Apache Superset SSO integration

Ravi kumar
2 min read · Jul 9, 2023

Superset is a modern data exploration and data visualization platform. Superset can replace or augment proprietary business intelligence tools for many teams. Superset integrates well with a variety of data sources.

Superset's official documentation for the configuration changes needed to customize login:
https://superset.apache.org/docs/installation/configuring-superset/

Before we start:
After a successful installation, Superset shows the default login page below:
{Image}

Try to log in with the default admin user, and verify the version you need and the sample dashboards.

If Superset runs behind a load balancer that terminates HTTPS, set
ENABLE_PROXY_FIX = True in superset_config.py.

Changes for SSO:
1: Override the default config by creating a new one at ~/superset/docker/pythonpath_dev/superset_config.py (I am using the Docker Compose setup for the Superset installation).

2: Code changes in superset_config.py (using the OpenID app type for SSO)

Note: The metadata URL can also be used to fetch the values below:
'server_metadata_url': 'https://myAuthorizationServer/.well-known/openid-configuration'

from flask_appbuilder.security.manager import AUTH_OAUTH
from custom_sso_security_manager import CustomSsoSecurityManager

# Manages user data after it is fetched from the SSO app
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

# Set the authentication type to OAuth
AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
    {
        'name': 'Examplesso',
        'token_key': 'access_token',  # Name of the token in the response of access_token_url
        'icon': 'fa-address-card',  # Icon for the provider
        'remote_app': {
            'client_id': 'myClientId',  # Client Id (identifies the Superset application)
            'client_secret': 'MySecret',  # Secret for this Client Id
            'client_kwargs': {
                'scope': 'openid'  # Scope for the authorization
            },
            # JWKS endpoint: public keys used to verify token signatures
            'jwks_uri': 'https://{app provider url}/adfs/discovery/keys',
            'access_token_method': 'POST',  # HTTP method to call access_token_url
            'access_token_params': {  # Additional parameters for calls to access_token_url
                'client_id': 'myClientId'
            },
            'access_token_headers': {  # Additional headers for calls to access_token_url
                'Authorization': 'Basic Base64EncodedClientIdAndSecret',
                'Content-Type': 'application/x-www-form-urlencoded',
            },
            'api_base_url': 'https://myAuthorizationServer/oauth2AuthorizationServer/',
            'access_token_url': 'https://myAuthorizationServer/oauth2AuthorizationServer/token',
            'authorize_url': 'https://myAuthorizationServer/oauth2AuthorizationServer/authorize'
        }
    }
]

# Allow user self-registration, so that Flask users are created from authorized SSO users
AUTH_USER_REGISTRATION = True

# The default role for self-registered users
# Change it to "Gamma" if new users should be able to view dashboards
AUTH_USER_REGISTRATION_ROLE = "Public"

3: The values above, such as client_id, client_secret, jwks_uri, api_base_url, access_token_url and authorize_url, will be provided by the app team (the organization's LDAP team), or you can get them from the official documentation if you are using GCP, AWS or Azure.
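The note in step 2 says the provider's metadata URL can supply these endpoint values. As an added example (not code from the original post or from Superset), the function below maps a discovery document to the remote_app keys used above, builds the Basic header value, and rejects non-HTTPS endpoints. The sample document, its /keys path, the environment variable names and the use of the issuer as api_base_url are assumptions.

```python
import base64
import os
from urllib.parse import urlsplit

# Constructed sample of a /.well-known/openid-configuration response,
# using the post's placeholder host; real documents carry more fields.
BASE = "https://myAuthorizationServer/oauth2AuthorizationServer"
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/keys",
}
# Discovery field -> key used in the post's remote_app block.
FIELD_MAP = {"authorization_endpoint": "authorize_url",
             "token_endpoint": "access_token_url", "jwks_uri": "jwks_uri"}

def basic_auth_header(client_id, client_secret):
    """Value for the 'Authorization' entry in access_token_headers."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def remote_app_from_discovery(doc, client_id, client_secret):
    """Map discovery fields to remote_app keys, refusing non-HTTPS endpoints."""
    for field in ("issuer", *FIELD_MAP):
        parts = urlsplit(doc.get(field, ""))
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{field} must be an https URL, got {doc.get(field)!r}")
    app = {
        "client_id": client_id,
        "client_secret": client_secret,
        "client_kwargs": {"scope": "openid"},
        # Assumption: the user-details API sits under the issuer URL.
        "api_base_url": doc["issuer"].rstrip("/") + "/",
        "access_token_method": "POST",
        "access_token_headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    }
    app.update({key: doc[field] for field, key in FIELD_MAP.items()})
    return app

if __name__ == "__main__":
    # Hypothetical variable names; keeps the secret out of superset_config.py.
    cid = os.environ.get("SUPERSET_OAUTH_CLIENT_ID", "myClientId")
    secret = os.environ.get("SUPERSET_OAUTH_CLIENT_SECRET", "MySecret")
    print(sorted(remote_app_from_discovery(SAMPLE_DISCOVERY, cid, secret)))
```

The returned dict can be assigned to 'remote_app' in OAUTH_PROVIDERS after the discovery document has been fetched once and reviewed.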

4: Create a Python file named custom_sso_security_manager.py. It must be located in the same directory as superset_config.py.

import logging
from superset.security import SupersetSecurityManager

class CustomSsoSecurityManager(SupersetSecurityManager):

    def oauth_user_info(self, provider, response=None):
        # If the userDetails URL is not working, use the response argument
        # to get user details such as name, mail, etc.
        logging.debug("Oauth2 provider: {0}.".format(provider))
        # Must match the 'name' set in OAUTH_PROVIDERS
        if provider == 'Examplesso':
            # As an example, this line sends a GET to base_url + '/' + userDetails with Bearer authentication,
            # and expects the authorization server to check the token and respond with the user details
            me = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data
            logging.debug("user_data: {0}".format(me))
            # Check the values of user_name, mail and the other fields in the me variable
            return {
                'name': me['User_name'],
                'email': me['mail'],
                'id': me['user_name'],
                'username': me['user_name'],
                'first_name': '',
                'last_name': ''
            }
    ...

5: Restart the application to get the new config working.
(In case of docker compose just perform compose down and then up)

6: Monitor the superset_app (superset_app container) for logs and any possible error/warning.

{Image}

Thank you
