GitHub user johannes-ws added a comment to the discussion: How to update user 
datas every they login SSO in Superset 5.0.0?

> Here's a working example for Microsoft Azure SSO in Superset 5.0.0, covering 
> initialization, updating user data on every login, and logout handling:
> 
> **1. superset_config.py settings:**
> 
> ```python
> import os
> from flask_appbuilder.security.manager import AUTH_OAUTH
> from superset.security import SupersetSecurityManager
> 
> AUTH_TYPE = AUTH_OAUTH
> AUTH_USER_REGISTRATION = False  # Users must be pre-created
> AUTH_ROLES_SYNC_AT_LOGIN = True
> ENABLE_PROXY_FIX = True  # If behind a proxy/load balancer
> 
> OAUTH_PROVIDERS = [{
>     "name": "azure",
>     "icon": "fa-windows",
>     "token_key": "access_token",
>     "remote_app": {
>         "client_id": os.environ.get("CLIENT_ID"),
>         "client_secret": os.environ.get("CLIENT_SECRET"),
>         "api_base_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/",
>         "access_token_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
>         "authorize_url": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize",
>         "client_kwargs": {
>             "scope": "openid email profile User.Read GroupMember.Read.All upn"
>         }
>     }
> }]
> 
> # Optional: Map Azure AD group IDs to Superset roles
> AUTH_ROLES_MAPPING = {
>     "Azure-Group-Object-ID-1": ["Admin"],
>     "Azure-Group-Object-ID-2": ["Gamma"],
>     # Add more as needed
> }
> 
> class CustomSsoSecurityManager(SupersetSecurityManager):
>     def oauth_user_info(self, provider, response=None):
>         if provider == "azure":
>             me = self.appbuilder.sm.oauth_remotes[provider].get("https://graph.microsoft.com/v1.0/me").json()
>             groups = me.get("groups", [])
>             group_role_map = {
>                 "Azure-Group-Object-ID-1": "Admin",
>                 "Azure-Group-Object-ID-2": "Gamma",
>             }
>             user_roles = [group_role_map[g] for g in groups if g in group_role_map]
>             return {
>                 "username": me.get("userPrincipalName"),
>                 "first_name": me.get("givenName", ""),
>                 "last_name": me.get("surname", ""),
>                 "email": me.get("mail"),
>                 "role_keys": user_roles,
>             }
>         return super().oauth_user_info(provider, response)
> 
> CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
> ```
> 
> Replace `<tenant_id>` with your Azure AD tenant ID. Set `CLIENT_ID` and 
> `CLIENT_SECRET` as environment variables or deployment secrets. Make sure 
> your Azure app registration is configured to return group claims in the 
> token. [Reference](https://github.com/apache/superset/discussions/34542)
> 
> **2. User data update on every login:** Superset will call `oauth_user_info` 
> on every SSO login, updating user attributes and roles for existing users, 
> even with `AUTH_USER_REGISTRATION = False` 
> [Reference](https://github.com/apache/superset/discussions/34542).
> 
> **3. Logout handling:** Superset by default logs out the user locally. If you 
> want to also log out from Azure, you may need to add a custom logout handler 
> to redirect to Azure's logout endpoint (not built-in). Most setups only 
> require local logout 
> [Reference](https://github.com/apache/superset/discussions/34542).
> 
> **4. Best practices:**
> 
> * Use `ENABLE_PROXY_FIX = True` if behind a proxy.
> * Scopes must include `upn` for proper user mapping.
> * For role mapping, ensure your Azure app returns group claims and use the 
> correct Azure AD group object IDs.
> * After setup, run `superset db upgrade` and `superset init` to update schema 
> and permissions.
> 
> **Checklist:**
> 
> 1. Register your Superset app in Azure AD and get client ID/secret.
> 2. Set up `superset_config.py` as above.
> 3. Pre-create users in Superset if `AUTH_USER_REGISTRATION = False`.
> 4. Deploy and test SSO login.
> 5. (Optional) Implement provider-side logout if needed.
> 
> Let me know if you need a Helm/Docker example or more details on logout!
> 

I already used this code, but my user data doesn't update on every SSO login. @dosu

GitHub link: 
https://github.com/apache/superset/discussions/34608#discussioncomment-14099133
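
One way to refresh stored profile fields at each SSO login, as an added example that is not from the thread or the Superset project. It assumes the base security manager's `auth_user_oauth` handles lookup, the active check and role sync for an existing user without copying name or email, and that `update_user` persists the change; `ProfileSyncMixin` and `changed_profile_fields` are hypothetical names.

```python
# Added example, not from the thread. Assumption: the base security manager
# exposes auth_user_oauth(userinfo) and update_user(user), as Flask-AppBuilder's
# SQLAlchemy security manager does.
PROFILE_FIELDS = ("first_name", "last_name", "email")


def changed_profile_fields(user, userinfo):
    """Return {field: new_value} for IdP values that differ from the stored user."""
    changes = {}
    for field in PROFILE_FIELDS:
        new_value = (userinfo.get(field) or "").strip()
        # An empty claim (Graph "mail" can be null) must not blank a stored value.
        if new_value and getattr(user, field, None) != new_value:
            changes[field] = new_value
    return changes


class ProfileSyncMixin:
    """Mix in ahead of SupersetSecurityManager to refresh the profile at login."""

    def auth_user_oauth(self, userinfo):
        # The base class decides whether the login is accepted at all.
        user = super().auth_user_oauth(userinfo)
        if user is None:
            return None  # rejected login: never write to the user table
        changes = changed_profile_fields(user, userinfo)
        for field, value in changes.items():
            setattr(user, field, value)
        if changes:
            self.update_user(user)  # persist only when something changed
        return user


# Hypothetical wiring in superset_config.py, reusing the names from the
# quoted configuration:
#   class CustomSsoSecurityManager(ProfileSyncMixin, SupersetSecurityManager):
#       ...  # oauth_user_info as in the quoted reply
#   CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```

The username is left alone because it is the key the login lookup uses; only the fields returned by `oauth_user_info` are compared.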
