TVL Managed Superset

Configure SSO OIDC on Apache Superset

Tutorial to configure OIDC authentication on Apache Superset: Keycloak, Auth0, Okta, Google. Step-by-step.

SSO OIDC has become the modern authentication standard. Apache Superset natively supports OIDC via Flask-AppBuilder. This guide details the configuration with the main providers (Keycloak, Auth0, Okta, Google) in 2026.

1. Why OIDC?

  • Centralized deprovisioning: a leaving employee loses access everywhere immediately;
  • Centralized MFA on the IdP;
  • Unified login audit;
  • No password to manage in Superset.

If you want pre-configured SSO, TVL Managed Superset integrates OIDC via managed Keycloak by default on Pro+ instances.

2. IdP prerequisites

  • An OIDC-compatible IdP (Keycloak, Auth0, Okta, Google Workspace, Microsoft Entra ID);
  • An OIDC client created with:
    • Type: web app or regular web;
    • Redirect URI: https://superset.example.com/oauth-authorized/oidc;
    • Scopes: openid email profile.

3. Superset configuration

In superset_config.py:

import os

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
    {
        "name": "oidc",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": os.environ["OIDC_CLIENT_ID"],
            "client_secret": os.environ["OIDC_CLIENT_SECRET"],
            "server_metadata_url": os.environ["OIDC_DISCOVERY_URL"],
            "client_kwargs": {"scope": "openid email profile"},
        },
    }
]

# Automatic account creation on first login
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"

# Mapping roles from OIDC claims
AUTH_ROLES_MAPPING = {
    "superset_admin":  ["Admin"],
    "superset_alpha":  ["Alpha"],
    "superset_gamma":  ["Gamma"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True

4. Keycloak-specific configuration

Discovery URL:

OIDC_DISCOVERY_URL = "https://idp.example.com/realms/myrealm/.well-known/openid-configuration"

On the Keycloak side, create a superset client in OpenID Connect mode, with valid redirect URIs and web origins.

5. Auth0 configuration

OIDC_DISCOVERY_URL = "https://<tenant>.auth0.com/.well-known/openid-configuration"

Auth0 → Applications → Create Application → Regular Web App. Copy client_id and client_secret.

6. Google Workspace configuration

OIDC_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"

Google Cloud Console → APIs & Services → Credentials → Create OAuth client ID. An authorized redirect URI is mandatory.

7. Microsoft Entra ID (Azure AD) configuration

OIDC_DISCOVERY_URL = "https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration"

Entra Admin → App registrations → New registration → Single tenant (or multi-tenant if SaaS). Add a client secret.

8. Role mapping

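The AUTH_ROLES_MAPPING mechanism maps IdP groups to Superset roles. The IdP must send a groups or roles claim in the access token. On the Superset side, use a userinfo getter to retrieve it:

# To take effect, this getter must be the oauth_user_info method of a
# SupersetSecurityManager subclass registered via CUSTOM_SECURITY_MANAGER.
# Assumption: 'response' holds the claims returned by the IdP.
def custom_userinfo(self, provider, response):
    # 'roles' comes from the claim returned by the IdP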
    return {
        "username": response.get("preferred_username"),
        "email": response.get("email"),
        "first_name": response.get("given_name"),
        "last_name": response.get("family_name"),
        "role_keys": response.get("roles", []),
    }

USER_INFO_EDIT_DISABLED = True

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

9. Security

  • Disable local login in production: AUTH_TYPE = AUTH_OAUTH without fallback;
  • MFA enforced on the IdP, not on Superset;
  • Session timeout aligned with IdP policy: PERMANENT_SESSION_LIFETIME = timedelta(hours=8);
  • HTTPS mandatory: OIDC only works with an HTTPS callback in production.

10. Test

  1. Redeploy Superset with the new config;
  2. Go to https://superset.example.com/login;
  3. Click the Sign in with OIDC button;
  4. Authenticate on the IdP;
  5. You are redirected to Superset and the account is created automatically.

11. Common pitfalls

  • Redirect URI mismatch: any difference (slash, http vs https, www) blocks the redirect;
  • Missing scope: without email, Superset can't create the account;
  • Missing groups claim: add it manually in the IdP configuration;
  • Cross-site cookies blocked: align the callback domain with Superset's;
  • Persistent local session: Superset doesn't disconnect the IdP; configure single logout on the IdP side.
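
A pre-deployment check for the redirect URI, scope and claim pitfalls listed above, plus the HTTPS requirement from section 9. It is an added example, not code from Superset or TVL. The function name check_oidc_setup, the finding labels and the sample discovery document are constructed for illustration; scopes_supported and claims_supported are optional fields of the OIDC discovery document.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from a real IdP): a trimmed discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/realms/myrealm",
    "authorization_endpoint": "https://idp.example.com/realms/myrealm/auth",
    "token_endpoint": "https://idp.example.com/realms/myrealm/token",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "preferred_username"],
}

def check_oidc_setup(discovery, registered_redirects, base_url,
                     provider="oidc", scopes="openid email profile",
                     role_claim="roles"):
    """Return a list of findings; an empty list means no pitfall was detected."""
    findings = []
    # Callback path as given in the guide: /oauth-authorized/<provider name>.
    callback = base_url.rstrip("/") + "/oauth-authorized/" + provider

    # Pitfall: redirect URI mismatch (slash, scheme, www), compared exactly.
    if callback not in registered_redirects:
        findings.append(f"redirect-uri-mismatch: {callback} is not registered")

    # Section 9: HTTPS for the callback and for every IdP endpoint.
    urls = {"callback": callback}
    urls.update({k: v for k, v in discovery.items() if isinstance(v, str)
                 and (k == "issuer" or k.endswith(("_endpoint", "_uri")))})
    for name, url in urls.items():
        if urlsplit(url).scheme != "https":
            findings.append(f"not-https: {name}")

    # Pitfall: missing scope (without email the account cannot be created).
    requested = set(scopes.split())
    for scope in sorted({"openid", "email"} - requested):
        findings.append(f"missing-scope: {scope} is not requested")
    supported = discovery.get("scopes_supported")
    if supported is not None:
        for scope in sorted(requested - set(supported)):
            findings.append(f"unsupported-scope: {scope}")

    # Pitfall: missing groups/roles claim. Advisory only: an IdP may emit a
    # custom claim without listing it in claims_supported.
    claims = discovery.get("claims_supported")
    if claims is not None and role_claim not in claims:
        findings.append(f"role-claim-not-advertised: {role_claim}")
    return findings
```

Feed it the JSON fetched from OIDC_DISCOVERY_URL and the redirect URIs registered on the IdP client; resolve any finding before redeploying.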

12. Conclusion

OIDC on Apache Superset takes 1-2 hours to set up and brings huge gains in security and access management. For any organization with more than 5 users, it's a must.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France), pre-configurable OIDC.
