Strategy ONE

Set Up Single Sign-On for Power BI

Strategy One (September 2025) adds support for single sign-on (SSO) in Power BI. Before you use SSO, you must enable it in your Mosaic Studio environment. Follow the steps below to enable SSO.

Prerequisite

Remove the Token Based Feature Flag

You only need to remove the token-based feature flag if you are using a Strategy version prior to Strategy One (September 2025).

If your Strategy version prior to Strategy One (September 2025) uses token-based authentication and you want to use SSO instead, use the following steps to remove the token-based feature flag:

  1. Modify the configOverride.properties file, located in a path similar to the following: /usr/local/tomcat/webapps/0/WEB-INF/classes/config.

  2. Remove the following line: features.usl.universalAccess.powerBI.SSO=true

  3. Restart the Library server.

Set Up the Universal Semantic Layer Service Account in Active Directory

Work with your IT administrator to create a service account for your Mosaic environment and generate a keytab.

  • Create a user account in Active Directory that will serve as a service account for Mosaic.

  • Enable AES128 and AES256 encryption for the service account.

  • Add service principal names to the service account for both the environment URL and the external load balancer URL using the following format:

    • HTTP/<Environment URL>, HTTP/<External Load Balancer URL>

    • For example, HTTP/abc.company.com@COMPANY.COM, HTTP/xxxxx.us-east-1.elb.amazonaws.com@COMPANY.COM

  • Generate the keytab file using a tool such as ktpass.exe from Microsoft.

Generate Keytab

universal-semantic:/etc/trino/abc.company.keytab

Use the following format:

ktpass -princ HTTP/abc.company.com@COMPANY.COM -mapuser mosaic-svc@company.com -pass plain_text_pwd -ptype KRB5_NT_PRINCIPAL -out abc.company.keytab -kvno {keyVersionNumber} -crypto All

Configuration Update Files

The following files require configuration changes. See the sections below for details on the updates.

Instance Based Configuration Files Path

  • <MSTR_INSTALL_PATH>/UniversalSemantic/etc/krb5.conf

  • <MSTR_INSTALL_PATH>/UniversalSemantic/etc/usermapping.json

  • <MSTR_INSTALL_PATH>/UniversalSemantic/etc/config.properties

Container Based Configuration Files Path

  • /etc/trino/krb5.conf

  • /etc/trino/usermapping.json

  • /etc/trino/config.properties

universal-semantic:/etc/trino/krb5.conf

A sample krb5.conf is included with the installation:

# Kerberos configuration file for
# Set the default_realm for your environment.
[libdefaults]
default_realm = EXAMPLE.COM

Set the default_realm for your environment and save the file:

# Kerberos configuration file
# Set the default_realm for your environment.
[libdefaults]
default_realm = COMPANY.COM

universal-semantic:/etc/trino/config.properties

The configuration properties required for Kerberos are commented out by default. These properties must be uncommented and modified for your environment. The required properties are shown below with sample values for guidance.

For containers, administrators should copy the properties from etc/trino/krb5.properties.example and modify them as needed.

http-server.authentication.type=HEADER, KERBEROS
http-server.authentication.krb5.service-name=HTTP
http.authentication.krb5.config=etc/krb5.conf
http-server.authentication.krb5.principal-hostname=abc.company.com
http-server.authentication.krb5.keytab=etc/abc.company.keytab
http-server.authentication.krb5.user-mapping.file=etc/user-mapping.json

header-authenticator.config-files=etc/jwt-authenticator.properties, etc/oauth2-authenticator.properties, etc/ldap-authenticator.properties, etc/basic-authenticator.properties

universal-semantic:/etc/trino/user-mapping.json

In the following example, the realm name is company.com. Replace it with the realm name provided by your IT admin.

{
    "rules": [
        {
            "pattern": "(?<user>.+)@(?<realm>.+)",
            "user": "${user}@company.com"
        },
        {
            "pattern": "(?<realm>.+)\\(?(?<user>.+)\\)?",
            "user": "${user}@company.com"
        }
    ]
}
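To check what a Kerberos principal will be mapped to before restarting the service, the following added script (not part of the product or of this page's original content) re-implements Trino's file-based user-mapping semantics in Python: rules are tried in order, a pattern must match the whole principal, and the first match wins. It assumes Java-style named groups and ${name} replacements, which it translates to Python's re syntax; the JSON it loads is a constructed copy of the rules above.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed copy of the two rules from user-mapping.json above (sample
# input for this script, not a file that ships with the product).
USER_MAPPING_JSON = r'''{
    "rules": [
        {"pattern": "(?<user>.+)@(?<realm>.+)", "user": "${user}@company.com"},
        {"pattern": "(?<realm>.+)\\(?(?<user>.+)\\)?", "user": "${user}@company.com"}
    ]
}'''


def _to_python_regex(pattern: str) -> str:
    # Trino patterns use Java syntax: named groups are (?<name>...), while
    # Python's re expects (?P<name>...). Lookbehinds (?<= and (?<! are kept.
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def _to_python_replacement(user: str) -> str:
    # Java replacement references ${name} and $1 become \g<name> and \g<1>.
    user = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", user)
    return re.sub(r"\$(\d+)", r"\\g<\1>", user)


def load_rules(mapping_json: str) -> List[Tuple[re.Pattern, str, bool]]:
    rules = []
    for rule in json.loads(mapping_json)["rules"]:
        rules.append((re.compile(_to_python_regex(rule["pattern"])),
                      _to_python_replacement(rule["user"]),
                      rule.get("allow", True)))  # Trino's optional allow flag
    return rules


def map_principal(principal: str, rules) -> Optional[str]:
    """Return the user Trino would derive from an authenticated principal.

    Rules are tried in order, a pattern must match the whole principal, and
    the first match wins. None means the principal is rejected (no rule
    matched, or the matching rule has allow=false).
    """
    for regex, replacement, allow in rules:
        match = regex.fullmatch(principal)
        if match:
            return match.expand(replacement) if allow else None
    return None


if __name__ == "__main__":
    rules = load_rules(USER_MAPPING_JSON)
    # Constructed principals. Note that rule 1 rewrites *any* source realm to
    # company.com; tighten the realm group if only one realm should be accepted.
    for principal in ("jdoe@COMPANY.COM", "jdoe@OTHER.EXAMPLE"):
        print(f"{principal:25} -> {map_principal(principal, rules)}")
```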

Restart the Universal Semantic Layer service after making changes.

Library Configuration

  1. Open the configOverride.properties file located in the following path: /usr/local/tomcat/webapps/0/WEB-INF/classes/config/configOverride.properties.

  2. Add authorization mode 67108864 to Library by appending it to the following property:

    auth.modes.available=1,67108864

  3. Open the Library Admin control panel. For more information on accessing the panel, see Library Administration Control Panel.

  4. In the left Navigation pane, click Library Server.

  5. Under Authentication Modes, select the check box next to Trusted.

  6. Expand the Provider drop-down list and choose Custom.

  7. Click Save.

  8. Restart the Library service.

Use SSO for Power BI DAX

After you enable SSO, use it in Power BI. For more information, see Connect to Power BI DAX Using Single Sign-On.