Configuration in values.yaml:

extraSecrets:
  custom_sso_security_manager.py: |
    import logging
    from superset.security import SupersetSecurityManager
    
    class CustomSsoSecurityManager(SupersetSecurityManager):
        def oauth_user_info(self, provider, response=None):
            logging.debug("Oauth2 provider: {0}.".format(provider))

            if provider == "azure":
                    logging.debug("Azure response : {0}".format(response))
                    me = self._decode_and_validate_azure_jwt(response["id_token"])
                    logging.debug("Parsed JWT token : {0}".format(me))
                    return {
                        'name' : me['name'],
                        'email' : me['email'],
                        'id' : me['oid'],
                        'username' : me['email'],
                        'first_name': me.get('given_name', ''),
                        'last_name': me.get('family_name', ''),
                        'role_keys': me.get('roles', []),
                    }

configOverrides:
  superset_config.py: |
    from custom_sso_security_manager import CustomSsoSecurityManager
    CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

    ENABLE_PROXY_FIX = True
  enable_oauth: |
    from flask_appbuilder.security.manager import (AUTH_DB, AUTH_OAUTH)
    from os import environ

    AUTH_TYPE = AUTH_OAUTH

    AAD_TENANT_ID = environ.get("AAD_TENANT_ID")
    AAD_CLIENT_ID = environ.get("AAD_CLIENT_ID")
    AAD_CLIENT_SECRET = environ.get("AAD_CLIENT_SECRET")

    OAUTH_PROVIDERS = [
        {
            "name": "azure",
            "icon": "fa-windows",
            "token_key": "access_token",
            "remote_app": {
              'api_base_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}",
              'request_token_url': None,
              'request_token_params': {
                'scope': 'openid email profile'
              },
              'access_token_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/token",
              "access_token_params": {
                'scope': 'openid email profile'
              },
              'authorize_url': f"https://login.microsoftonline.com/{AAD_TENANT_ID}/oauth2/v2.0/authorize",
              "authorize_params": {
                'scope': 'openid email profile'
              },
              'client_id': f"{AAD_CLIENT_ID}",
              'client_secret': f"{AAD_CLIENT_SECRET}",
              'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
            }
        }
    ]

    # Will allow user self registration, allowing to create Flask users from Authorized User
    AUTH_USER_REGISTRATION = True
    # The default user self registration role
    AUTH_USER_REGISTRATION_ROLE = "Gamma"

    AUTH_ROLES_SYNC_AT_LOGIN = True

    # First you MUST create a role like"Admin with value Admin" in the App Registration "App Roles" section in the Azure Portal under Microsoft Entra ID.
    # Then groups MUST be linked from the Microsoft Entra ID "Enterprise Application" section in the Azure Portal under the "Users and Groups" section.
    # Each groups or users MUST be assigned a role e.g.: Admin, Op, Viewer in the "Users and Groups"
    AUTH_ROLES_MAPPING = {
        "Admin": ["Admin"],
        "Operator": ["Alpha", "sql_lab"],
        "Alpha": ["Alpha"],
        "Gamma": ["Gamma"],
        "Public": ["Public"]
    }

configMountPath: "/app/pythonpath"
extraConfigMountPath: "/app/configs"