User Login Flow Diagram - Authentication and Authorization with Active Directory in Azure


 

This article outlines the authentication flow for a user who signs in to Lakehouse Optimizer (LHO) with Active Directory (AD) enabled credentials and then accesses Databricks Workspaces.

IMG_9709.png

 

The user opens a browser and navigates to the LHO login page (step B1). Upon accessing the page, they are presented with the Login with Active Directory screen.

2025-08-29_08h11_43-20250829-151143.png
B1 request


When the user clicks the Login with Active Directory button, they are redirected to the Microsoft Single Sign-On page to authenticate with their Active Directory credentials. Multi-Factor Authentication (MFA) may be enabled on the Microsoft Single Sign-On page, depending on the organization's security settings.

Once the user has successfully authenticated through Microsoft's OAuth2 protocol (see requests diagram), LHO holds, at the end of step B2, an access token that it uses on behalf of the user to access Databricks resources (steps B3 and B4).

 

Active Directory App Registration is used to configure which user groups are permitted to authenticate via Active Directory and perform Single Sign-On within Lakehouse Optimizer (LHO).

Additionally, Active Directory Graph is used to define LHO roles. Lakehouse Optimizer uses these roles to authorize users when they access application pages.
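
The two layers described above (a group gate at sign-in, then a role gate per page) can be sketched as a deny-by-default check. This is an added example, not LHO's own code. It assumes the claims come from a token whose signature has already been verified and that group object IDs and role names arrive in the `groups` and `roles` claims; the tenant ID, client ID, group ID, role names and page paths are constructed placeholders.

```python
import time

# Constructed sample values; none of these come from the LHO product.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"  # app registration (audience)
ALLOWED_GROUPS = {"11111111-1111-1111-1111-111111111111"}  # group object IDs
# Hypothetical page-to-role map; role names are placeholders.
PAGE_ROLES = {"/reports": {"Viewer", "Admin"}, "/settings": {"Admin"}}


def authorize(claims, page, now=None):
    """Return (allowed, reason) for already signature-verified token claims."""
    now = time.time() if now is None else now
    # Token-level checks: issued by our tenant, for our app, and still valid.
    if claims.get("tid") != TENANT_ID:
        return False, "wrong tenant"
    if claims.get("aud") != CLIENT_ID:
        return False, "wrong audience"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    # Layer 1: only members of a permitted group may use the application.
    if not ALLOWED_GROUPS & set(claims.get("groups", [])):
        return False, "not in a permitted group"
    # Layer 2: per-page role check; pages without a mapping are denied.
    required = PAGE_ROLES.get(page)
    if required is None:
        return False, "unknown page"
    if not required & set(claims.get("roles", [])):
        return False, "missing role"
    return True, "ok"


# Constructed claims: a user in a permitted group who holds the Viewer role.
SAMPLE = {
    "tid": TENANT_ID, "aud": CLIENT_ID, "exp": 2_000_000_000,
    "groups": ["11111111-1111-1111-1111-111111111111"], "roles": ["Viewer"],
}

if __name__ == "__main__":
    for page in ("/reports", "/settings", "/debug"):
        print(page, authorize(SAMPLE, page, now=1_900_000_000))
```

A token that carries no `groups` claim, which happens for users with very many group memberships, fails closed at the first layer in this sketch.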

 

Service Principal Security Flow Diagram - new (3).jpg

 

 

 

For more details, please refer to the following related articles: