Enable SSO Access to Azure Resources Using Delegation
In MATLAB® Online Server™, end users can run MATLAB functions to access data stored remotely in Azure® Blob Storage resources. These functions require end users to acquire their Azure credentials in advance. Otherwise, MATLAB returns an error. You can provide MATLAB Online Server with delegated access to Azure. With Azure delegation enabled, the server acquires credentials for end users as soon as they sign in to MATLAB Online™ using their single sign-on (SSO) credentials, giving them immediate access to their remote resources.
Limitations
MATLAB Online Server supports delegation only for Azure Blob Storage resources. Delegation for other storage resources, such as Azure Data Lake, Azure File Storage, or Azure Key Vault, is not supported.
Prerequisites
You are using an OAuth 2.0 and OpenID Connect (OIDC) identity provider to authenticate user access, and you configured this access using the Microsoft® Authentication Library (MSAL) method in MATLAB Online Server. For more details, see MSAL Authentication in MATLAB Online Server.
You have a storage account under the same account as the identity provider. This account must have blob containers available and the following Identity Access Management (IAM) roles assigned:
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Delegator
For more details, see Assign permissions with RBAC (Azure).
Configure Authentication Service to Support Azure Delegation
Enable Azure delegation in the MATLAB Online Server authentication service by setting the appropriate values in the authnz.yaml file. The file is located at this path.
<server-root>/overrides/<cluster-name>/<namespace-name>/authnz.yaml
<server-root> is the MATLAB Online Server installation folder. <cluster-name> is the name of the Kubernetes® cluster. <namespace-name> is the namespace of the MATLAB Online Server deployment.
Sample path:
~/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yaml
Under identityProviders, within the msal section, add a delegation subsection with this structure.
```yaml
identityProviders:
  - id: "msal"
    type: "msal"
    # Standard MSAL Configuration
    ...
    delegation:
      azure:
        storage:
          blob:
            storageAccount: "<storage account name>"
            containerName: "<container name>"
            sasLifeTime: 8
            sasPermission: "racwdli"
            signedResource: "c"
            signedDirectoryDepth: "5"
            signedIP: ""
```
For details on the standard MSAL configuration, see MSAL Authentication in MATLAB Online Server.
In the storage section, under blob, configure these required fields.
Field | Description
---|---
storageAccount | Name of Azure storage account.
containerName | Name of Azure blob container.
Optionally, configure these fields to specify how to generate the shared access signature (SAS) token required for accessing Azure resources. For complete details on these fields, see Create a user delegation SAS (Microsoft).
Field | Description
---|---
sasLifeTime | Duration, in hours, of the SAS token. Default:
sasPermission | User permissions for the blob token. Default:
signedResource | User permissions for the resource. Default:
signedDirectoryDepth | Maximum directory depth of resources. This field applies only when signedResource selects a directory. Default:
signedIP | Range of IP addresses that can use the SAS token for blob access. Default:
Not all storage configurations from Azure are available in MATLAB Online Server. If you require additional configuration options, contact support.
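The SAS fields above decide how much a delegated user can do with a container and for how long, so they deserve a pre-deployment check. The validator below is an added example, not code from MATLAB Online Server or MathWorks; it works on a Python dict that mirrors the blob subsection of authnz.yaml (a real deployment would load the file with a YAML parser first). The permission letters, signedResource codes and 7-day ceiling it enforces are the ones Azure documents for user delegation SAS tokens; the storage account and container names in the sample are constructed placeholders.

```python
"""Check the azure.storage.blob delegation block before deploying authnz.yaml."""
import ipaddress
from typing import Any, Dict, List

# Permission letters Azure accepts in a blob SAS (read, add, create, write, delete,
# delete version, permanent delete, list, tags, move, execute, ownership, permissions,
# set immutability policy).
VALID_PERMISSIONS = set("racwdxyltmeopi")
# Letters that let the holder destroy data; flag them so least privilege is a deliberate choice.
DESTRUCTIVE_PERMISSIONS = set("dxy")
# signedResource codes: blob, blob version, blob snapshot, container, directory.
VALID_SIGNED_RESOURCES = {"b", "bv", "bs", "c", "d"}
# Azure user delegation keys are valid for at most 7 days, so a longer SAS cannot be honored.
MAX_USER_DELEGATION_HOURS = 7 * 24


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_blob_delegation(blob: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for one blob delegation block."""
    errors: List[str] = []
    warnings: List[str] = []

    # Required names must be present and must not still be the "<...>" placeholders.
    for field in ("storageAccount", "containerName"):
        value = blob.get(field)
        if not isinstance(value, str) or not value.strip() or value.startswith("<"):
            errors.append(f"{field} is required and must be a real name, got {value!r}")

    if "sasLifeTime" in blob:
        hours = blob["sasLifeTime"]
        if isinstance(hours, bool) or not isinstance(hours, (int, float)) or hours <= 0:
            errors.append(f"sasLifeTime must be a positive number of hours, got {hours!r}")
        elif hours > MAX_USER_DELEGATION_HOURS:
            errors.append(f"sasLifeTime {hours}h exceeds the 7-day limit on user delegation keys")

    if "sasPermission" in blob:
        perms = str(blob["sasPermission"])
        unknown = sorted(set(perms) - VALID_PERMISSIONS)
        if unknown:
            errors.append(f"sasPermission has unknown letters {unknown}")
        destructive = sorted(set(perms) & DESTRUCTIVE_PERMISSIONS)
        if destructive:
            warnings.append(f"sasPermission grants destructive rights {destructive}; confirm users need them")

    resource = blob.get("signedResource")
    if resource is not None and resource not in VALID_SIGNED_RESOURCES:
        errors.append(f"signedResource must be one of {sorted(VALID_SIGNED_RESOURCES)}, got {resource!r}")

    depth = blob.get("signedDirectoryDepth")
    if resource == "d" and depth is None:
        errors.append("signedDirectoryDepth is required when signedResource is 'd'")
    elif depth is not None:
        if not str(depth).isdigit():
            errors.append(f"signedDirectoryDepth must be a non-negative integer, got {depth!r}")
        if resource != "d":
            warnings.append("signedDirectoryDepth is ignored unless signedResource is 'd'")

    ip = blob.get("signedIP")
    if ip is not None:
        if ip == "":
            warnings.append("signedIP is empty, so issued SAS tokens are usable from any address")
        else:
            parts = ip.split("-")  # single IPv4 address or "start-end" range
            if len(parts) > 2 or not all(_is_ipv4(p) for p in parts):
                errors.append(f"signedIP must be an IPv4 address or 'start-end' range, got {ip!r}")
            elif len(parts) == 2 and ipaddress.IPv4Address(parts[0]) > ipaddress.IPv4Address(parts[1]):
                errors.append(f"signedIP range {ip!r} has start above end")

    return {"errors": errors, "warnings": warnings}


# Constructed sample mirroring the delegation block shown on this page; the account and
# container names are placeholders, not real Azure resources.
SAMPLE_BLOB_CONFIG = {
    "storageAccount": "examplestorageacct",
    "containerName": "matlab-data",
    "sasLifeTime": 8,
    "sasPermission": "racwdli",
    "signedResource": "c",
    "signedDirectoryDepth": "5",
    "signedIP": "",
}

if __name__ == "__main__":
    result = validate_blob_delegation(SAMPLE_BLOB_CONFIG)
    for level in ("errors", "warnings"):
        for message in result[level]:
            print(f"{level[:-1]}: {message}")
```

Run against the page's sample values, the check reports no errors but three warnings: the permission string includes delete, signedDirectoryDepth is set although the signed resource is a container, and the empty signedIP leaves tokens usable from anywhere. Whether each of those is acceptable is a deployment decision; the point is that it is made knowingly.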
Deploy Kubernetes Secret for User Credentials
To delegate SSO user access to remotely stored resources, MATLAB Online Server transmits user credentials between services in the Kubernetes cluster. Encrypt these credentials by storing them in a Kubernetes secret object and deploying the object to the cluster.
Note
If you already deployed a Kubernetes secret object for user credentials to the cluster, proceed to the next section.
Generate a random base64-encoded string that the cluster can use to encrypt the user credentials. For example, this Linux® bash script generates a random 32-character alphanumeric string and prints both the string and its base64 encoding.
```bash
#!/bin/bash
# Draw random bytes from the kernel CSPRNG, keep only alphanumerics, and take the first 32-character line
SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
echo "$SECRET"
# Base64 form of the same string
echo -n "$SECRET" | base64
```
Create a file named credentials-secret.yaml and copy in the fields shown. For the credentials-secret field, replace <secret string> with the string you generated in the previous step. Save the file in any location on the Kubernetes cluster.
credentials-secret.yaml
```yaml
apiVersion: "v1"
kind: "Secret"
metadata:
  name: "credentials-secret"
data:
  credentials-secret: "<secret string>"
```
Deploy the secret to the Kubernetes cluster. Replace <namespace-name> with your MATLAB Online Server namespace.
```bash
kubectl apply -f credentials-secret.yaml --namespace <namespace-name>
```
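A Kubernetes Secret's data field holds base64, and a 32-character alphanumeric string happens to be valid base64 as well, so pasting the raw string instead of its encoding is accepted by kubectl and silently stored as different bytes. The script below is an added example, not MathWorks code: it generates the secret with the OS CSPRNG, renders the manifest from this page with the value already encoded, and decodes the stored value back so you can confirm it matches before deploying. The secret name is the one the page uses; the helper names are this example's own.

```python
"""Render credentials-secret.yaml with a base64-encoded value and verify the round trip."""
import base64
import re
import secrets
import string

# Same alphabet as the page's bash script (tr -dc 'a-zA-Z0-9').
ALPHABET = string.ascii_letters + string.digits


def generate_secret_string(length: int = 32) -> str:
    """Random alphanumeric string drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_secret_manifest(secret_string: str, name: str = "credentials-secret") -> str:
    """Render the Secret manifest shown on this page with the data value base64-encoded.

    The raw string must not be pasted into data: a 32-char alphanumeric value decodes as
    base64 without error, so kubectl would store garbage rather than reject it.
    """
    if not secret_string or any(ch not in ALPHABET for ch in secret_string):
        raise ValueError("secret string must be non-empty and alphanumeric (placeholder left in?)")
    encoded = base64.b64encode(secret_string.encode("ascii")).decode("ascii")
    return (
        'apiVersion: "v1"\n'
        'kind: "Secret"\n'
        "metadata:\n"
        f'  name: "{name}"\n'
        "data:\n"
        f'  {name}: "{encoded}"\n'
    )


# Matches indented `key: "value"` lines in the rendered manifest (this example's own format).
_DATA_LINE = re.compile(r'^[ \t]+(?P<key>[\w.-]+):[ \t]*"(?P<value>[^"]*)"[ \t]*$', re.MULTILINE)


def recover_secret(manifest: str, name: str = "credentials-secret") -> str:
    """Decode the stored value, as `kubectl get secret ... -o jsonpath | base64 -d` would,
    so the manifest can be checked against the generated string before kubectl apply."""
    for match in _DATA_LINE.finditer(manifest):
        if match.group("key") == name:
            return base64.b64decode(match.group("value"), validate=True).decode("ascii")
    raise KeyError(f"no data entry named {name!r}")


if __name__ == "__main__":
    secret = generate_secret_string()
    manifest = build_secret_manifest(secret)
    assert recover_secret(manifest) == secret
    print(manifest)
```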
Enable Azure Support on Server
Enable Azure support across all services by setting the appropriate values in the all.yaml file. The file is located at this path.
<server-root>/overrides/<cluster-name>/<namespace-name>/all.yaml
In the global section, add a delegation section with this structure.
```yaml
global:
  tls:
    enabled: true
  delegation:
    providers:
      - type: "azure"
        enabled: true
        secretFile:
          mountPath: "/etc/credentials-secret-volume/"
          name: "credentials-secret"
```
Configure these fields.
Field | Required or Optional | Description
---|---|---
providers | Required | Delegation provider. To enable Azure delegation,
secretFile | Optional | Full path to the secret file used for securely transmitting Azure credentials within the MATLAB Online Server cluster. If you do not change the default values, then you can omit the
Deploy Changes to Server
To apply your changes, undeploy and redeploy the server.
```bash
./mosadm undeploy
./mosadm deploy
```
These changes take effect for each user the next time they sign in to MATLAB Online with their single sign-on credentials.
For an example of how end users can access their remote data, see Work with Remote Data. When delegation is enabled, end users do not have to follow the instructions on setting up access and setting environment variables for their credentials.