GitHub user dosubot[bot] added a comment to the discussion: How to update user
datas every they login SSO in Superset 5.0.0?
Here's a working example for Microsoft Azure SSO in Superset 5.0.0, covering
initialization, updating user data on every login, and logout handling:

**1. superset_config.py settings:**
```python
import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = False  # Users must be pre-created
AUTH_ROLES_SYNC_AT_LOGIN = True
ENABLE_PROXY_FIX = True  # If behind a proxy/load balancer

OAUTH_PROVIDERS = [{
    "name": "azure",
    "icon": "fa-windows",
    "token_key": "access_token",
    "remote_app": {
        "client_id": os.environ.get("CLIENT_ID"),
        "client_secret": os.environ.get("CLIENT_SECRET"),
        "api_base_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/",
        "access_token_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
        "authorize_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize",
        "client_kwargs": {
            "scope": "openid email profile User.Read GroupMember.Read.All upn"
        }
    }
}]

# Optional: Map Azure AD group IDs to Superset roles
AUTH_ROLES_MAPPING = {
    "Azure-Group-Object-ID-1": ["Admin"],
    "Azure-Group-Object-ID-2": ["Gamma"],
    # Add more as needed
}


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider == "azure":
            remote = self.appbuilder.sm.oauth_remotes[provider]
            me = remote.get("https://graph.microsoft.com/v1.0/me").json()
            # /me carries no "groups" field; list memberships via /me/memberOf
            # (first page only; follow @odata.nextLink for large memberships).
            member_of = remote.get(
                "https://graph.microsoft.com/v1.0/me/memberOf?$select=id"
            ).json()
            groups = [g["id"] for g in member_of.get("value", [])]
            return {
                "username": me.get("userPrincipalName"),
                "first_name": me.get("givenName", ""),
                "last_name": me.get("surname", ""),
                "email": me.get("mail"),
                # role_keys are matched against the keys of AUTH_ROLES_MAPPING,
                # so pass group object IDs here, not role names.
                "role_keys": [g for g in groups if g in AUTH_ROLES_MAPPING],
            }
        return super().oauth_user_info(provider, response)


CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```
Replace `<tenant_id>` with your Azure AD tenant ID. Set `CLIENT_ID` and
`CLIENT_SECRET` as environment variables or deployment secrets. Make sure your
Azure app registration is configured to return group claims in the token.
[Reference](https://github.com/apache/superset/discussions/34542)

**2. User data update on every login:**
Superset will call `oauth_user_info` on every SSO login, updating user
attributes and roles for existing users, even with
`AUTH_USER_REGISTRATION = False` [Reference](https://github.com/apache/superset/discussions/34542).

**3. Logout handling:**
Superset by default logs out the user locally. If you want to also log out from
Azure, you may need to add a custom logout handler to redirect to Azure's
logout endpoint (not built-in). Most setups only require local logout
[Reference](https://github.com/apache/superset/discussions/34542).

**4. Best practices:**
- Use `ENABLE_PROXY_FIX = True` if behind a proxy.
- Scopes must include `upn` for proper user mapping.
- For role mapping, ensure your Azure app returns group claims and use the
correct Azure AD group object IDs.
- After setup, run `superset db upgrade` and `superset init` to update schema
and permissions.

**Checklist:**
1. Register your Superset app in Azure AD and get client ID/secret.
2. Set up `superset_config.py` as above.
3. Pre-create users in Superset if `AUTH_USER_REGISTRATION = False`.
4. Deploy and test SSO login.
5. (Optional) Implement provider-side logout if needed.

Let me know if you need a Helm/Docker example or more details on logout!
GitHub link:
https://github.com/apache/superset/discussions/34608#discussioncomment-14041947
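
An added example, not part of the original comment or of Superset's own code: a stand-alone sketch of turning an Azure AD group listing into roles keyed the way the comment's `AUTH_ROLES_MAPPING` is, following `@odata.nextLink` paging and refusing to use a partial or malformed listing. It assumes membership is read from Microsoft Graph's `/me/memberOf`; the `fetch` callable, the sample pages and the group IDs are constructed for illustration.

```python
"""Added example: resolve Azure AD group IDs to Superset roles, failing closed."""

GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/me/memberOf?$select=id"
NEXT_PAGE = "https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=X"  # constructed

# Same shape as AUTH_ROLES_MAPPING in superset_config.py (group object ID -> roles).
AUTH_ROLES_MAPPING = {
    "Azure-Group-Object-ID-1": ["Admin"],
    "Azure-Group-Object-ID-2": ["Gamma"],
}


def collect_group_ids(fetch, url=GRAPH_MEMBER_OF, max_pages=20):
    """Follow @odata.nextLink until the listing is complete.

    `fetch(url)` is a hypothetical callable returning the decoded JSON body.
    Raises if a page is malformed or the page limit is hit, so a partial
    listing is never treated as the user's full membership.
    """
    ids = []
    for _ in range(max_pages):
        page = fetch(url)
        if not isinstance(page, dict) or not isinstance(page.get("value"), list):
            raise ValueError("unexpected memberOf response")
        ids.extend(item["id"] for item in page["value"] if "id" in item)
        url = page.get("@odata.nextLink")
        if not url:
            return ids
    raise ValueError("memberOf listing exceeded page limit")


def resolve_roles(group_ids, mapping=AUTH_ROLES_MAPPING):
    """Return sorted role names for the groups present in the mapping."""
    roles = set()
    for gid in group_ids:
        roles.update(mapping.get(gid, []))
    return sorted(roles)


# Constructed sample: the only mapped group sits on the second page.
SAMPLE_PAGES = {
    GRAPH_MEMBER_OF: {"value": [{"id": "unmapped-group"}], "@odata.nextLink": NEXT_PAGE},
    NEXT_PAGE: {"value": [{"id": "Azure-Group-Object-ID-2"}]},
}

if __name__ == "__main__":
    print(resolve_roles(collect_group_ids(SAMPLE_PAGES.__getitem__)))
```

Reading only the first page here would leave the user with no roles, which is why an incomplete listing raises rather than syncing.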