Data Source Authentication Modes

As you move data over to the cloud, previously used single-sign on methods (e.g. kerberos) will not work. MicroStrategy allows you to configure oAuth and oAuth On-Behalf-Of authentication modes when you define connections for data sources in Workstation. These modes provide Administrators the ability to determine the identity provider (IDP) that will conduct authentication and access authorization to the underlying data source using the oAuth protocol. Although both methods use the same high level protocols, both methods are supported differently in the platform and are intended for different workflows.

oAuth

When a data source connection's authentication mode is set to oAuth, you use the oAuth flow. MicroStrategy redirects you to set the IDP in the browser to authenticate before MicroStrategy connects to the data source. This interactive oAuth workflow is only supported in self-service scenarios, where you manually access data sources independently. Access to these data sources may require different identity providers in one configuration, depending on your business.

If a browser session already exists with an IDP, you do not need to manually input credentials.

When you successfully log in, MicroStrategy caches refresh tokens so that MicroStrategy is able to establish connections offline to perform jobs such as subscriptions.

oAuth On-Behalf-Of

This authentication mode does not require you to use the interactive oAuth flow. MicroStrategy will request access to the underlying source on your behalf, assuming you have previously logged in to MicroStrategy using OIDC. This authentication mode leverages Identity tokens and other data from the IDP when you log in to MicroStrategy. Identity tokens and other data from the IDP allows MicroStrategy to access the data source automatically to perform tasks such as running reports. This authentication mode requires Administrators to set up OIDC authentication for the MicroStrategy platform and works with the project schema and data import flows. You will not see any change in your experience when using oAuth On-Behalf-Of. You can run reports and dashboards and the data source connection will be established with it's own identity.

When you successfully log in, MicroStrategy caches refresh tokens so that MicroStrategy is able to establish connections offline to perform jobs such as subscriptions.

MicroStrategy's identity providers and oAuth/OIDC support evolves over time. Refer to the MicroStrategy Gateways documentation for more information on gateways and identity providers.