GitHub user dosubot[bot] added a comment to the discussion: How to enable sso 
login in Superset 5.0.0?

Here's a working example for enabling Microsoft Azure SSO in Superset 5.0.0. 
Add this to your superset_config.py (or split out the custom security manager 
if you prefer):

```python
import os
import logging
from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"

OAUTH_PROVIDERS = [{
    "name": "azure",
    "icon": "fa-windows",
    "token_key": "access_token",
    "remote_app": {
        "client_id": os.environ.get("CLIENT_ID"),  # Set via env or secret
        "client_secret": os.environ.get("CLIENT_SECRET"),  # Set via env or secret
        "api_base_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/",
        "access_token_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
        "authorize_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize",
        "client_kwargs": {
            "scope": "openid email profile User.Read GroupMember.Read.All upn"
        }
    }
}]

# Optional: Map Azure AD group IDs to Superset roles
AUTH_ROLES_MAPPING = {
    "Azure-Group-Object-ID-1": ["Admin"],
    "Azure-Group-Object-ID-2": ["Gamma"],
    # Add more as needed
}

AUTH_ROLES_SYNC_AT_LOGIN = True
ENABLE_PROXY_FIX = True  # Important if behind a proxy/load balancer

# Optional: Custom security manager for advanced role mapping or user info extraction
class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider == "azure":
            # Fetch the signed-in user's profile from Microsoft Graph
            me = self.appbuilder.sm.oauth_remotes[provider].get(
                "https://graph.microsoft.com/v1.0/me"
            ).json()
            # Group object IDs, if the response carries a "groups" key
            groups = me.get("groups", [])
            group_role_map = {
                "Azure-Group-Object-ID-1": "Admin",
                "Azure-Group-Object-ID-2": "Gamma",
            }
            # Keep only groups that have an explicit mapping
            user_roles = [group_role_map[g] for g in groups if g in group_role_map]
            return {
                "username": me.get("userPrincipalName"),
                "first_name": me.get("givenName", ""),
                "last_name": me.get("surname", ""),
                "email": me.get("mail"),
                "role_keys": user_roles,
            }
        return super().oauth_user_info(provider, response)

CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```

Replace `<tenant_id>` with your Azure AD tenant ID. Set `CLIENT_ID` and 
`CLIENT_SECRET` as environment variables or via your deployment secrets. The 
scopes must include `upn` and group claims for role mapping to work. If you 
want to map Azure AD groups to Superset roles, either use `AUTH_ROLES_MAPPING` 
or implement it in the `oauth_user_info` method as shown above. Make sure your 
Azure app registration is configured to return group claims in the token.

If you deploy with Helm or Docker, manage secrets via Kubernetes Secrets and 
reference them in your deployment config. After setup, run `superset db 
upgrade` and `superset init` to update the schema and permissions.

For more details and troubleshooting, see [this 
example](https://github.com/apache/superset/discussions/32622) and [this 
discussion](https://github.com/apache/superset/issues/32612).


GitHub link: 
https://github.com/apache/superset/discussions/34542#discussioncomment-14001228
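
A check for the group-claim requirement mentioned in the comment above, as an added example that is not part of the original comment or of Superset's code: it maps already-validated ID-token claims to role names and returns no roles when the `groups` claim is absent or has been replaced by an overage pointer. The function name, reason strings and sample claims are assumptions constructed for illustration.

```python
# Added example: constructed data, hypothetical function and reason strings.
# Placeholder group IDs reused from the config in the comment above.
GROUP_ROLE_MAP = {
    "Azure-Group-Object-ID-1": ["Admin"],
    "Azure-Group-Object-ID-2": ["Gamma"],
}


def resolve_roles(claims, role_map=GROUP_ROLE_MAP):
    """Map already-validated ID-token claims to Superset role names.

    Returns (roles, reason). roles is empty whenever membership cannot be
    established from the token alone, so nothing is granted by default.
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        roles = sorted(
            {role
             for gid in groups if isinstance(gid, str)
             for role in role_map.get(gid, [])}
        )
        return roles, ("ok" if roles else "no-mapped-group")

    # Group overage: the token omits "groups" and carries a pointer to
    # Microsoft Graph (_claim_names/_claim_sources), or hasgroups=true.
    names = claims.get("_claim_names")
    if (isinstance(names, dict) and "groups" in names) or claims.get("hasgroups"):
        return [], "overage"
    return [], "groups-claim-missing"


# Constructed sample claims (not real tokens).
SAMPLE_OK = {
    "preferred_username": "alice@example.com",
    "groups": ["Azure-Group-Object-ID-2", "unmapped-group-id"],
}
SAMPLE_OVERAGE = {
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}},
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_OVERAGE, {}):
        print(resolve_roles(sample))
```

Logging the returned reason at login time makes a missing or overflowed `groups` claim visible instead of silently leaving users on the registration role.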
