We have confirmed with TIBCO support that SSO with data sources via Information Link doesn't work with Azure AD due to an limitation on Azure AD side.
To SSO with the data source (in this case Snowflake), it is required to issue an access token from OIDC provider with api scope (e.g. api://32197c29-77e0-4362-8085-9f7ab235fe5a/session:role-any, required by Snowflake), so we need to add this api scope to "OpenID Connect" page of uiconfig, together with all 3 default OIDC scopes "openid email profile". However Azure AD doesn't allow tapi scope be specified together with OIDC scopes (see below links). Doing so will end up with an access token being issued only for the api scope, so login to Spotfire would always fail.
https://learn.microsoft.com/en-us/answers/questions/1165308/i-want-access-tokens-with-multiple-scopes-includin
https://stackoverflow.com/questions/75281958/i-want-access-tokens-with-multiple-scopes-including-http
We hope TIBCO can improve Spotfire so as to work around this limitation by Azure AD due to that almost all of our customers are using Azure AD if OIDC authentication is necessary.
A possible solution could be developing another CustomCredentialsProvider (similar to currently available TokenCredentialsProvider) and issue access token from Azure AD with api scope required by data sources.
Implemented in | 12.5 |