Last Updated: 2024-01-25

Background

This tutorial will guide you through the process of configuring a Starburst Galaxy single sign-on (SSO) using Microsoft Entra ID. To do this, you will be working in both the Azure portal and the Starburst Galaxy Web UI.

After configuring single sign-on, you will test it. You will then have the option to delete the SSO, if necessary.


Identity Providers (IdP)

An Identity Provider (IdP) is a system or service responsible for managing and authenticating the identities of users within a network or system. In the context of identity and access management (IAM), an IdP verifies the identity of individuals and provides authentication services, often in the form of login credentials (such as usernames and passwords) or other authentication methods.

In many scenarios, an IdP is a central component of a single sign-on (SSO) system. When a user attempts to access a protected resource or service, the IdP verifies the user's identity and, if authentication is successful, issues a security token. This token is then used to grant the user access to various applications or services without the need to re-enter credentials for each service.

Starburst Galaxy supports and tests the following three IdPs:

Starburst Galaxy also supports the use of a Custom IdP, provided it supports the Security Assertion Markup Language (SAML) protocol standard.

Systems for Cross-domain Identity Management (SCIM)

A System for Cross-domain Identity Management (SCIM) is a standard protocol used to automate the exchange of user identity information between identity domains.

You can use SCIM to replicate and sync users and groups from your IdP into Starburst Galaxy. The IdP can also push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This ultimately allows an administrator to assign IdP users and/or groups to access control roles in Starburst Galaxy after they are synced into Starburst Galaxy. The process of assigning roles is a separate task and not part of the SSO or SCIM configuration.

Starburst Galaxy supports and tests System for Cross-domain Identity Management (SCIM) with the following two IdPs:

Prerequisites

Learning outcomes

Upon successful completion of this tutorial, you will be able to:

About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.

As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.

Background

Microsoft Entra ID is a cloud-based solution used for identity and access management. It operates as a directory and identity management system, providing authentication and authorization services across a range of Microsoft platforms, including Microsoft Azure.

In this first part of the tutorial, you will begin by configuring Starburst Galaxy to enable single sign-on (SSO) using Microsoft Entra ID.

Step 1: Sign into Starburst Galaxy

Sign into Starburst Galaxy in the usual way. If you have not already set up an account, you can do that here.

Step 2: Use Access menu to configure new SSO

Now it's time to begin configuring a new single sign-on. SSO is considered a form of access control, and management of new SSO configurations is handled through the Access menu.

Step 3: Select your identity provider

Next, it's time to select an Identity provider. You will choose Microsoft Entra ID as the identity provider.

Note: Do not close the Starburst Galaxy web UI. You will need both tabs open to continue with this tutorial.

Step 4: Open Microsoft Entra ID in Azure portal

Now it's time to open the Azure portal. You're going to copy information between Starburst Galaxy and Azure to configure the SSO.

Step 5: Create a new Enterprise application

An Enterprise application is the application identifier used within your Microsoft Entra ID. An application identifier is assigned to an application when it is registered in Azure Active Directory (Azure AD).

Enterprise applications are similar to SAML, which Starburst Galaxy uses.

You are going to create a new Enterprise application to connect Microsoft Entra ID to Starburst Galaxy.

Step 6: Provide a name for your application

Your new application needs a name. This should be meaningful and describe the Enterprise application you are creating, specifically Starburst Galaxy and SSO.

Step 7: Assign users and groups to your application

Now it's time to assign users and groups to the new Enterprise application. This will help restrict access by role and works in a similar way to Starburst Galaxy's own role-based access control (RBAC).

Step 8: Choose the users and groups you want to add

If you add a group to your cluster, everyone in that group will get an email informing them that they can sign in and set their password after you configure SCIM.

In a real-world production environment this may be desirable, but for the purposes of this tutorial it is not necessary.

Step 9: Configure single sign-on

Now that you've set up your Enterprise group and configured its roles, it's time to begin configuring SSO.

Step 10: Select the single sign-on method

Azure allows for several methods of SSO. For this tutorial, you're going to use SAML.

Step 11: Edit the basic SAML configuration

Azure creates a basic, template SAML configuration. This is a great start but you'll need to edit this template to include your specific SAML configuration.

Step 12: Add Identifier (Entity ID) to Azure

Now it's time to add the Identifier (Entity ID) from Starburst Galaxy into the Azure portal.

This will be the first piece of information that you copy from Starburst Galaxy, so make sure that you still have both tabs open.

Step 13: Add Reply URL (Assertion Consumer Service URL)

Now it's time to add the second piece of information from Starburst Galaxy to the Azure portal, the Reply URL (Assertion Consumer Service URL).

Again, ensure that you have both tabs open.

Step 14: Add the Relay State

Now for the final piece of information, the Relay State. This will help redirect users after authentication is complete.

Just like last time, you're going to copy this information from the Starburst Galaxy UI into the Azure portal.

Step 15: Save the edits to the SAML configuration

You're all done. Now it's time to save your work so that you can start testing it.

Step 16: Copy information from the Azure portal

Next, you'll need to copy some information from the Azure portal to the Starburst Galaxy Web UI. This will complete the process of linking the two systems.

To do this, you're going to use a Metadata URL.

Step 17: Paste information into Starburst Galaxy

Now it's time to paste the Azure Metadata URL into Starburst Galaxy.
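
The values exchanged in Steps 12, 13 and 16 are the ones a SAML service provider compares, character for character, against each incoming response. The following is an added example (not Starburst Galaxy's or Microsoft's code) that runs those checks on a constructed, unsigned response; every URL and the tenant ID are placeholders, and `binding_errors` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder values. Real ones come from the Starburst Galaxy SSO
# form (Steps 12-13) and from the Azure metadata (Step 16).
SP_ENTITY_ID = "https://galaxy.example.invalid/saml/metadata"
SP_ACS_URL = "https://galaxy.example.invalid/saml/acs"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed, unsigned sample response, trimmed to the elements checked below.
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="{SP_ACS_URL}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def binding_errors(xml_text, sp_entity_id, acs_url, idp_entity_id):
    """Name each configured value that the response does not match exactly.

    Signature verification must already have passed; it is not done here.
    Parse untrusted XML with a hardened parser, not plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    errors = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != idp_entity_id:
        errors.append("issuer")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        errors.append("audience")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if root.get("Destination") != acs_url or acs_url not in recipients:
        errors.append("acs_url")
    return errors
```

Because the comparison is exact, a Reply URL pasted into Azure with an extra trailing slash, or an Identifier copied from a different account, shows up as a mismatch rather than a silent partial match.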

Background

After configuring a single sign-on in Starburst Galaxy, you should automatically be taken to the Provision SCIM page.

This is the next step in the process, and this tutorial will guide you through this stage. Just like last time, you'll want to keep two tabs open - one for Starburst Galaxy and the other for the Azure portal.

Step 1: Generate access token

To get started, you'll need to generate an access token.

Later in this tutorial, you'll copy this Starburst Galaxy access token into the Azure Portal.

Note: Do not click Finish or refresh the browser tab. If you do, you will lose this token and need to start again.

Step 2: Select Azure Provisioning for Enterprise Application

Now it's time to switch over to the Azure portal. You're going to use the same Enterprise Application that you set up earlier in the tutorial, but this time, you're going to add additional information to the Provisioning section. This will allow SCIM to be set up.

Step 3: Configure provisioning details between Azure and Starburst Galaxy

Now it's time to set up the SCIM access between Azure and Starburst Galaxy.

To do this, you'll need to switch between the Azure portal and Starburst Galaxy, so make sure you have both tabs open.

Step 4: Save and Finish in Azure and Starburst Galaxy

Finally, you need to save your work before you can begin testing.

Step 5: Start provisioning in Azure portal

You're all set up and ready to go. It's time to start provisioning using SCIM. The process for this is very simple.

Step 6: View the new Azure users under Access control in Starburst Galaxy

Now that you're provisioning, it's time to flip back over to Starburst Galaxy and see what's happening there.

You can view all the new Azure users provisioned using SCIM in the Access control section of the navigation menu.

Step 7: View provisioning details in the Azure portal

Now let's jump back into the Azure portal to view the provisioning details in more depth.

Step 8: Test your SSO in the Azure portal

Let's run a test in the Azure portal to see how your SSO works after the changes you just made.

Step 9: Complete the sign in test

The test you just ran in the Azure portal should have automatically opened a new window and logged you into the Starburst Galaxy Web UI.

Note that your original Starburst Galaxy session is still running as well. You can exit from this new session now that you have completed testing.

Step 10: Sign out of Azure and Starburst Galaxy

Now it's time to complete one final test to log in to Starburst Galaxy using single sign-on.

To do this, you are going to sign out of both Azure and your other Starburst Galaxy session and go through the process from the very beginning.

Step 11: Test single sign in with Azure

Now that you know you're logged out of both accounts, you're ready to test the single sign-on from the beginning.

Step 12: Choose sign in with Azure

Now you're going to sign in with Azure instead of signing in with your username and password. This will redirect you to the Azure login page.

Step 13: Select Azure account and enter password

So far, so good. Next, it's time to select the Azure account and enter your Azure password.

Step 14: Confirm Starburst Galaxy sign in

And just like that, you're done!

You've successfully signed in to your Starburst Galaxy account using your Azure account and password with SSO.

If you would like to delete the SSO provider at any time, you may use these instructions.

Please consider the following before you delete your SSO provider.

Step 1: Delete the SSO provider

It's time to delete your SSO provider. To do this, you're going to sign in with Starburst Galaxy using a local account.

Note: Do not use the Sign in with Azure button.

Step 2: Confirm deletion

Starburst Galaxy asks you to manually confirm the deletion. This prevents unwanted errors.

Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

Now that you've completed this tutorial, you should have a better understanding of how to configure SSO for Starburst Galaxy with Microsoft Entra ID.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
