
Integrating Weights & Biases with Single Sign-On (SSO) using Azure AD and OIDC

Learn how to integrate W&B with AzureAD and OIDC in this step-by-step tutorial
Created on March 28 | Last edited on September 25
Ensuring secure and efficient access to tools is paramount for teams and organizations building real-world ML. The W&B platform for machine learning experiment tracking, model optimization, and dataset versioning offers robust solutions tailored to meet diverse operational and security needs.
This article provides a high-level overview of W&B's deployment mechanisms, its authentication recommendations, and detailed instructions on setting up federation with Azure Active Directory (Azure AD) using OpenID Connect (OIDC).
Let's get started.

Understanding W&B's deployment options

W&B caters to a wide array of organizational needs through three primary deployment options: Public Cloud, Private Cloud, and Dedicated Cloud.
  • Public Cloud: This is the most straightforward and popular option, requiring no infrastructure maintenance or Site Reliability Engineering (SRE) overhead. It's ideal for teams seeking quick onboarding and minimal operational complexity.
  • Private Cloud: For organizations with specific privacy, security, or compliance requirements, the Private Cloud option allows W&B to run on your infrastructure, giving you control over your data and environment.
  • Dedicated Cloud: The Dedicated Cloud offers an isolated infrastructure for security-conscious companies, providing advanced security features and compliance capabilities while still minimizing the need for in-house infrastructure management.
Each of these deployment options is designed to align with different organizational requirements, ensuring flexibility and scalability.
Before we dig into the integration process, it's important to understand the types of applications that can benefit from W&B's features.
A common example is a single page application (SPA). SPAs are web applications or sites that interact with the user by dynamically rewriting the current page rather than loading entire new pages from the server. This approach makes SPAs highly responsive and capable of delivering a more fluid user experience. Mozilla Developer Network offers a comprehensive overview if you'd like more information on SPAs.
To streamline access and enhance security, W&B supports centralized authentication through federation with an enterprise identity provider.
This approach allows IT or platform administrators to control access, enforce password policies, and mandate multi-factor authentication (MFA), among other security measures. W&B natively supports OpenID Connect (OIDC) and Lightweight Directory Access Protocol (LDAP) for server deployment types. Additionally, for organizations with specific needs, W&B can also facilitate SAML integration.
We've mentioned it a few times, but let's take a moment to understand OpenID Connect (OIDC). OIDC is an authentication layer on top of OAuth 2.0, an authorization framework, that allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. OIDC is widely adopted for modern authentication scenarios, particularly for web and mobile applications. The OpenID Foundation provides extensive resources for a detailed understanding of OIDC.

Prerequisites

For the purposes of this configuration, you'll need two things:
  1. An active Azure AD instance
  2. Administrative access to both your Azure AD portal and your W&B account

Configuration Steps

First, head to https://portal.azure.com and search for "App Registration".

Click on "New Registration" and provide the following information:
  1. Name for your app
  2. Select the tenant/directory that matches your needs
  3. Redirect URL:
    1. "Single Page Application" (Note: this is very important!)
    2. URL: https://${WANDB_BASEURL}/oidc/callback

Ensure that you choose a Single-page application (SPA); otherwise, the SSO configuration won't work.
Once you register your application, you will be redirected to the App Registration overview.
The next step is to enable the OIDC authorization flows, so you need to click on "Authentication" and input the following information.
1. Logout: https://<WANDB URL>/logout (optional)
2. Check the "Access tokens (used for implicit flows)" and "ID tokens (used for implicit and hybrid flows)" (required)
You can see that below:


As an optional step, click on Branding and Properties to provide more information about the W&B application.
By default, the "App Registration" has the OIDC scopes required by W&B, so you don't need to worry about adding additional configuration.
The next step here is gathering information from your app in Azure and configuring W&B. W&B requires the "Client ID" and the "Issuer URL" to configure SSO. To find this information, follow these steps:
Click on Overview, then copy the "Application (client) ID." This is the "Client ID" required by W&B configuration.

Next, click on "Endpoints" and copy the "OpenID Connect metadata document." This is the Issuer URL required for the W&B configuration.

You may want to navigate to "Enterprise Applications" in the Azure Portal and, from there, grant "Users" or "Groups" access to this application. By default the whole directory has access to the Application.
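The Azure-side settings from the steps above (SPA redirect URI, implicit-flow token issuance, and who is allowed to sign in) can be checked against the app registration's Microsoft Graph representation. This Python check is an added example, not W&B or Microsoft code; the sample objects, the wandb.example.com host and the function name audit_registration are constructed for illustration.

```python
import json

# Constructed sample: trimmed Microsoft Graph "application" object for a
# hypothetical registration; the host and IDs are placeholders, not real data.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "spa": {"redirectUris": ["https://wandb.example.com/oidc/callback"]},
  "web": {
    "redirectUris": [],
    "implicitGrantSettings": {
      "enableAccessTokenIssuance": true,
      "enableIdTokenIssuance": true
    }
  }
}
""")
# Constructed "servicePrincipal" fragment (the Enterprise Application).
SAMPLE_SP = {"appRoleAssignmentRequired": False}


def audit_registration(app, service_principal, wandb_base_url):
    """Return findings; an empty list means the settings match the tutorial."""
    callback = wandb_base_url.rstrip("/") + "/oidc/callback"
    spa_uris = (app.get("spa") or {}).get("redirectUris") or []
    web = app.get("web") or {}
    web_uris = web.get("redirectUris") or []
    findings = []
    if callback not in spa_uris:
        if callback in web_uris:
            findings.append("callback registered as Web, not Single-page application")
        else:
            findings.append(f"missing SPA redirect URI {callback}")
    for uri in spa_uris + web_uris:
        # Wildcards or plain http widen where tokens can be delivered.
        if not uri.startswith("https://") or "*" in uri:
            findings.append(f"redirect URI is not an exact https URL: {uri}")
    grants = web.get("implicitGrantSettings") or {}
    for flag in ("enableIdTokenIssuance", "enableAccessTokenIssuance"):
        if not grants.get(flag):
            findings.append(f"{flag} is off")
    if not service_principal.get("appRoleAssignmentRequired"):
        findings.append("assignment not required: whole directory can sign in")
    return findings


if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, SAMPLE_SP, "https://wandb.example.com"):
        print(finding)
```

With the sample data the only finding is the open assignment setting, which corresponds to the default described above where the whole directory has access.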
To configure W&B, navigate to "System Settings" (https://${WANDB_BASEURL}/system-admin/) and enter the SSO data you gathered in the previous step:
  1. Switch "Enable SSO" on
  2. Enter the "OIDC Client ID" and "OIDC Issuer"
  3. Click "Update Settings" at the bottom of the page

It may take a few minutes for the new container to be created and SSO to be configured.
Once completed, you can log in, clear the browser cache and cookies, and test the authentication via SSO.

Conclusion

We hope this tutorial helps you integrate W&B with AzureAD. If you have any questions at all, please don't hesitate to contact support@wandb.com and we can help you out. Thanks for reading!