Overview of single sign-on (SSO) for on-premises data gateways in Power BI
You can get seamless single sign-on connectivity, enabling Power BI reports and dashboards to update in real time by configuring your on-premises data gateway. You have the option of configuring your gateway with
- Active Directory (AD) SSO, which includes:
- Azure Active Directory (Azure AD) SSO.
SSO is only supported by Power BI datasets and not by Power BI dataflows.
AD SSO is usually configured for on-premises data sources which are secured within your on-premises network, while Azure AD SSO is configured for data sources that support Azure Active Directory authentication (typically cloud data sources) secured behind an Azure Virtual Network.
Power BI supports the following data sources:
- SQL Server (Kerberos)
- SAP HANA (Kerberos and SAML)
- SAP BW Application Server (Kerberos)
- SAP BW Message Server (Kerberos)
- Oracle (Kerberos)
- Teradata (Kerberos)
- Spark (Kerberos)
- Impala (Kerberos)
- Denodo (Kerberos)
- Azure Synapse Analytics (Azure AD)
- Azure SQL (Azure AD)
- Azure Data Explorer (Azure AD)
- Snowflake (Azure AD)
- Amazon Redshift (Azure AD)
- Hive LLAP (Kerberos)
- Tibco Data Virtualization (Kerberos)
When a user interacts with a DirectQuery report in the Power BI Service, each cross-filter, slice, sort, and report editing operation can result in queries that execute live against the underlying data source. When you configure SSO for the data source, queries execute under the identity of the user that interacts with Power BI (that is, through the web experience or Power BI mobile apps). Therefore, each user sees precisely the data for which they have permissions in the underlying data source.
You can also configure a report which is set up for refresh in the Power BI Service to use SSO. When you configure SSO for this data source, queries execute under the identity of the dataset owner within Power BI. Therefore, the refresh happens based on the dataset owner's permissions on the underlying data source. Refresh using SSO is currently enabled only for data sources using Kerberos constrained delegation
Now that you understand the basics of enabling SSO through the gateway, read more detailed information about Kerberos and SAML: