Versions Compared

Old Version 2

changes.mady.by.user Nadja Pollard

Saved on

compared with

New Version Current

changes.mady.by.user Nadja Pollard

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Connect to the SQL Diagnostic Manager Repository with the OIDC Authentication Method.

Prerequisites

  • Have Okta or Entra ID OIDC provider credentials.
  • The OIDC callback URL should be configured as http://localhost:5000/callback/
    • In Okta, configure Allowed Callback URLs as  http://localhost:5000/callback/
    • In Entra ID, configure Redirect URLs as  http://localhost:5000/callback/

Setting the OIDC callback URL for SQL DM Desktop

The OIDC callback URL for the Desktop Client is stored in the user.config file. Although it defaults to http://localhost:5000/callback/, the user can change it to any localhost URL, provided the same URL is included in the list of Allowed Callback URLs. Changes take effect after relaunching the application, which is helpful if port 5000 is already in use on a particular machine.  

Setting the OIDC callback URL for SQL DM Web Console

Configure the OIDC callback URL for SQLDM Web Console as https://[machine_name]:9295/callback/. The base of the callback URL must be the same as it was shown in the Web Console during the last step of the installer (but https).

Set your OIDC credentials

Use the OIDC Settings window to specify the OIDC credentials for when you want to enable OIDC authentication. Once specified, the credentials take effect for all Desktop Clients and Web Consoles connecting to the same SQL DM Repository.

To set your OIDC credentials

  1. Access the OIDC Settings window by selecting Image Added > OIDC Settings from the SQL Diagnostic Manager toolbar.
  2. Assign the OpenID Connect Provider. It can be a nickname for your Okta or Entra ID.
  3. Insert the Authority URL provided by the OIDC provider. It is the endpoint where the authentication process starts, typically in the format of https://login.provider.com/....
  4. Insert your Client ID (unique identifier) for the application registered with the OIDC provider.
  5. Insert your Client secret credential from the provider.
    Info
    Find your Okta or Entra ID credentials.
  6. Click Login to initiate the OIDC log in.
    • A web browser appears where you have to authenticate against the OIDC provider.
      • On valid authentication, a success message appears.
      • If the authentication fails, an unsuccessful message appears.
      • The Authentication status label displays in the wizard whether the user is Authenticated or Not Authenticated.
  7. Click Logout to log out from the current OIDC session. It clears any stored tokens or session data.
    Info
    You can log out whenever you want from the same wizard. 
  8. Click OK to save your changes in the Repository and Management Service Settings wizard.
    Tip
    • If the token expires, the next time you login, a new token is generated automatically.
    • If the authorized session is revoked by the provider, the Authentication Failed message appears, requiring you to authenticate again.

For more information, visit Okta or Entra ID.


Please note that when employing Entra ID authentication while adding a new server to SQL Diagnostic Manager, you must select or configure an Azure Profile.

Info

Components of Azure Profile are responsible for building a valid connection.

What are the service account requirements?

First of all, review the following information regarding your account requirements and ensure you meet them.

Account Permissions

The minimum permission required for Azure SQL Database is Microsoft Entra admin configured in Entra ID service principal so that full access is available for monitoring.

However, you must grant the Azure SQL Database permissions to read the Microsoft Entra ID. For more information regarding this matter, please refer to the Azure portal section of the Authorize server and database access using logins and user accounts article.

Multi-Factor Authentication

Connecting SQL Diagnostic Manager to your environment does not support service accounts requiring Multi-Factor Authentication (MFA), as continuous connection is required for service collection accounts. 
It is recommended to use generalized service accounts for configuring connection credentials rather than accounts directly linked to users. 

Info

For environments that require MFA for Entra ID users, a service account can be excluded from the MFA requirement by using an exclusion for conditional access. For guidance on how to set up exclusions for MFA, review the Use access reviews to manage users excluded from Conditional Access Policies article on Microsoft Docs.

Firewall

Keep in mind that the Microsoft Azure SQL Database is protected by a firewall, safeguarding access to your data when you create a new Azure Database. For more information on Azure SQL Firewall and how to configure it, please refer to this Microsoft documentation.
That is why it is important to allowlist the IP address of the server hosting the SQL Diagnostic Manager monitoring service via the Azure Portal.

How to select an Azure Profile?

