Is it possible to read user’s administrative units from Azure AD (oidc Identity provider) and store as attribute?
End goal is for JWT to include information about user's Administrative units and/or Organization units (if possible).
In theory: Azure ID needs to add user’s administrative units into OIDC claim. Then configure Keycloak Identity Provider mappers and map that claim into Keycloak entity (user attribute/role/...). Then Keycloak clients can use it in their own mappers configuration.
Related
I am building an application which will use Azure B2C as the identity system. It will include some local accounts, and some federated accounts for Enterprise SSO logins.
The application will have “application tenants”, representing customer organization/company.
I’d like a user to be able to grant users access to one or more application tenants (in case some users will manage multiple company accounts within the app).
There will also be multiple roles within the app (e.g. read only, full admin).
What is the recommended way to map a B2C User to “app tenants” and roles?
Create AAD group per tenant and role and check membership?
Custom attribute for tenantid(s)?
Or must I map users to tenants & roles in app DB/ outside of B2C?
Is this scenario described in any docs that might point me in the right direction?
Thanks!
We implemented SSO on Snowflake and with SCIM, we're able to provision users in Snowflake
Now, I want it to work like SQL Server authentication where I can add users to the same AD group and create a single login on SQL Server for this AD group. To revoke login permissions I just remove the user from the AD group. To give a new person access I just add them to it.
I would like also to map a role to a group, so, for instance, if I could link an Azure AD Group to a Snowflake Role [Read-Only User for Database X], as soon as I'm adding a user Y in Azure AD Group, this user Y will have automatically read-only access to Database X
Is it possible ?
Regards,
This same concept is possible in Snowflake as well with SAML SSO (for authorization) and SCIM (to sync users and their corresponding roles to SF). The details for this are here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-idp.html
https://community.snowflake.com/s/article/HOW-TO-Setup-SSO-with-Azure-AD-and-the-Snowflake-New-URL-Format-or-Privatelink
https://docs.snowflake.com/en/user-guide/scim-azure.html
Both these together will ensure that the user created on Azure AD will be possible to login with the AAD credentials and the SCIM will ensure that the relevant role management is on the AAD side which is reflected exactly as-is on the SF side.
I have registered an app in AAD and as a admin I want to provide permission for user to read or access the data of particular group list not all group available in my MS team account. How can be achieve this any idea?
No. Azure AD app doesn't provide such a feature that scopes Microsoft Graph application permissions to specific Microsoft Teams/Groups.
The client credential flow is used to as an authorization grant typically when the client is acting on its own behalf. When you give Group.Read.All or Files.Read.All or other similar application permissions, it means the client has access to all the files/groups across the entire tenant.
You can achieve this by implement the business logic in your code. For example, providing a configuration file which includes the particular groups'/teams' object ids. And then restrict the access for users to only these groups/teams by checking if the object ids (which users are trying to access) are in the configuration file.
I have setup Single-Sign on (SSO) using keycloak and saml/OpenID broking between a web application (using Kibana for testing) and IDP Azure AD.
Created few users and groups in Azure AD. Also configured attribute mapping to map the user/group roles from Azure AD to keycloak by following the below link,
https://keycloak.discourse.group/t/getting-groups-from-azure-active-directory-idp/590
I need to map the same user/groups roles to Kibana application as well. My requirement is while a user logs into Kibana using the Azure AD - Keycloak Single-Sign On authentication, he should be able to login using the same Azure AD user/group privileges, So there is no need to create separate user/group roles in Kibana.
Is it possible to configure it? Please suggest.
What you are looking for is group claim.
For group claim, you could add the users into different security Groups and include Groups claim in your token. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["{group id}"]
}
App role can implement the same thing for you.
I have an app that supports SAML 2.0. I want to configure Azure AD as Id Provider. I want to store my SP's unique identifiers in Azure AD user profiles. I could not find how to do that.
More specifically, I am able to select any of the user profile attributes as the value for NameId in the SAML response. But I do not want to use Azure AD standard user profile attributes. I could set up user.extensionattribute1 but where can I set the value for this attribute?
Note:
1. I am using trial Azure AD with Office 365 subscription. I am able to set up Azure AD as a SAML-based SSO Id Provider.
1.Navigate to Azure Active Directory > Enterprise applications and select the application from the list.
2.Under the Manage section, select Single sign-on.
3.Select SAML. The Set up Single Sign-On with SAML - Preview page appears.
You can configure User attributes and claims here.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications