Last Updated: 2024-01-25
Background
This tutorial will guide you through the process of configuring a Starburst Galaxy single sign-on (SSO) using Microsoft Entra ID. To do this, you will be working in both the Azure portal and the Starburst Galaxy Web UI.
After configuring single sign-on, you will test it. You will then have the option to delete the SSO, if necessary.
Identity Providers (IdP)
An Identity Provider (IdP) is a system or service responsible for managing and authenticating the identities of users within a network or system. In the context of identity and access management (IAM), an IdP verifies the identity of individuals and provides authentication services, often in the form of login credentials (such as usernames and passwords) or other authentication methods.
In many scenarios, an IdP is a central component of a single sign-on (SSO) system. When a user attempts to access a protected resource or service, the IdP verifies the user's identity and, if authentication is successful, issues a security token. This token is then used to grant the user access to various applications or services without the need to re-enter credentials for each service.
Starburst Galaxy supports and tests the following three IdPs:
- Okta
- Microsoft Entra ID
- Google Workspace
Starburst Galaxy also supports the use of a Custom IdP, provided it supports the Security Assertion Markup Language (SAML) protocol standard.
Systems for Cross-domain Identity Management (SCIM)
A System for Cross-domain Identity Management (SCIM) is a standard protocol used to automate the exchange of user identity information between identity domains.
You can use SCIM to replicate and sync users and groups from your IdP into Starburst Galaxy. The IdP can also push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This ultimately allows an administrator to assign IdP users and/or groups to access control roles in Starburst Galaxy after they are synced into Starburst Galaxy. The process of assigning roles is a separate task and not part of the SSO or SCIM configuration.
Starburst Galaxy supports and tests System for Cross-domain Identity Management (SCIM) with the following two IdPs:
- Okta
- Microsoft Entra ID
Prerequisites
- You need a Starburst Galaxy account to complete this tutorial. Please see Starburst Galaxy: Getting started for instructions on setting up a free account.
- This tutorial requires a Microsoft Azure account. Before proceeding with this tutorial, you must already have an Azure account set up.
Learning outcomes
Upon successful completion of this tutorial, you will be able to:
- Configure SSO to Starburst Galaxy with Microsoft Entra ID
- Provision SCIM in Starburst Galaxy
About Starburst tutorials
Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.
As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.
Background
Microsoft Entra ID is a cloud-based solution used for identity and access management. It operates as a directory and identity management system, providing authentication and authorization services across a range of Microsoft platforms, including Microsoft Azure.
In this first part of the tutorial, you will begin by configuring Starburst Galaxy to enable a Single Sign-on (SSO) using Microsoft Entra ID.
Step 1: Sign into Starburst Galaxy
Sign into Starburst Galaxy in the usual way. If you have not already set up an account, you can do that here.
Step 2: Use Access control menu to configure new SSO
Now it's time to begin configuring a new single sign-on. SSO is considered a form of access control and management of new SSO configurations is handled through the Access control menu.
- In the left-hand navigation menu, expand the Access control.
- Select Single sign-on.
- Click the Configure single sign-on button.
Step 3: Select your identity provider
Next, it's time to select an Identity provider. You will choose Azure AD as the identity provider.
- Select Azure AD.
- Make note of the three fields and their copy buttons highlighted in the image below. They will allow you to copy information between Starburst Galaxy and the Azure portal.
- Open a new tab in your browser.
Note: Do not close the Starburst Galaxy web UI. You will need both tabs open to continue with this tutorial.
Step 4: Open Microsoft Entra ID in Azure portal
Now it's time to open the Azure portal. You're going to copy information between Starburst Galaxy and Azure to configure the SSO.
- In your new browser tab, sign in to the Azure Portal.
- In the Azure Portal, search for Microsoft Entra ID.
- Select Microsoft Entra ID.
Step 5: Create a new Enterprise application
An Enterprise application is the application identifier used within your Microsoft Entra ID. An application identifier is assigned to an application when it is registered in Azure Active Directory (Azure AD).
Enterprise applications are similar to SAML, which Starburst Galaxy uses.
You are going to create a new Enterprise application to connect Microsoft Entra ID to Starburst Galaxy.
- In the left-hand navigation bar, select Enterprise applications.
- Click the + New application button.
- Click the + Create your own application button.
Step 6: Provide a name for your application
Your new application needs a name. This should be meaningful and describe the Enterprise application you are creating, specifically Starburst Galaxy and SSO.
- Enter a meaningful name for your application. For example
your-name-galaxy-sso. - Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click the Create button.
Step 7: Assign users and groups to your application
Now it's time to assign users and groups to the new Enterprise application. This will help restrict access by role and works in a similar way to Starburst Galaxy's own role-based access control (RBAC).
- Select the Assign users and groups tile.
- Select + Add user/group.
- In the Users and groups field, click None Selected.
Step 8: Choose the users and groups you want to add
If you add a group to your cluster, everyone in that group will get an email informing them that they can sign in and set their password after you configure SCIM.
In a real-world production environment this may be desirable, but for the purposes of this tutorial it is not necessary.
- If you are using the Starburst Pay-As-You-Go subscription, enter your name in the filter box (ex.
firstname-lastname). - Click on your account(s) to add to the list, and repeat for any other users you would like to add to your Starburst Galaxy subscription.
- If you are using your personal Azure account, select any appropriate user(s) or group(s).
- Click the Select button.
- Click the Assign button.
Step 9: Configure single sign-on
Now that you've set up your Enterprise group and configured its roles, it's time to begin configuring SSO.
- In the left-hand menu, select Overview.
- In the get Get started section, select the Set up single sign-on tile.
Step 10: Select the single sign-on method
Azure allows for several methods of SSO. For this tutorial, you're going to use SAML.
- Click the SAML tile.
Step 11: Edit the basic SAML configuration
Azure creates a basic, template SAML configuration. This is a great start but you'll need to edit this template to include your specific SAML configuration.
- In the Basic SAML Configuration tile, click the ellipses.
- Click the Edit button.
Step 12: Add Identifier (Entity ID) to Azure
Now it's time to add the Identifier (Entity ID) from Starburst Galaxy into the Azure portal.
This will be the first piece of information that you copy from Starburst Galaxy, so make sure that you still have both tabs open.
- In the Identifier (Entity ID) section, select Add identifier.
- In the Starburst Galaxy Web UI, copy the Identifier (Entity ID).
- Paste the Identifier into the Identifier (Entity ID) field in the Azure portal.
Step 13: Add Reply URL (Assertion Consumer Service URL)
Now it's time to add the second piece of information from Starburst Galaxy to the Azure portal, the Reply URL (Assertion Consumer Service URL).
Again, ensure that you have both tabs open.
- In the Reply URL (Assertion Consumer Service URL) section of the Azure portal, click Add reply URL.
- In the Starburst Galaxy Web UI, copy the Reply URL (Assertion Consumer Service URL).
- Paste the Reply URL (Assertion Consumer Service URL) into the corresponding Azure portal field.
Step 14: Add the Relay State
Now for the final piece of information, the Relay State. This will help redirect users after authentication is complete.
Just like last time, you're going to copy this information from the Starburst Galaxy UI into the Azure portal.
- In the Starburst Galaxy Web UI, copy Relay State.
- Paste the Relay State into the Relay State (Optional) field in the Azure portal.
Step 15: Save the edits to the SAML configuration
You're all done. Now it's time to save your work so that you can start testing it.
- Scroll to the top of the Azure portal screen and click the Save button.
- Click the X button to exit from the edit panel.
- Click the No, I'll test later button. You aren't quite ready to test yet.
Step 16: Copy information from the Azure portal
Next, you'll need to copy some information from the Azure portal to the Starburst Galaxy Web UI. This will complete the process of linking the two systems.
To do this, you're going to use a Metadata URL.
- In the Azure portal, scroll down to the SAML Certificates section of your Enterprise Application in the Azure portal.
- Copy the App Federation Metadata Url.
Step 17: Paste information into Starburst Galaxy
Now it's time to paste the Azure Metadata URL into Starburst Galaxy.
- In the Starburst Galaxy Web UI, scroll down to the Configure Starburst Galaxy section.
- Select Metadata URL.
- Paste the App Federation Metadata Url into Starburst Galaxy.
- Click the Test configuration button.
- Confirm you see Hooray! We have successfully validated the configuration.
- Click the Configure single sign-on button.
- Click the Yes, setup SCIM button.
- Then move to the next lesson where you will be shown how to configure SCIM.
Background
After configuring a single sign-on in Starburst Galaxy, you should automatically be taken to the Provision SCIM page.
This is the next step in the process, and this tutorial will guide you through this stage. Just like last time, you'll want to keep two tabs open - one for Starburst Galaxy and the other for the Azure portal.
Step 1: Generate access token
To get started, you'll need to generate an access token.
Later in this tutorial, you'll copy this Starburst Galaxy access token into the Azure Portal.
- Click the Generate access token button.
Note: Do not click Finish or refresh the browser tab. If you do, you will lose this token and need to start again.
Step 2: Select Azure Provisioning for Enterprise Application
Now it's time to switch over to the Azure portal. You're going to use the same Enterprise Application that you set up earlier in the tutorial, but this time, you're going to add additional information to the Provisioning section. This will allow SCIM to be set up.
- Sign in to Azure portal.
- Select your Enterprise Application.
- In the left-hand navigation menu, select Provisioning.
- Click the Get started button.
Step 3: Configure provisioning details between Azure and Starburst Galaxy
Now it's time to set up the SCIM access between Azure and Starburst Galaxy.
To do this, you'll need to switch between the Azure portal and Starburst Galaxy, so make sure you have both tabs open.
- In the Azure portal, in the Provisioning Mode menu, select Automatic.
- In the Starburst Galaxy Web UI, copy the Starburst Galaxy SCIM URL, and paste it into the Tenant URL field in the Azure portal.
- From the Starburst Galaxy Web UI, copy the Starburst Galaxy access token, and paste it into the Secret Token field in the Azure portal.
- In the Azure portal, click the Test Connection button.
- Confirm that you see the message "The supplied credentials are authorized to enable provisioning."
Step 4: Save and Finish in Azure and Starburst Galaxy
Finally, you need to save your work before you can begin testing.
- Click the Save button in the Azure portal.
- Click the X to exit the Provisioning pane.
- Click the Finish button in Starburst Galaxy.
Step 5: Start provisioning in Azure portal
You're all set up and ready to go. It's time to start provisioning using SCIM. The process for this is very simple.
- In the Azure portal, click Start provisioning.
Step 6: View the new Azure users under Access control in Starburst Galaxy
Now that you're provisioning, it's time to flip back over to Starburst Galaxy and see what's happening there.
You can view all the new Azure users provisioned using SCIM in the Access control section of the navigation menu.
- In Starburst Galaxy, expand the Access control menu.
- Select Users.
- Notice that the Azure Users you assigned to the Starburst Galaxy App Integration are now listed.
- Scroll down in the user list, and click the ellipsis on the right of your Microsoft Entra ID login.
- Notice that the options for Change owner and Delete user are no longer available. This is because this user is now managed externally by your organization's identity provider.
Step 7: View provisioning details in the Azure portal
Now let's jump back into the Azure portal to view the provisioning details in more depth.
- In the Azure Portal, expand the View provisioning details menu.
- Notice that the default Provisioning interval is fixed at 40 minutes.
Step 8: Test your SSO in the Azure portal
Let's run a test in the Azure portal to see how your SSO works after the changes you just made.
- In the Azure portal, return to the Single sign-on section of your Enterprise Application.
- Click the Test button.
- Click the Test sign in button.
- You have now been redirected to your Starburst Galaxy account.
Step 9: Complete the sign in test
The test you just ran in the Azure portal should have automatically opened a new window and logged you into the Starburst Galaxy Web UI.
Note that your original Starburst Galaxy session is still running as well. You can exit from this new session now that you have completed testing.
- In the upper-right, expand the account menu.
- Select Log out.
Step 10: Sign out of Azure and Starburst Galaxy
Now it's time to complete one final test to log in to Starburst Galaxy using single sign-on.
To do this, you are going to sign out of both Azure and your other Starburst Galaxy session and go through the process from the very beginning.
- In your Azure Portal, click on your profile icon in the upper right.
- Click Sign out.
- Back in the Starburst Galaxy Web UI, click the Account menu in the upper right.
- Select Log out.
Step 11: Test single sign in with Azure
Now that you know you're logged out of both accounts, you're ready to test the single sign-on from the beginning.
- Click the Sign back in button for Starburst Galaxy.
Step 12: Choose sign in with Azure
Now you're going to sign in with Azure instead of signing in with your username and password. This will redirect you to the Azure login page.
- Click the Sign in with Azure button.
Step 13: Select Azure account and enter password
So far, so good. Next, it's time to select the Azure account and enter your Azure password.
- Enter your Azure user and enter your password.
Step 14: Confirm Starburst Galaxy sign in
And just like that, you're done!
You've successfully signed in to your Starburst Galaxy account using your Azure account and password with SSO.
- Confirm that you have signed into the Starburst Galaxy Web UI.
If you would like to delete the SSO provider at any time, you may use these instructions.
Please consider the following before you delete your SSO provider.
- The user disabling SSO must have accountadmin privileges.
- The user disabling SSO should not be signed in via SSO at the time of deletion.
- The Starburst Galaxy cluster must have a non-SSO account configured, and you must know the login credentials for it.
- The user disabling SSO must be able to sign in to Starburst Galaxy with a non-SSO account and password and must be logged in with that account when deleting an SSO configuration.
- When you delete the SSO provider, any groups assigned to roles will be removed.
- All SSO users that do not have a direct Starburst Galaxy login account, along with their role assignments will also be deleted.
Step 1: Delete the SSO provider
It's time to delete your SSO provider. To do this, you're going to sign in with Starburst Galaxy using a local account.
Note: Do not use the Sign in with Azure button.
- Sign in to Starburst Galaxy.
- Expand the Access control menu.
- Select Single sign-on.
- Click Delete single sign-on.
Step 2: Confirm deletion
Starburst Galaxy asks you to manually confirm the deletion. This prevents unwanted errors.
- Enter DELETE in the confirmation field.
- Click the Yes, delete button.
Tutorial complete
Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.
Now that you've completed this tutorial, you should have a better understanding of how to configure SSO for Starburst Galaxy with Microsoft Entra ID.
Continuous learning
At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.
Next steps
Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.
Tutorials available
Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
