Microsoft Entra SSO

Learn how to enable Microsoft Entra SSO in your TileDB workspace.

The goal of this guide is to help customers enable Microsoft Entra SSO for their clusters.

Warning

The procedures outlined in this doc depend on Microsoft Azure and its components. Microsoft Azure is subject to change at any time. Thus, you may need to take additional steps not highlighted in this doc to successfully set up Entra SSO with TileDB.

Prerequisites

To enable Entra SSO, you must complete the following:

  • Have a TileDB self-hosted cluster.
  • Have access to the Azure Portal.
  • Configure Microsoft Entra for each user. Each user must have an email address associated with their account, set in the Email field, with your organization’s Primary domain in Azure.
  • Have access to the original YAML file used to deploy the cluster.
  • Have knowledge and access to Helm.
  • Have knowledge and access to a terminal.

Process

The process for configuring Entra SSO with TileDB involves the following high-level steps:

  1. Create a new app registration in Azure.
  2. Get the issuer URL.
  3. Add a client secret.
  4. Add a claim.
  5. Upgrade your TileDB cluster.
  6. Test your configuration.

Create a new app registration in Azure

  1. Log in to your Azure Portal.
  2. Open Microsoft Entra ID.
  3. From the Overview window, take note of the Primary domain (which this tutorial references as <SSO_DOMAIN>).
  4. Under the Manage menu, select App registrations.
  5. Select + New registration.
  6. Enter a Name for the registration.
  7. Select the appropriate Supported account types.
  8. Enter a Redirect URI. The Redirect URI is of the form <scheme>://<uri>/auth/sso/callback/perdomain, where <scheme> is the scheme you use for your site (http or https), and <uri> is the console URI you use to log in to TileDB (which you can find in your values.yaml file under tiledb-cloud-ui.ingress.url[0]).
  9. Select Register.

Get the issuer URL

  1. On the App registrations page, make note of the Application (client) ID, referenced as <SSO_CLIENT_ID>.
  2. On the App registrations page, select Endpoints.
  3. Find the OpenID Connect metadata document field, and copy the URL. Paste the URL in a new tab or window in your browser.
  4. Find and copy the issuer details, referred to as <SSO_OIDC_ISSUER_URL>.

Add a client secret

  1. On the App registrations page, select Certificates & secrets.
  2. In the Azure Portal, open the Registered app page.
  3. In the Azure Portal, open the application you created, and navigate to Manage > Certificates & secrets.
  4. From the Client secrets tab, select + New client secret. Set a description to help others identify this secret and an expiration date.
  5. Select Add to create the secret.
  6. In the Value column, select the Copy to clipboard button to copy the client secret. Copy the Value (referenced as <SSO_CLIENT_SECRET>). Note: The Value will only display once and disappear after navigating away from the current page.

Add a claim

  1. Navigate to Manage > Token configuration.
  2. Add the following optional claims:
    • email: The addressable email for this user, if the user has one. Note: The email claim is mandatory to exist for SSO to work with TileDB.
    • preferred_username: The preferred username claim, so apps can give username hints and show human readable display names.

Upgrade your TileDB cluster

  1. Update your values.yaml file with the following information, creating any missing keys if necessary:

    tiledb-cloud-rest:
  restConfig:
    SSO:
      OIDC:
        - Domain: <SSO_DOMAIN>
          OIDCIssuer: <SSO_OIDC_ISSUER_URL>
          OIDCClientID: <SSO_CLIENT_ID>
          OIDCClientSecret: <SSO_CLIENT_SECRET>

  2. Run an upgrade on your cluster, swapping your initial helm install command with helm upgrade (or helm upgrade --install if you prefer) and submitting your new values file configurations. For example:

    helm upgrade --install \
 --namespace tiledb-cloud \
 --values values.yaml \
 tiledb-cloud \
 tiledb/tiledb-cloud-enterprise

Test the configuration

  1. Open the TileDB console, and select Company SSO.
  2. Enter your email address in the Corporate email field, and select Continue with single sign-on. If everything is configured correctly, your browser should bring you to the Microsoft login, where you’ll sign in with your Microsoft credentials.
  3. After signing in, you should be redirected back to the TileDB console, where you’ll be logged in.