

    • Use Workstation

  7. In the left pane, click Authentication.

  8. In Trusted Authentication Request User ID, type the Microsoft Entra ID user's email address.

  9. Click Save.

Configure OIDC

For more information, see Enable OIDC Authentication for MicroStrategy Library.

  1. Open Workstation and connect to your environment using standard authentication and administrator credentials.

  2. Right-click the connected environment and choose Configure OIDC under Configure Enterprise Security.

  3. In step 2, choose Azure from the drop-down list.

  4. Copy the MicroStrategy Library URI and Workstation URI into the mobile and desktop application's sign-in redirect URIs in the Client App you created in Entra ID above.

  5. In the Microsoft Entra ID left pane, click Manifest under Manage.

  6. Click the AAD Graph App Manifest tab and click Download.

  7. In MicroStrategy Workstation, upload the manifest file in MicroStrategy Configuration.

  8. Click Save.

  9. Restart the web server.

Single Sign-On with OIDC

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Right-click the environment and choose Environment under Edit.

  4. Select Default OIDC and click Continue.

  5. A browser window opens. Log in using your Microsoft Entra ID credentials.

  6. Use a MicroStrategy Administrator account to assign privileges to the new user.

    You do not need to perform this step if you mapped a MicroStrategy user to an Entra ID account and granted privileges.

  7. In the Navigation pane, click next to Datasets.

  8. Choose a Project and select Data Import Cube.

  9. Click OK.

  10. Choose the data source you created.

    The namespaces and tables display.