Azure AD OIDC SSO Integration


Last updated 9 days ago


Prerequisites

Set up an OIDC configuration within Microsoft Entra ID (formerly Azure AD) by registering an application, selecting the type as Web, and pointing the redirect URI to your deployment, as seen in the image below.

Redirect URL - {base_url}/api/sso/azuread/callback

Once the registration is successful, create a new client secret and copy the secret value immediately after it is created without refreshing the page.

🚧 Be careful

You will not be able to access the client secret later because it is shown ONCE and not repeated.

Creating a new client secret

Setting up token permissions to the application

Setting up API permissions to the application

Application Permissions

In Authentication, fill in the details as shown below.

At this point, the application configuration is complete. The following section covers the Fiddler-side changes.

Configure Azure SSO with Fiddler

The following details are required to configure Azure SSO with Fiddler. The name after each item is the corresponding key in the Kubernetes secret:

  • OpenID Connect metadata document: sso-azuread-identity-metadata

  • Application (client) ID: sso-azuread-client-id

  • Newly created client secret: sso-azuread-client-secret

  • Directory (tenant) ID: sso-azuread-client-tenant-id

The OpenID Connect metadata document can be found under Endpoints in the Overview section.

The following details can be obtained from the OpenID Connect metadata document URI.

  • Response Types Supported: sso-azuread-response-type

  • Response Modes Supported: sso-azuread-response-mode

  • Issuer: sso-azuread-issuer

  • Scopes Supported: sso-azuread-scope
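
The checks implied by the two lists above, as an added example (not Fiddler's own code): it reads an OpenID Connect metadata document, derives the non-secret entries of the Kubernetes secret, and refuses a document whose issuer is not tenant-specific or that lacks the response type, response mode or scopes this page sets. The function name, the tenant ID and the abridged sample document are constructed for illustration.

```python
import re

# Values the secret template on this page tells you to set.
SCOPES = ["openid", "offline_access", "profile", "email"]
RESPONSE_TYPE = "code id_token"
RESPONSE_MODE = "form_post"
# Tenant-specific issuer: https://login.microsoftonline.com/<TENANT_ID>/v2.0
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$", re.I)

def derive_secret_values(metadata, metadata_url, client_id):
    """Return the non-secret stringData entries, or raise ValueError."""
    problems = []
    issuer = metadata.get("issuer", "")
    match = ISSUER_RE.match(issuer)
    if not match:
        # A multi-tenant metadata document carries a {tenantid} placeholder
        # as issuer, so an exact issuer comparison can never succeed.
        problems.append(f"issuer is not tenant-specific: {issuer!r}")
    elif match.group(1).lower() not in metadata_url.lower():
        problems.append("metadata URL and issuer refer to different tenants")
    if RESPONSE_TYPE not in metadata.get("response_types_supported", []):
        problems.append(f"response type {RESPONSE_TYPE!r} not supported")
    if RESPONSE_MODE not in metadata.get("response_modes_supported", []):
        problems.append(f"response mode {RESPONSE_MODE!r} not supported")
    missing = [s for s in SCOPES if s not in metadata.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not supported: {missing}")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "sso-azuread-identity-metadata": metadata_url,
        "sso-azuread-client-id": client_id,
        "sso-azuread-client-tenant-id": match.group(1),
        "sso-azuread-validate-issuer": "true",
        "sso-azuread-issuer": issuer,
        "sso-azuread-scope": ",".join(SCOPES),
        "sso-azuread-response-type": RESPONSE_TYPE,
        "sso-azuread-response-mode": RESPONSE_MODE,
    }

# Constructed sample: an abridged metadata document with a made-up tenant ID.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    for key, value in derive_secret_values(SAMPLE_METADATA, SAMPLE_URL, "<CLIENT_ID>").items():
        print(f"  {key}: {value}")
```

The client secret is deliberately left out of the returned mapping so that it never passes through the script or its output.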

Deployment instructions

Step 1 Create a <secret-filename>.yaml file with the following template

apiVersion: v1
kind: Secret
metadata:
  name: fiddler-sso-azuread-credentials
  namespace: <NAMESPACE_NAME>
stringData:
  sso-azuread-identity-metadata: <IDENTITY_METADATA_URL> # the format follows `https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration`
  sso-azuread-client-id: <CLIENT_ID>
  sso-azuread-client-tenant-id: <TENANT_ID> # this is found from the ISSUER_URL like https://login.microsoftonline.com/<TENANT_ID>/v2.0
  sso-azuread-client-secret: <CLIENT_SECRET>
  sso-azuread-validate-issuer: <VALIDATE_ISSUER> # set to "true"
  sso-azuread-issuer: <ISSUER_URL> # find this from running `cat "OpenID Connect metadata document.json" | jq '.issuer'`
  sso-azuread-scope: <SCOPES> # set to "openid,offline_access,profile,email"
  sso-azuread-response-type: <RESPONSE_TYPE> # set to "code id_token"
  sso-azuread-response-mode: <RESPONSE_MODE> # set to "form_post"
type: Opaque

📘 If you use stringData above, you do not need to manually base64-encode the entries.

📘 Do not use double quotes

Don’t use double quotes anywhere in the values in the above YAML. Where the example above says set to “true”, the value is true and not “true”.

Step 2 Update the Kubernetes secret in the namespace of that cluster using the above file. The namespace passed with -n must match the namespace set in the file.

kubectl apply -f <secret-filename>.yaml -n fiddler

Step 3 Set the Helm variables fiddler.auth.sso.provider and fiddler.auth.sso.azuread.secretName to azuread and fiddler-sso-azuread-credentials, respectively. If you are using a Helm values file, use the following settings.

fiddler:
  auth:
    sso:
      provider: azuread
      azuread:
        secretName: fiddler-sso-azuread-credentials

📘 Once the deployments are updated, the new SSO settings will be applied.

Troubleshooting

  • If users are suddenly unable to log in to Fiddler, despite it working previously, check whether the client secret has expired. By default, the client secret typically expires after 6 months (unless a higher value is set at the time of creation). If it has expired, generate a new one and update the Helm configuration sso-azuread-client-secret to restore SSO functionality.
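
To catch the expiry described above before logins start failing, the following added example (not part of Fiddler's documentation or tooling) flags client secrets that have expired or will expire soon. It assumes the credential list is available as JSON with `keyId` and `endDateTime` fields, the shape `az ad app credential list --id <CLIENT_ID>` is assumed to return; the sample entries, key IDs and dates are constructed.

```python
import json
import re
from datetime import datetime, timezone

def parse_graph_time(value):
    """Parse a timestamp such as 2025-06-15T00:00:00Z into an aware datetime."""
    # Drop fractional seconds and spell out UTC so older Pythons accept it.
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)

def expiring_secrets(credentials, now, warn_days=30):
    """Return (keyId, status, days_left) for secrets expired or close to it."""
    findings = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            continue  # enough lifetime left, nothing to report
        findings.append((cred["keyId"], status, days_left))
    # Most urgent first.
    return sorted(findings, key=lambda item: item[2])

# Constructed sample in the assumed shape of the credential list output.
SAMPLE_CREDENTIALS = json.loads("""
[
  {"keyId": "key-current", "displayName": "fiddler-sso", "endDateTime": "2025-06-15T00:00:00Z"},
  {"keyId": "key-old", "displayName": "fiddler-sso-old", "endDateTime": "2025-05-20T00:00:00Z"},
  {"keyId": "key-new", "displayName": "fiddler-sso-next", "endDateTime": "2025-12-01T00:00:00Z"}
]
""")
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_id, status, days_left in expiring_secrets(SAMPLE_CREDENTIALS, NOW):
        print(f"{key_id}: {status} ({days_left} days)")
```

When a secret is rotated, the new value still has to be written to sso-azuread-client-secret as described in the bullet above.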

Settings shown in the screenshots for the Azure-side steps above:

  • Token permissions: acct, email, family_name, given_name and groups.

  • API permissions: Directory.Read.All, email, GroupMember.Read.All, offline_access, openid, profile and User.Read.

  • Authentication: under Implicit Grant and Hybrid Flows, 'Access tokens' and 'ID tokens' are enabled. Under Supported Account Types, 'Accounts in this organizational directory only' is selected.