Select your Azure Profile by following the next steps:

  1. Click the Azure Discovery Settings button.
  2. In case you have already created an Azure profile, select it from the Select an Azure Profile dropdown. Otherwise, create a new one.
    Image Removed
  3. Click OK to save your configuration.
  4. Select a server to monitor.
  5. Select the instances to monitor.

...

Create a new Azure profile by clicking Manage Azure Profile from the Azure Application Configuration wizard.

When the Azure Profiles Configuration Wizard opens, you have two sections:

  • The Application Profile adds a new profile and manages the existing profile.
  • The Azure Linked Profile indicates which Azure profile is linked with which server instance. You can also manipulate this mapping using the View/Edit and Delete buttons.

To add a new Azure profile, please follow the steps below:

  1. Click the New button in the Application Profiles section.
    Image Removed
  2. Choose a Profile Name and Description for your Azure profile from the Azure Application Profile wizard.
    Image Removed
  3. Select an Azure Subscription from the subscription dropdown, otherwise, click New and complete the following fields with the application information:
    1. Subscription ID*
    2. Description
      Image Removed
      Info

      (*) This information is mandatory. To get it from your application, follow the steps outlined in the How to get Azure Profile components? section.

  4. Click OK to save your Subscription information.
  5. Select an Azure Application from the application dropdown, otherwise, click New and complete the following fields with the application information:
    1. Application name
    2. Tenant ID*
    3. Client ID* 
    4. Secret value*
    5. Description of the Azure application
      Image Removed
      Info

      (*) This information is mandatory. To get it from your application, follow the steps outlined in the How to get Azure Profile components? section.

  6. Click OK to save your Subscription information. Review all your information. When you finish, the wizard should look like this image.
    Image Removed
  7. Click OK to save your Azure Application Profile.
  8. Click Close to close the Azure Profiles Configuration wizard.
  9. In the Azure Application configuration, select the Azure Profile you just created from the Select Azure Profile dropdown.
    Image Removed
  10. Select the instances to monitor.

...

If you do not know how to obtain your application information, such as your subscription ID, tenant ID, client ID, and secret value, we have outlined the following steps to get them.

Get your Subscription ID

  1. Log in to the Azure Portal.
  2. Get the Subscription ID by searching Subscriptions in the search bar.
  3. Copy and save the Subscription ID in a notepad or secure file.
    Image Removed

Get your Tenant ID

  1. Log in to the Azure Portal.
  2. Select the Microsoft Entra ID service.
    Image Removed
  3. Copy and save the Tenant ID from the Overview tab.
    Image Removed

Get your Client ID and Secret Value

  1. Log in to the Azure Portal.
  2. Select the Microsoft Entra ID service.
    Image Removed

  3. Navigate to the Manage node from the left side menu and select App Registration.

  4. After the creation of the app, we need to apply the Reader role to the app under Subscription > IAM > Role Assignment.
    Image Removed

  5. If you have already created your Owned App, select it, and the Overview page will display the Client ID.
    Image Removed

  6. Copy and save it.

  7. Click the secret hyperlink to obtain your Secret value if you have already created it. In case you need a secret value, you can create a new one.

  8. Copy and save your Secret Value.
    Image Removed

  9. Otherwise, you can create a new one.

...

In case you do not have the Secret ID or you have lost it, follow the steps below: 

  1. Navigate through the Manage node to the Certificates & secrets option from the Overview tab of your Owned App.
  2. Click the New client secret option.
    Image Removed
  3. Choose a description, select an expiration time from the dropdown menu, and click Add.
  4. Copy and save the Secret ID.
    Image Removed
Scroll pdf ignore
Newtabfooter
aliasIDERA
urlhttp://www.idera.com
 
Newtabfooter
aliasProducts
urlhttps://www.idera.com/productssolutions/sqlserver
 
Newtabfooter
aliasPurchase
urlhttps://www.idera.com/buynow/onlinestore
 | 
Newtabfooter
aliasSupport
urlhttps://idera.secure.force.com/
 | 
Newtabfooter
aliasCommunity
urlhttp://community.idera.com
 | 
Newtabfooter
aliasResources
urlhttp://www.idera.com/resourcecentral
 | 
Newtabfooter
aliasAbout Us
urlhttp://www.idera.com/about/aboutus
 | 
Newtabfooter
aliasLegal
urlhttps://www.idera.com/legal/termsofuse