Entra ID Configuration

App Registration

  • Redirect URI: https://<starrocks-url>/api/oauth2
  • Manifest: "acceptMappedClaims": true

Claims Transformation (Enterprise App → SSO → Attributes & Claims)

Option 1: Extract()

  Field            Value
  Name             starrocks_user
  Namespace        (empty)
  Source           Transformation
  Transformation   Extract()
  Mode             Before matching
  Parameter 1      user.userprincipalname
  Value            @ (regular users) or # (guest users)

Option 2: RegexReplace()

  Field                Value
  Name                 starrocks_user
  Namespace            (empty)
  Source               Transformation
  Transformation       RegexReplace()
  Parameter 1          Attribute: user.userprincipalname
  Regex pattern        ^(?<username>[^@#]+)[@#].*$
  Replacement pattern  {username}
  Output if no match   Attribute: user.userprincipalname

Tip

RegexReplace() handles both @ and # in a single regex, while Extract() requires choosing one separator.

Result (both options):

  • user@domain.com → user
  • user_domain.com#EXT#@tenant.onmicrosoft.com → user_domain.com
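The following script is an added example, not part of the original page and not Entra ID's own implementation. It models both claims-transformation options in Python so the Tip above can be checked locally: Extract() with a single separator versus RegexReplace() with the page's pattern. Entra's .NET regex syntax ((?<username>...) and {username}) is spelled (?P<username>...) and \g<username> in Python's re module; the sample UPNs are constructed, and the behaviour of Extract() when the separator is absent is an assumption noted in the code.

```python
import re

# Constructed sample UPNs (not from a real tenant): a member user and a B2B guest.
SAMPLE_UPNS = [
    "user@domain.com",
    "user_domain.com#EXT#@tenant.onmicrosoft.com",
]

# Entra ID's RegexReplace() uses .NET syntax: (?<username>...) and {username}.
# Python's re module spells the same thing (?P<username>...) and \g<username>.
UPN_PATTERN = re.compile(r"^(?P<username>[^@#]+)[@#].*$")


def regex_replace(upn: str) -> str:
    """Option 2: RegexReplace(). Keep the text before the first '@' or '#'.

    Mirrors the page's "Output if no match: user.userprincipalname" setting by
    returning the UPN unchanged when the pattern does not match.
    """
    match = UPN_PATTERN.match(upn)
    return match.expand(r"\g<username>") if match else upn


def extract_before(upn: str, separator: str) -> str:
    """Option 1: Extract() in 'Before matching' mode with one separator.

    Returns everything before the first occurrence of `separator`.
    Assumption (not documented on the page): a UPN that lacks the separator
    is passed through unchanged.
    """
    head, _, _ = upn.partition(separator)
    return head


def compare_options(upns: list[str]) -> dict[str, dict[str, str]]:
    """Show what each option emits for each UPN so the Tip's caveat is visible:
    Extract() with '@' leaves '#EXT#' on guest UPNs, Extract() with '#' leaves
    member UPNs untouched, while RegexReplace() handles both with one rule."""
    return {
        upn: {
            "regex_replace": regex_replace(upn),
            "extract_@": extract_before(upn, "@"),
            "extract_#": extract_before(upn, "#"),
        }
        for upn in upns
    }


if __name__ == "__main__":
    for upn, results in compare_options(SAMPLE_UPNS).items():
        print(upn)
        for option, value in results.items():
            print(f"  {option:14} -> {value}")
```

Running it shows why a single Extract() separator cannot serve both populations: with @ the guest principal becomes user_domain.com#EXT#, with # the member principal stays user@domain.com, and either value later triggers the "invalid user name" error listed under Troubleshooting.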

StarRocks fe.conf

oauth2_auth_server_url=https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
oauth2_token_server_url=https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
oauth2_client_id=<client-id>
oauth2_client_secret=<client-secret>
oauth2_redirect_url=https://<starrocks-url>/api/oauth2
oauth2_jwks_url=https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
oauth2_principal_field=starrocks_user
oauth2_required_issuer=https://login.microsoftonline.com/<tenant-id>/v2.0
oauth2_required_audience=<client-id>

StarRocks SQL

CREATE USER `username` IDENTIFIED WITH authentication_oauth2;

Important

Users must be created with IDENTIFIED WITH authentication_oauth2; otherwise OAuth login fails with “Login name X is not matched to user Y”.


Troubleshooting

  Error                                   Fix
  AADSTS50146                             Set "acceptMappedClaims": true in the Manifest
  invalid user name: user@domain.com      Use a claims transformation to remove the @ suffix
  Login name X is not matched to user Y   Recreate the user with IDENTIFIED WITH authentication_oauth2
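As an added diagnostic example (not StarRocks code and not its actual validation logic), the script below reads the three fe.conf keys that govern token acceptance, decodes the payload of an ID token without verifying it, and reports which of the mismatches from the table above would apply: wrong issuer, wrong audience, a missing starrocks_user claim, or a principal that still carries an @ suffix. The fe.conf excerpt and the tokens are constructed with the page's placeholder values; the checks themselves are an assumption about what the page implies, and signature verification against oauth2_jwks_url is deliberately left to StarRocks.

```python
import base64
import json

# Constructed fe.conf excerpt using the same placeholder values as the page.
FE_CONF = """\
oauth2_principal_field=starrocks_user
oauth2_required_issuer=https://login.microsoftonline.com/<tenant-id>/v2.0
oauth2_required_audience=<client-id>
"""


def parse_fe_conf(text: str) -> dict[str, str]:
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for local tests only.
    Real tokens are signed by Entra ID and verified by StarRocks via oauth2_jwks_url."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the payload segment without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(claims: dict, conf: dict[str, str]) -> list[str]:
    """Map claim/config mismatches to the troubleshooting entries above.
    Assumption: these are the checks the page implies, not StarRocks' exact code."""
    problems = []
    if claims.get("iss") != conf["oauth2_required_issuer"]:
        problems.append("iss does not match oauth2_required_issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if conf["oauth2_required_audience"] not in audiences:
        problems.append("aud does not contain oauth2_required_audience")
    field = conf["oauth2_principal_field"]
    name = claims.get(field)
    if name is None:
        problems.append(
            f"claim {field} missing: check Attributes & Claims and acceptMappedClaims (AADSTS50146)"
        )
    elif "@" in name:
        problems.append(
            f"invalid user name: {name}; add a claims transformation to strip the @ suffix"
        )
    return problems


if __name__ == "__main__":
    conf = parse_fe_conf(FE_CONF)
    token = make_unsigned_token({
        "iss": conf["oauth2_required_issuer"],
        "aud": conf["oauth2_required_audience"],
        "starrocks_user": "user@domain.com",  # transformation not applied yet
    })
    for problem in diagnose(decode_claims(token), conf) or ["no problems found"]:
        print(problem)
```

Point the script at a token captured from your own browser session (by decoding it locally, never by sending it anywhere) to see which row of the table applies before touching the Entra configuration.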