This documentation is for Dash Enterprise.
Groups are a convenient way for app owners to give app co-ownership or viewer access to many users at once. As an administrator, you can also use groups to assign roles to many users at once, but we strongly recommend assigning the licensed_user role to users directly.
If you have an external IdP that uses groups, you can map those to Keycloak to have them available in Dash Enterprise.
Prerequisite: Before mapping groups, you’ll need to have configured your IdP in Keycloak.
How to map groups varies depending on the IdP and protocol (LDAP, SAML, OIDC) you use.
Select the protocol for your IdP to get started:
SAML
To map your Microsoft Entra ID SAML groups:
Select the application you created when you configured your IdP for Keycloak.
Select Set up single sign on.
Select the type of groups you want to be available in Dash Enterprise.
For Source attribute select Group ID.
Optional: Under Advanced options, you can set up filters to limit the groups that Dash Enterprise will have access to. See the Group filtering section in Configure group claims for applications by using Microsoft Entra ID in the official Microsoft docs for more details.
Select Save. The Attributes & Claims page is displayed. Copy the claim name for groups. You’ll use this when configuring Keycloak.
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Select your Microsoft Entra ID SAML configuration.
Add an Attribute to Group Mapper:
Go to the Mappers tab and select Add mapper.
In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.
Set Sync Mode Override to inherit.
Set the Mapper Type to Attribute to Group Mapper.
In Attribute Name, paste the value copied from Azure in step 9. Leave Friendly Name blank.
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
If you have any users that are members of more than 150 groups, you’ll need to complete some additional steps. You’ll need to register a new application, add a client secret, configure permissions for Microsoft Graph, and grant admin consent in Microsoft Entra ID, so you can add an Azure Graph Link to Group Mapper in Keycloak. This is because Microsoft Entra ID responds with a groupLink rather than the group values in these situations, meaning an Azure Graph Link To Group Mapper is required.
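A quick way to tell which case applies to a given user, as an added example that is not part of the Dash Enterprise documentation: the function below inspects a decoded SAML assertion and reports whether group IDs arrived inline or only as a groups.link attribute. The groups claim name is Entra ID's default and an assumption here (use the claim name you copied in Azure); the sample assertions and the MAPPER_FOR table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"  # name given on this page
# Assumption: Entra ID's default SAML groups claim name; use the name you copied in Azure.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

MAPPER_FOR = {
    "values": "Attribute to Group Mapper",
    "link": "Azure Graph Link to Group Mapper",
    "none": None,  # no group claim emitted: recheck the groups claim in Azure
}

def group_claim_status(assertion_xml, groups_claim=GROUPS_CLAIM):
    """Return (mode, values) for a decoded SAML assertion.

    Diagnostic only: the signature is not verified, so never use the
    result for an access decision.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        vals = [v.text.strip() for v in attr.iter("{%s}AttributeValue" % SAML_NS)
                if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    if attrs.get(groups_claim):
        return "values", attrs[groups_claim]
    if attrs.get(GROUPS_LINK):
        return "link", attrs[GROUPS_LINK]
    return "none", []

def sample_assertion(name, values):  # builds constructed sample input
    vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>'
            '<saml:Attribute Name="%s">%s</saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion>' % (SAML_NS, name, vals))

# Constructed samples: a user in two groups, and a user over the 150-group limit.
INLINE = sample_assertion(GROUPS_CLAIM, ["11111111-aaaa-4bbb-8ccc-000000000001",
                                         "11111111-aaaa-4bbb-8ccc-000000000002"])
OVERAGE = sample_assertion(
    GROUPS_LINK, ["https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects"])

if __name__ == "__main__":
    for label, xml_doc in (("inline", INLINE), ("overage", OVERAGE)):
        mode, values = group_claim_status(xml_doc)
        print(label, "->", mode, "| mapper:", MAPPER_FOR[mode], "|", len(values), "value(s)")
```

A user whose assertion reports "link" gets no groups from the Attribute to Group Mapper alone, which is why the additional steps below are needed for those accounts.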
Register an Application
Register a new application on Azure.
Add a Client Secret
To add a client secret:
Configure Permissions for Microsoft Graph
To configure permissions for Microsoft Graph:
Go to Application permissions and select Group.Read.All and User.Read.All.
Select Add permissions.
Grant Admin Consent
https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<client-id> with the tenant ID and client ID from the overview page.
Add Azure Graph Link to Group Mapper in Keycloak
To add the Azure Graph Link to Group Mapper in Keycloak:
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Add an Azure Graph Link to Group Mapper:
From the Mappers tab, select Create.
Set the Mapper Type to Azure Graph Link to Group Mapper.
In Name, enter groupLink.
Set Sync Mode Override to inherit.
For Tenant ID, add the Tenant ID displayed on your app’s overview page in Azure.
For Client ID, add the Secret ID that was displayed when you created a client secret.
For Client Secret, add the Value that was displayed when you created a client secret.
For Attribute Name, enter http://schemas.microsoft.com/claims/groups.link
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
OIDC
To map your Microsoft Entra ID OIDC groups:
In the Azure portal, select App registrations.
Select the application you created when you configured your IdP for Keycloak.
Go to Token configuration.
Select Add groups claim.
Select the type of groups you want available in Dash Enterprise.
Under Customize token properties by type, select Group ID for both ID and Access.
We recommend using Group ID for the token property. You can use another property if you have access to it in your Azure instance.
Select Add. The Token configuration page is displayed. Copy the Claim for the groups claim.
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Select your Microsoft Entra ID OIDC configuration.
Add a Claim to Group Mapper:
Go to the Mappers tab and select Add mapper.
In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak for the mapper.
Set Sync Mode Override to inherit.
Set the Mapper Type to Claim to Group Mapper.
In Claim, paste the value copied from Azure in step 7.
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
LDAP
To map your Okta LDAP groups:
In Okta, go to Directory > Directory Integrations, select your LDAP Interface and copy the Group Base DN:
Log in to Keycloak at https://auth-<your-dash-enterprise-server> and go to User Federation.
If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
- Leave the remaining fields with their default values.
Select Save.
Optional: Perform a first sync of groups by selecting Sync LDAP Groups To Keycloak.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
SAML
To map your Okta SAML groups:
In Okta, go to the Applications page (Applications > Applications).
Select the application you created when you configured your IdP for Keycloak.
From the General tab, select Edit in the SAML settings section.
Go to Next and in the Group Attribute Statements section, for Name enter groups, for Filter select Matches regex and enter .* as the regex value. This returns all groups.
Go to Next and select Finish to save the group attribute.
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Select your Okta SAML configuration.
Add an Attribute to Group Mapper:
Go to the Mappers tab and select Add mapper.
In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.
Set Sync Mode Override to inherit.
Set the Mapper Type to Attribute to Group Mapper.
In Attribute Name, enter groups. This is the value added in Okta in step 4. Leave Friendly Name blank.
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
OIDC
To map your Okta OIDC groups:
In Okta, go to the Applications page (Applications > Applications).
Select the application you created when you configured your IdP for Keycloak.
From the Sign On tab, select Edit in the OpenID Connect ID Token panel.
Select Filter as the groups claim type.
For the groups claim filter fields, enter groups, select Matches regex and enter .* as the regex value. This returns all groups. For detail on other options, such as using expressions instead of filters, see the Okta documentation.
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Select your Okta OIDC configuration.
Add a Claim to Group Mapper:
Go to the Mappers tab and select Add mapper.
In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak for the mapper.
Set Sync Mode Override to inherit.
Set the Mapper Type to Claim to Group Mapper.
In Claim, enter groups. This is the groups claim name from Okta that you set in step 5.
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
Note: If you are using the Auth0 Authorization extension with SAML for groups, you can map those groups into Dash Enterprise with the following steps. OIDC is not currently supported.
SAML
To map your Auth0 Authorization SAML groups:
In Auth0, go to the Applications page (Applications > Applications).
Select the application you created when you configured your IdP for Keycloak.
Go to Addons and select SAML2 Web App.
Go to the Settings tab and copy the value for “groups”.
Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
Select your Auth0 SAML configuration.
Add an Attribute to Group Mapper:
Go to the Mappers tab and select Add mapper.
In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.
Set Sync Mode Override to inherit.
Set the Mapper Type to Attribute to Group Mapper.
In Attribute Name, paste the value copied from Auth0 in step 4. Leave Friendly Name blank.
Set Create groups if not exists to On.
Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
Select Save.
The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
Once a group is mapped from your IdP and a member of the group has logged in to Dash Enterprise (SAML and OIDC), or you’ve synced the groups (LDAP), you’ll see that group listed on the Groups page.
To view group details, select the group. Members displays the group members. Role mapping is where you can assign and unassign roles to all the group members at once. See Assigning Roles for more information on roles.
App owners can now use groups to control app co-ownership and viewer access in the Dash Enterprise App Manager.