Author: Serena Wang
Introduction
In addition to the on-premises Windows Server Active Directory (Windows AD), Kepion is now integrated with Azure Active Directory (Azure AD), which provides you with the following benefits:
- You can control in Azure AD who has access to Kepion
- You can enable your users to be signed in to Kepion automatically (Single Sign-On) with their Azure AD accounts
Kepion supports three authentication modes. This article explains each one.
Option 1: Windows AD
This is the default authentication option when you set up a Kepion server. All servers in the environment are joined to an on-premises Windows AD domain (e.g., CORP). Users can log in with their Windows AD credentials, e.g., CORP\USER, where CORP is the domain and USER is the login name.
Feature | Description |
---|---|
Authentication | 1. Windows AD credentials can be configured on any server, as all the machines belong to the same domain (e.g., CORP).<br>2. Users log in to Kepion with their Windows AD account, i.e., CORP\USER1.<br>3. Users connect to SSAS with their Windows AD account, i.e., CORP\USER1. |
Groups | Full Windows AD group support. |
SSAS Security | Fully integrates with SSAS security for both Kepion and 3rd party client tools. |
Note: The sAMAccountName attribute in AD is required to validate users on Kepion.
Option 2: Azure AD Integrated
Windows AD and Azure AD are synced together as one. Users can log in with either their Windows AD or Azure AD credentials, i.e., CORP\USER or USER@CORP.COM.
If your users are currently using Windows AD credentials to access Kepion, and you’d like to integrate with Azure AD, consult IT at your organization about how to sync up Windows AD and Azure AD. Azure provides services to help with that.
Feature | Description |
---|---|
Authentication | 1. Windows AD credentials can be configured on any server, as all the machines belong to the same domain (e.g., CORP). Azure AD credentials can be validated and resolved to their Windows AD equivalent.<br>2. Users log in to Kepion with their Azure AD account, e.g., USER1@CORP.COM. Only Azure users with a corresponding domain account will be supported.<br>3. Users connect to SSAS with either their Windows AD account, e.g., CORP\USER1, or their Azure AD account, e.g., USER1@CORP.COM. |
Groups | Full Windows AD group and Azure AD group support. |
SSAS Security | Fully integrates with SSAS security for both Kepion and 3rd party client tools. |
Option 3: Azure AD Stand-alone
Azure AD and the on-premises Windows AD are separate services without any sync between them. Users can only log in with their Azure AD credentials, i.e., USER@CLOUD.COM.
Feature | Description |
---|---|
Login | 1. Azure AD is on its own domain (e.g., CLOUD). Kepion servers are joined to a Windows AD domain (e.g., CORP) or not joined to any domain. Within the Kepion web server, Azure AD credentials cannot be validated.<br>2. Users log in to Kepion with their Azure AD account, e.g., USER1@CLOUD.COM.<br>3. Kepion will not publish security users to SSAS, as Azure AD users are not valid within the Kepion web server. Thus, users will not be able to connect directly to SSAS using Azure AD. |
Groups | Full Azure AD group support. |
SSAS Security | Security is applied when accessing SSAS through the Kepion server. However, direct access to SSAS from 3rd party tools using Azure AD is not supported. |
Which Azure AD Authentication Works Best for You?
Use the summary below to help determine which Azure AD authentication works best for your organization.
Authentication Mode | Login to Kepion | User Type Supported | Connect to SSAS from 3rd Party Tools?* |
---|---|---|---|
Windows AD | Windows AD credential (e.g., CORP\USER1) | Windows AD User<br>Windows AD Group<br>Local Machine User | Windows AD credential (e.g., CORP\USER1) |
Azure AD Integrated | Azure AD credential (e.g., USER1@CORP.COM) | Azure AD User<br>Azure AD Group | Windows AD credential (e.g., CORP\USER1), or Azure AD credential (e.g., USER1@CORP.COM) |
Azure AD Stand-alone | Azure AD credential (e.g., USER1@CORP.COM) | Azure AD User<br>Azure AD Group | Not supported |
*Includes 3rd party tools that try to connect to Kepion-generated SSAS cubes, e.g., Excel PivotTable.
How to Integrate Kepion with Azure AD
Now that you’ve figured out whether Azure AD Integrated or Azure AD Stand-alone works best for you, let’s check out the next steps.
Azure AD Integrated
To configure the Azure AD Integrated mode, please check prerequisites based on the current AD setup on your Kepion web server. Follow this guide to verify if your Kepion web server is joined with a Windows AD domain or an Azure AD domain.
Is Kepion web server joined with a Windows AD domain? | Is Kepion web server joined with an Azure AD domain? | Prerequisites |
---|---|---|
Yes | Yes | You can start right away! |
Yes | No | Consult IT at your organization about how to integrate the Windows AD domain with the Azure AD domain. |
No | No | Consult IT at your organization about how to join the Kepion web server to a Windows AD domain and Azure AD domain. |
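One way to check the two join states from the table above on the Kepion web server, using the output of the built-in Windows `dsregcmd /status` command. This is an added example, not Kepion's own guide or code; the function name `Get-KepionPrerequisite` and the sample output lines are constructed for illustration.

```powershell
# Added example: map a server's join state to the prerequisites table above.
# Get-KepionPrerequisite is a hypothetical helper name, not part of Kepion.
function Get-KepionPrerequisite {
    # Lines of `dsregcmd /status` output (blank lines are allowed).
    param([string[]]$StatusLines)

    # Collect the "Name : Value" fields that describe the join state.
    $state = @{ AzureAdJoined = 'NO'; DomainJoined = 'NO'; DomainName = '' }
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $windowsAd = $state.DomainJoined -eq 'YES'
    $azureAd   = $state.AzureAdJoined -eq 'YES'

    # Rows follow the article's table; "No / Yes" is not listed there.
    $prerequisite = if ($windowsAd -and $azureAd) {
        'You can start right away.'
    } elseif ($windowsAd) {
        'Integrate the Windows AD domain with the Azure AD domain first.'
    } elseif (-not $azureAd) {
        'Join the server to a Windows AD domain and an Azure AD domain first.'
    } else {
        'Combination not covered by the prerequisites table; consult IT.'
    }

    [pscustomobject]@{
        WindowsAdJoined = $windowsAd
        WindowsAdDomain = $state.DomainName
        AzureAdJoined   = $azureAd
        Prerequisite    = $prerequisite
    }
}

# Constructed sample of the relevant dsregcmd /status lines (domain-joined only).
$sample = @(
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP'
)
Get-KepionPrerequisite -StatusLines $sample

# On the Kepion web server itself, feed in the live output instead:
# Get-KepionPrerequisite -StatusLines (dsregcmd /status)
```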
Once your Kepion web server is joined with both Windows AD and Azure AD, follow this guide to get started. There are three main steps:
- Azure Portal Setup
- Kepion Server Setup -> Azure AD Integrated
- Connect to Kepion
Azure AD Stand-alone
To configure the Azure AD Stand-alone mode, follow this guide to get started. There are three main steps:
- Azure Portal Setup
- Kepion Server Setup -> Azure AD Stand-alone
- Connect to Kepion