Single Sign-On (SSO) Integration¶
The FAB Auth Manager supports Single Sign-On (SSO) through OAuth2 providers. This guide shows how to configure SSO with various OAuth2 providers such as Google, Okta, Azure Entra ID, and others.
This guide shows how to configure SSO with the FAB Auth Manager using a generic OAuth2 provider. The process is similar for providers such as Okta, Azure Entra ID, Google, or Auth0.
Prerequisites¶
- Apache Airflow installed and running with FAB Auth Manager 
- Access to an OAuth2 SSO provider (e.g., Google, Okta, Auth0, Azure Entra ID) 
- Admin access to Airflow and your SSO provider 
Note
For provider-specific authentication setup (obtaining client IDs, secrets, etc.), refer to the relevant provider documentation:
- Google: Google OpenID authentication and Google Cloud Connection 
- Microsoft Azure: Microsoft Azure Connection 
Configuration Steps¶
- Enable the FAB Auth Manager - Add the following to your - airflow.cfg(or set as env var):- [webserver] auth_manager = airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager - This replaces the default - SimpleAuthManager.
- Install Required Packages - If not already installed, ensure the FAB provider is available: - pip install 'apache-airflow-providers-fab' - Note - The FAB Auth Manager provider is not installed by default in Airflow 3. You must install it explicitly to use OAuth2-based SSO. 
- Configure OAuth2 Provider - FAB Auth Manager reads provider configuration from the - [fab]section of- airflow.cfgor from environment variables.- Option A: Environment Variables (Recommended) - export AIRFLOW__FAB__OAUTH_PROVIDERS='[{ "name": "generic", "icon": "fa-circle", "token_key": "access_token", "remote_app": { "client_id": "your-client-id", "client_secret": "your-client-secret", "api_base_url": "https://provider.com/oauth/", "request_token_url": null, "access_token_url": "https://provider.com/oauth/token", "authorize_url": "https://provider.com/oauth/authorize" } }]' - Option B: Configuration File - Add to your - airflow.cfg:- [fab] oauth_providers = [ { "name": "generic", "icon": "fa-circle", "token_key": "access_token", "remote_app": { "client_id": "your-client-id", "client_secret": "your-client-secret", "api_base_url": "https://provider.com/oauth/", "request_token_url": null, "access_token_url": "https://provider.com/oauth/token", "authorize_url": "https://provider.com/oauth/authorize" } } ] - Adjust these values according to your provider’s documentation. 
- Restart Airflow Webserver - airflow webserver --reload 
- Test SSO Login - Open the Airflow UI. You should see a login option for your SSO provider. 
Provider Examples¶
Okta
export AIRFLOW__FAB__OAUTH_PROVIDERS='[{
   "name": "okta",
   "icon": "fa-circle",
   "token_key": "access_token",
   "remote_app": {
     "client_id": "your-client-id",
     "client_secret": "your-client-secret",
     "api_base_url": "https://your-org.okta.com/oauth2/default",
     "request_token_url": null,
     "access_token_url": "https://your-org.okta.com/oauth2/default/v1/token",
     "authorize_url": "https://your-org.okta.com/oauth2/default/v1/authorize"
   }
}]'
See also
For detailed Okta setup instructions, see the Okta OAuth2 documentation.
Azure Entra ID (Azure AD)
export AIRFLOW__FAB__OAUTH_PROVIDERS='[{
   "name": "azure",
   "icon": "fa-circle",
   "token_key": "access_token",
   "remote_app": {
     "client_id": "your-client-id",
     "client_secret": "your-client-secret",
     "api_base_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/",
     "request_token_url": null,
     "access_token_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
     "authorize_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
     "client_kwargs": {
       "scope": "openid email profile"
     }
   }
}]'
See also
For Azure app registration and OAuth setup, see Microsoft Azure Connection and the Azure OAuth2 documentation.
Google OAuth2
export AIRFLOW__FAB__OAUTH_PROVIDERS='[{
   "name": "google",
   "icon": "fa-google",
   "token_key": "access_token",
   "remote_app": {
     "client_id": "your-client-id.googleusercontent.com",
     "client_secret": "your-client-secret",
     "api_base_url": "https://www.googleapis.com/oauth2/v2/",
     "request_token_url": null,
     "access_token_url": "https://oauth2.googleapis.com/token",
     "authorize_url": "https://accounts.google.com/o/oauth2/auth",
     "client_kwargs": {
       "scope": "openid email profile"
     }
   }
}]'
See also
For Google OAuth setup and credential configuration, see Google Cloud Connection and Google OpenID authentication.
Troubleshooting¶
Common Issues
- Authentication fails after configuration: - Check Airflow and webserver logs for detailed error messages 
- Ensure all environment variables are set and exported correctly 
- Verify callback URLs in your SSO provider match your Airflow webserver URL (typically - http://your-airflow-domain/oauth-authorized)
 
- Redirect URI mismatch: - In your OAuth provider, set the redirect URI to: - http://your-airflow-domain/oauth-authorized
- For development, this might be: - http://localhost:8080/oauth-authorized
 
- Scope-related errors: - Confirm that scopes ( - openid email profileor similar) are allowed in your OAuth provider
- Some providers require specific scopes to be explicitly configured 
 
- Token validation errors: - Ensure your OAuth provider’s clock is synchronized 
- Check if your client secret matches exactly (no extra spaces/characters) 
 
- User creation issues: - FAB Auth Manager creates users automatically on first login 
- Check if your OAuth provider returns the expected user information fields 
 
References¶
Note
This example uses the Flask AppBuilder Auth Manager. If you use a different authentication manager, configuration may differ.