Active Directory (AD) SSO
The on-premises data gateway supports Active Directory (AD) SSO for connecting to your on-premises data sources that have Active Directory configured. AD SSO includes both Kerberos constrained delegation and Security Assertion Markup Language (SAML). For more information on SSO and the list of data sources supported for AD SSO, see Overview of single sign-on (SSO) for on-premises data gateways in Power BI.
Query steps when running Active Directory SSO
A query that runs with SSO consists of three steps, as shown in the following diagram.
Here are more details about each step:
The Power BI service includes the user principal name (UPN) for each query. The UPN is the fully qualified username of the user currently signed in to the Power BI service when the query request is sent to the configured gateway.
The gateway must map the Microsoft Entra UPN to a local Active Directory identity:
a. If Microsoft Entra DirSync (also known as Microsoft Entra Connect) is configured, then the mapping works automatically in the gateway. b. Otherwise, the gateway can look up and map the Microsoft Entra UPN to a local AD user by performing a lookup against the local Active Directory domain.
The gateway service process impersonates the mapped local user, opens the connection to the underlying database, and then sends the query. You don't need to install the gateway on the same machine as the database.
Related content
Now that you understand the basics of enabling SSO through the gateway, read more detailed information about Kerberos and SAML: