Microsoft Fabric Security Setup

This topic explains the security setup for connecting to an MS Fabric data source. This includes defining the Authentication Method that you want to use and incorporating details from the provider.

Process Overview

If you want to use MS Fabric as your data source, you first need to:

  • Set up and configure Microsoft as an identity provider.
  • Set up and configure Azure with the correct details to enable data source authentication using your identity provider.

This includes setting up a new identity provider, a role with a policy for access to Fabric, and a trust relationship with the provider account. Lastly, you need to configure Pyramid by setting up multiple fields that are used to establish a connection to the data warehouse.

Data Source Security Settings

The Pyramid configuration happens in the Data > Data Source panel of the Admin Console on the Security tab. For MS Fabric, this looks like:

Authentication Method

The authentication method can be one of:

  • Service Account.
  • SSO specific user - interactive authentication with a single account for all users.
  • SSO end user - interactive authentication by each individual user as they log in to Pyramid.

Service Account

When using a service account, the authentication is common to all users of the connection. Copy the authentication details (Client ID, Client Secret, and Directory (Tenant) ID) from the Microsoft Azure administrative console.

Single Sign-on (OAuth) options

If you are using one of the SSO OAuth options:

  • Single Sign-on (OAuth) - Specific User: All users of this data source share and use the credentials and sign in code defined here.
  • Single Sign-on (OAuth) - End User: Each user signs in when starting Pyramid or when connecting to the data source. This is a "one off" event. The user's sign in code is stored and reused for subsequent data access. Pyramid automatically refreshes this as needed.

SSO OAuth Authentication makes use of the user's credentials to connect and authenticate access to a data source. The process is often used in big organizations that have centralized security and are using one framework to secure all data assets.

Provider Settings

Once the connection to an identity provider is set up and the authentication is working, you can provide details from the provider to Pyramid. You need to retrieve all of the options including Scope, Client ID, Client Secret, and Directory (Tenant) ID from the provider.

OAuth Settings
Global Settings

If you want to use the global OAuth settings, you must set the Global Settings to match the provider details. These settings are found on the Data > Global Settings page of the Admin Console.

Important: You must always set Redirect URL in the Global Settings.

Custom Settings

If you do not want to use the global OAuth settings, you must override them by selecting the Custom Settings option (purple arrow above) in this panel and then setting the values to match the provider details.
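Before entering the provider details in either the global or the custom settings, it can help to check that they are well formed. The following is an added example, not Pyramid's own code: it checks the values and builds the sign-in request they produce, assuming the standard Microsoft identity platform v2.0 authorization-code endpoint. The dictionary keys, method labels, and sample values are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit

# Microsoft identity platform v2.0 authority (public cloud).
AUTHORITY = "https://login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SSO_METHODS = {"sso_specific_user", "sso_end_user"}  # hypothetical labels

def check_settings(s):
    """Return a list of problems found in the provider details."""
    problems = []
    for key in ("client_id", "tenant_id"):
        if not GUID.fullmatch(s.get(key, "")):
            problems.append(f"{key}: not a GUID")
    if not s.get("client_secret", "").strip():
        problems.append("client_secret: empty")
    # The Redirect URL must always be set; require https except on localhost.
    url = urlsplit(s.get("redirect_url", ""))
    if not url.hostname:
        problems.append("redirect_url: missing")
    elif url.scheme != "https" and url.hostname != "localhost":
        problems.append("redirect_url: must use https")
    if s.get("method") in SSO_METHODS and not s.get("scope", "").split():
        problems.append("scope: required for the SSO options")
    return problems

def authorize_url(s, state):
    """Build the authorization-code request used for interactive sign-in."""
    query = urlencode({
        "client_id": s["client_id"],
        "response_type": "code",
        "redirect_uri": s["redirect_url"],  # must match the registered value
        "scope": s["scope"],
        "state": state,  # random per-request value, verified on return
    })
    return f"{AUTHORITY}/{s['tenant_id']}/oauth2/v2.0/authorize?{query}"

# Constructed sample values, not real identifiers.
SAMPLE = {
    "method": "sso_end_user",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value",
    "redirect_url": "https://pyramid.example.com/oauth/callback",
    "scope": "<scope-from-provider>",
}

if __name__ == "__main__":
    print(check_settings(SAMPLE) or "settings look consistent")
    print(authorize_url(SAMPLE, state="constructed-state"))
```
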

Connecting

If you are setting up Single Sign-on (OAuth) - Specific User, you should click Connect to connect to the data source and generate an OAuth refresh code once the provider settings are supplied.

Signing in to Pyramid

With the Authentication Method drop-down set to Single Sign-on (OAuth) - End User, each user will be prompted to sign in for individually authenticated data access.

With the Authentication Method drop-down set to Single Sign-on (OAuth) - Specific User, each user will share the provider account as well as the Client ID and Client Secret.