Skip to main content

Home

Enabling Azure Active Directory (AAD) authentication

You can integrate Unravel with Azure Active Directory (AAD) to use this authentication service of Azure for Databricks. To integrate Unravel with AAD, you must first register Unravel services at the AAD website and then update Unravel configuration with AAD details.

Registering Unravel in AAD
  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > App registrations.

  3. Click New registration and enter the following details:

    Item

    Description

    Name

    Specify any name to identify the application.

    Supported Account Types

    Select a supported account type option.

  4. Click Register.

  5. Go to the application and select Manage > Authentication.

  6. Click Add a platform > Web and enter the following details:

    Item

    Description

    Redirect URIs

    The URIs, that are accepted as destinations when returning authentication responses after successfully authenticating or signing out users.

    https://<Unravel-server-IP or fully qualified domain name (FQDN)>:3000/aad/consume

    Logout URL

    The URIs where the request is sent to have the application clear the user's session data.

    https://<Unravel-server-IP or fully qualified domain name (FQDN)>:3000/aad/logout-consume

  7. Click Configure and go back to the application.

  8. Select Certificates & Secrets > Client Secrets > New client secret.

  9. Enter a description and select an expiry duration.

    Note

    Copy the client secret as soon as it is displayed, since this gets masked immediately.

  10. Go to the application and capture the following details for use in the Unravel configuration for AAD:

    Item

    Description

    Client ID

    Copy the details from Overview > Essentials > Application (client) ID.

    Client secret

    The client secret, which is copied as mentioned in #9

Updating Unravel configuration with AAD

The AAD configurations can be set in a JSON file and you can provide the path of this JSON file in the /usr/local/unravel/etc/unravel.properties file.

  1. Create aad.json file with the following configurations and add the file to /usr/local/unravel/etc/.

    {
    "clientID": "",
    "clientSecret": "",
    "callbackURL": "https://<unravel-server-IP or FQDN>:3000/aad/consume",
    "logoutCallbackURL": "https:<unravel-server-IP or FQDN>:3000/logout-consume",
    "logoutEnabled": false,
    "unravel_mapping": {
    "username": "upn"
    }
    }

    Item

    Description

    clientID

    Client ID from Overview > Essentials > Application (client) ID.

    clientSecret

    Client secret.

    callbackURL

    Redirect URL to consume login response from AAD. This should be the same as the Redirect URI.

    logoutCallbackURL

    Redirect URL to consume logout response from AAD. This should be the same as the Logout URL.

    logoutEnabled

    Enable/disable logout on AAD when the user logs out from Unravel.

    unravel_mapping

    Maps the AAD attributes to Unravel attributes. This is specific to AAD Integration.

  2. Stop Unravel.

    <Unravel installation directory>/unravel/manager stop
  3. Set the properties to specify the login mode and the path to the aad.json file.

    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.mode=aad
    <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.aad.config=/usr/local/unravel/etc/aad.json
    
  4. Assign admin and read-only admin roles to users by setting the corresponding properties.

    Notice

    • By default, logged-in users assume read-only admin roles when RBAC is turned off and user roles when RBAC is turned on.

    • You can also provide custom AAD groups using a script that overwrites real AAD groups. Refer to Configuring custom user groups

  5. Apply changes.

    <Unravel installation directory>/unravel/manager config apply
  6. Start Unravel

    <Unravel installation directory>/unravel/manager start