Azure SCIM setup #

System for Cross-domain Identity Management (SCIM) is a standard protocol for automating the exchange of user identity information between identity domains. Starburst Galaxy supports SCIM to allow an SSO identity provider to push user and group membership changes to Galaxy. Thus, Galaxy can accept an identity provider’s database of users and groups as its own.

Configure SCIM #

To complete the setup of Azure as the SSO identity provider for Starburst Galaxy, follow the steps on this page. This procedure presumes you have Galaxy open and are logged in with accountadmin rights, and that you have completed the steps on Azure SAML setup.

  1. In Galaxy, go to the Access control > Single sign-on pane, which is left unfinished at the end of the Azure SAML setup page.

    You might also land on the Single sign-on pane by clicking Resume configuring single sign-on or clicking Provision SCIM on the Groups page.

      SCIM generate access token

  2. Click Generate access token.

    Do not click Finish or navigate away from this pane yet!

    If you do leave this page, you cannot restore this generated access token, but you can always create another token and provision that one. During this procedure, consider making a safety copy of the token until you finish setting up the IdP side of SCIM.

  3. In the Azure portal, in Azure services, select Azure Active Directory.

      Azure Active Directory icon

  4. In the navigation menu, select Enterprise applications.

  5. Locate the application you added on the Azure SAML setup page, probably named Starburst Galaxy, and click its name.

  6. In the Overview page for this app, click the Provision User Accounts tile (or click Provisioning in the navigation menu).

      Azure provisioning welcome

  7. Click Get started in the Provisioning welcome pane.

  8. In the Provisioning pane, select Automatic from the Provisioning Mode drop-down.

  9. From Galaxy, copy the URL in the Starburst Galaxy SCIM URL field to the Tenant URL field in Azure.

  10. From Galaxy, copy the Starburst Galaxy access token value to the Secret Token field in Azure.

      Azure provisioning creds test success

  11. In Azure, click Test Connection. Look for a success dialog confirming that that Azure is now authorized to provision Starburst Galaxy.

      Azure provisioning creds test success

  12. Click Save.

Finish SCIM setup in Galaxy #

In the browser window holding Starburst Galaxy, the Provision SCIM pane is still open.

  1. Click Finish.

  2. Navigate to Access control > Users and leave this browser window open. As provisioning proceeds from Azure, you can expect to see user names you authorized for Galaxy access in Azure to begin populating the Users list.

Start SCIM provisioning #

  1. Start again in Azure > Azure Active Directory > Enterprise applications. Click the name of your Starburst Galaxy app.

  2. In the navigation menu, click Provisioning.

  3. If the Provisioning Mode pane is still open from the end of the Configure SCIM section, close that pane by clicking the X link in the upper right corner.

  4. The main Provisioning pane now shows status and management links for the process that runs periodically to update Galaxy with any changed user and group information.

    On this page, click Start provisioning and give it some time to run.

  5. Come back to this page to check the status of the initial provisioning cycle. The provisioning logs do not report any activity until the initial cycle has run.

  6. Expand the View provisioning details section to see the provisioning interval. If this is too long and you’d like to provision users immediately, navigate to the Provision on demand tab. Search for the name of a user or group as known to Azure, then click Provision.

  7. The results of successful provisioning are that the Access control > Users list in Galaxy now contains the user email names of the users you authorized in Azure to use Galaxy.

    To distinguish an Azure-provisioned username from a direct-entered one, click the menu for that name. An Azure-provisioned name has the last two options dimmed, and shows a usage note if you hover over either of those options.

      SSO-provisioned username

Login from Galaxy #

Do not test logging in to Galaxy with an Azure user name until:

  • You see in the Azure portal that the Start provisioning initial cycle has completed.

  • You see in Galaxy that the Access control > Users list shows user names provisioned from Azure.

When these conditions are met, log out of Starburst Galaxy and try to log back in. On the login page, you now have an Azure option for signing in.

Click the Azure button and log in to Azure with the username you assigned to the app integration in Azure.

  Azure button on log in page

Usage notes:

  • Azure logins to Galaxy work best with the Chrome browser.

  • If your current browser has no history of logging in with a Microsoft or live.com account, you may need to use the Sign-in options on the Microsoft login dialog. Select Sign in with a work account and enter the URL of your Azure AD account. Note that Azure may have generated a URL for you in the onmicrosoft.com domain. Locate the Primary domain name in the Properties page for your Azure AD account at portal.azure.com.

You can also use Microsoft’s My Apps dashboard. Open myapps.microsoft.com and log in with a Galaxy-enabled username. Look for the Starburst Galaxy icon in the list of apps. Click that icon to open Galaxy without further prompts. If you have logged in with more than one enabled username in the current browser, the Pick an account dialog opens first.

  MyApps dashboard with Starburst Galaxy icon

Logging in with a previously configured, non-Azure email name and password is still available and still valid despite the availability of Azure-provisioned logins. You can eventually reduce the number of direct-configured email name logins to a few trusted administrative names.