Strategy One

Integrate Strategy with Microsoft Entra ID SAML Single Sign-On

Prerequisites

  1. Create and configure the SAML application in Entra ID using Integrating SAML Support with Microsoft Entra ID (Formerly Azure AD).

  2. Enable SAML login for Strategy Library using Enable Single Sign-On with SAML Authentication.

  3. Complete the steps in Configure OAuth Parameters with Microsoft Entra ID in Configure OAuth Parameters: Authorization Code Workflow and choose Authorization Code flow.

Create a Data Source Using Single Sign-On Authentication Mode

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Create an Enterprise Security Object. For more information, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

    All required information should be collected in the Configure OAuth Parameters with Microsoft Entra ID section of Configure OAuth Parameters: Authorization Code Workflow.

  4. In the Navigation pane, click next to Data Sources.

  5. Search for and choose Snowflake from the data source list.

  6. In the Default Database Connection drop-down list, click Add New Database Connection.

  7. Type a Name for the new database connection.

  8. In the Driver drop-down list, choose the Snowflake ODBC or JDBC driver.

  9. In Connection Method, ensure Standard is selected.

  10. Click the Basic tab.

  11. Type a Server Name.

  12. Optionally type a Warehouse, Database, Schema, and Role.

  13. In the Authentication Mode drop-down list, choose OIDC Single Sign-On.

  14. In the Authentication Service drop-down list, choose an authentication service or click Add New Authentication Service.

    For more information, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

  15. In Scope, enter the same values you defined in your Enterprise Security Object.

  16. Click Save.

  17. Type a Name and select Projects for the data source.

  18. Click Save.

Create and Map Users to Entra ID

  1. Open the Workstation window.

  2. Connect to an environment.

  3. In the Navigation pane, click User and Groups.

  4. Click next to All Users.

  5. In Account and Credentials, enter a Full Name, Email Address, Username, and Password, if required.

  6. In the left pane, click Privileges and add the following privileges:

    • Access data from Databases, Google BigQuery, BigData, OLAP, BI tools

    • Create and edit database instances and connections

    • Create and edit database logins

    • Create configuration objects

    • Create dataset in Workstation

    • Configure project data source

    • Monitor Database Connections

    • Use Workstation

  7. In the left pane, click Authentication.

  8. In Trusted Authenticated Request User ID, type the user's email address.

  9. Click Save.

Configure SAML Single Sign-On to Snowflake

  1. Ensure prerequisites 1 and 2 of this topic are complete.

  2. In the Snowflake application you created in prerequisite 2, in the Navigation pane, click Authentication under Manage and ensure the ID tokens (used for implicit and hybrid flows) check box is selected under Implicit grant and hybrid flows.

  3. Open the following file to edit: [MicroStrategyLibrary Root]\WEB-INF\classes\auth\SAML\custom\SAML2OAuth.xml

  4. Comment out the following section:

    <!-- Beans to add an additional step to fetch idToken after SAML login -->
    <bean id="oAuthTokenProvider" class="com.microstrategy.auth.saml.implicitoauth.MicrosoftAzureAD">
        <property name="authorizationEndpoint" value=""/>
        <property name="clientID" value=""/>
        <property name="redirectUri" value=""/>
        <property name="responseType" value="id_token"/>
        <property name="scope">
            <list>
                <value>openid</value>
                <value>email</value>
                <value>profile</value>
                <value>offline_access</value>
            </list>
        </property>
    </bean>

  5. Copy the authorizationEndpoint, clientID, and redirectUri fields and paste them in the SAML2OAuth.xml file:

    • For authorizationEndpoint, go to your Snowflake app in Entra ID, in Overview, click Endpoints, and copy the OAuth 2.0 authorization endpoint (v2) value.

    • For clientID, go to your Snowflake app in Entra ID, in Overview, copy the Application (client) ID value.

    • For redirectUri, go to your Snowflake app in Entra ID, click Authentication in the left navigation pane, and copy the Redirect URI.

      If no Redirect URI is available, manually add the following URI to your app: https://[Strategy-Library-Hostname]/MicroStrategyLibrary/auth/SAMLOAuthRedirect.jsp

  6. Restart the Web server.
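Before restarting the Web server it is worth confirming that the values pasted into SAML2OAuth.xml in steps 4 and 5 are consistent with what the id_token step needs. The script below is an added example, not part of the Strategy documentation or product: it parses the oAuthTokenProvider bean and reports empty fields, a non-https redirect URI, a redirect path other than the SAMLOAuthRedirect.jsp endpoint, a v1 rather than v2 authorization endpoint, a responseType other than id_token, and a scope list without openid. The embedded XML is a constructed sample with placeholder tenant, client and hostname values; the Spring beans namespace on the root element is an assumption about the file's layout, and the parser tolerates its absence.

```python
"""Pre-restart sanity check for the oAuthTokenProvider bean in SAML2OAuth.xml.

Added example (not Strategy's own code). The sample XML and all IDs/hostnames
below are constructed placeholders, not values from a real deployment.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Assumption: the file is a Spring beans document with this default namespace.
SPRING_NS = "http://www.springframework.org/schema/beans"

# Redirect path the procedure tells you to register in the Entra ID app.
EXPECTED_REDIRECT_PATH = "/MicroStrategyLibrary/auth/SAMLOAuthRedirect.jsp"

# Constructed sample: the bean after step 5 has been completed (fake IDs/host).
SAMPLE_GOOD = f"""<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="{SPRING_NS}">
  <!-- Beans to add an additional step to fetch idToken after SAML login -->
  <bean id="oAuthTokenProvider" class="com.microstrategy.auth.saml.implicitoauth.MicrosoftAzureAD">
    <property name="authorizationEndpoint"
              value="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize"/>
    <property name="clientID" value="11111111-1111-1111-1111-111111111111"/>
    <property name="redirectUri" value="https://library.example.com/MicroStrategyLibrary/auth/SAMLOAuthRedirect.jsp"/>
    <property name="responseType" value="id_token"/>
    <property name="scope">
      <list>
        <value>openid</value>
        <value>email</value>
        <value>profile</value>
        <value>offline_access</value>
      </list>
    </property>
  </bean>
</beans>
"""

# Constructed misconfiguration: empty clientID, http redirect, v1 endpoint.
SAMPLE_BAD = (SAMPLE_GOOD
              .replace('value="11111111-1111-1111-1111-111111111111"', 'value=""')
              .replace("https://library.example.com", "http://library.example.com")
              .replace("/oauth2/v2.0/authorize", "/oauth2/authorize"))


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def load_token_provider(xml_text: str) -> Optional[dict]:
    """Return the oAuthTokenProvider bean's properties as a dict, or None when no
    such bean is present in the parsed document (ElementTree drops XML comments,
    so a bean inside <!-- --> is not returned). <list> properties become lists."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "bean" and el.get("id") == "oAuthTokenProvider":
            props = {"class": el.get("class")}
            for prop in el:
                if _local(prop.tag) != "property":
                    continue
                name = prop.get("name")
                if prop.get("value") is not None:
                    props[name] = prop.get("value")
                else:
                    props[name] = [v.text.strip() for v in prop.iter()
                                   if _local(v.tag) == "value" and v.text]
            return props
    return None


def check_token_provider(xml_text: str) -> list:
    """Run the checks; an empty list means the bean matches the steps above."""
    props = load_token_provider(xml_text)
    if props is None:
        return ["no oAuthTokenProvider bean found in the parsed XML"]
    findings = []
    for key in ("authorizationEndpoint", "clientID", "redirectUri"):
        if not props.get(key):
            findings.append(f"{key} is empty: copy it from the Entra ID app registration")
    endpoint = props.get("authorizationEndpoint")
    if endpoint:
        parsed = urlparse(endpoint)
        if parsed.scheme != "https":
            findings.append("authorizationEndpoint must use https")
        if "/oauth2/v2.0/authorize" not in parsed.path:
            findings.append("authorizationEndpoint is not the OAuth 2.0 authorization endpoint (v2)")
    redirect = props.get("redirectUri")
    if redirect:
        parsed = urlparse(redirect)
        if parsed.scheme != "https":
            findings.append("redirectUri must use https so the id_token is not returned over clear text")
        if parsed.path != EXPECTED_REDIRECT_PATH:
            findings.append(f"redirectUri path should be {EXPECTED_REDIRECT_PATH}")
    if props.get("responseType") != "id_token":
        findings.append("responseType must be id_token (and ID tokens must be enabled in the Entra ID app)")
    if "openid" not in props.get("scope", []):
        findings.append("scope must include openid for an ID token to be issued")
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path to your SAML2OAuth.xml; without an argument the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_GOOD
    for line in check_token_provider(text) or ["OK: oAuthTokenProvider bean looks consistent"]:
        print(line)
```

Run it with the path to the edited SAML2OAuth.xml as the only argument; any line it prints other than the OK line is something to fix before step 6, since the Web server will otherwise redirect users to an endpoint that cannot return the ID token.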

Single Sign-On with SAML

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Right-click the environment and click Edit Environment Information.

  4. In Authentication Mode, select SAML and click Continue.

  5. Log in to your Entra ID account in the browser dialog.

  6. Use an Administrator account to grant privileges to the new user.

    You can ignore this step if you have mapped the user to your Entra ID account and already granted privileges.

  7. In the Navigation pane, click next to Datasets.

  8. In the Project drop-down list, choose a project.

  9. Select Data Import Cube and click OK.

  10. Choose the data source you created in Create a Data Source Using Single Sign-On Authentication Mode.

    The namespaces and tables display.