SCIM Google Workspace Snowflake - snowflake-cloud-data-platform

Is someone already configure Google Workspace working with Snowflake and has user automatically created (as Okta can purpose)
Thanks for the help

If GSuite support SCIM, Then One thing that you may try is Custom SCIM integration as suggested here- https://docs.snowflake.com/en/user-guide/scim-custom.html
Currently, Custom SCIM integrations are supported for identity providers that are neither Okta nor Microsoft Azure AD.
Although I've not tested this with Gsuite, you may give it a try provided Gsuite has support for SCIM.

Google Workspace supports SCIM autoprovisioning on SAML apps that are already part of their Pre-integrated SAML apps catalog, although this is not explicitly mentioned in their documentation, Automated user provisioning is available only for Supported apps:
See About automated user provisioning
Snowflake would need to work with Google Workspace to see if their solution could be added to the catalog.

Related

Why Saml is the default option for registering Salesforce as an Enterprise Application is AAD

I am trying to integrate Salesforce with AAD, so I see two available options, either Saml or OpenId Connect.. I do not know which one is better, but I prefer OpenId Connect since it seems to be more modern. So I tried to register Salesforce App in AAD and Saml was the default options, so why is Saml the default option ?! is it better or what? Please note that I am building an API and I need to allow authentication and authorization with Single Sign On.
The Azure AD app gallery contains many popular applications that are already pre-configured to work with Azure AD as an identity provider. These applications will be available in the Enterprise applications and have SAML to perform SSO. Any application which is added directly from the Gallery the default method is SAML based SSO , password based SSO etc.. which depends upon the applications.
Kindly check the difference between the App Registration and Gallery application in Azure portal from the link
In order to get more detailed explanation about SSO types and protocols kindly check the document to get more detailed explanation.
If you have any further queries kindly let me know.

Use GLPI or Centreon on ADFS or Azure AD Proxy

I am currently looking to connect ADFS with GLPI or Centreon , but I found that I can't because these two apps don't use SAML .
I am now focused on how can I connect GLPI or Centreon to Azure AD using Application Proxy to authenticate with tenant Azure AD account.
But after configuration I can't log in to the application itself ..
my main question is of GLPI or centreon are planned to work with Azure AD.
Has someone has worked on this kind of project? It will help me out to have more info.
Centreon doesn't manage Azure AD so far.
No enhancement is visible in the roadmap for this.
However, Centreon supports LemonLDAP::NG as a frontal.
There are 2 plugins available for GLPI that enable SAML authentication.
https://plugins.glpi-project.org/#/plugin/fpsaml
https://plugins.glpi-project.org/#/plugin/phpsaml
I struggled with fpsaml, the configuration was overly complex and required editing configuration files that could be overwritten IIRC. The plugin has not been updated in some time and it was last compatible with GLPI 9.1.3.
I ended up writing the phpsaml plugin using the Onelogin SAML Toolkit. Using phpsaml you can configure all SAML settings from the plugin configuration page. It is compatible up to GLPI 9.6.
You can find more info on github at
https://github.com/derricksmith/phpsaml.
I don't have previous experience in this kind of projects, but I know SAML is supported by GLPI as external auth.
You'll need to setup your apache (or whatever web server you're using to support it and GLPI config would be quite easy.

Office Add-In SSO with an AAD v1 app registration

I am developing a office add-in.
This office Add-In is supposed to retrieve the term store from SharePoint.
By following this tutorial:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet
I managed to get an access token to be used for Graph api. However the Graph does not expose any way of getting the term store. Is there a way we can generate an access token to be used with SharePoint and maintain the SSO?
It might be possible by registering an Azure AD v1 app but I could not find any documentation describing that.
I have a similar requirement, but in my research I wasn't able to find a good solution for this scenario.
I think it is probably possible to use a provider hosted SharePoint add-in. And then use the Authorization Code flow for obtaining an access token. Since the SharePoint add-in is trusted it will not require user login.
Of course this does mean the add-in needs to be deployed in SharePoint. If your Office add-in is distributed through the store this isn't really a great solution.
Hopefully there are other ways of achieving the same.
You could call SharePoint Online APIs (via REST or CSOM) with Azure Active Directory Apps. To call APIs secured by Azure AD, your app must acquire an access token from Azure Active Directory.
Please first refer to this document for integrating applications with Azure Active Directory. Then use Azure Active Directory Authentication Library (ADAL) to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls.

Microsoft-graph-api, SSO and ADAL mobile sdk

I have developed few iOS/Android app using Azure Ad SDK 'ADAL'.
The app works properly for SSO feature and other login mechanisms. However now I want to add 'new contact' using Azure ad access token. But I came to know that Azure ad graph is no longer supported hence latest Microsoft Graph is suggested sdk for the same.
My issue is: The most important feature according to me is the Single Sign-On feature with respect to mobile apps SDK Azure ad SDK offers API for most convenient login user experience. Thus you are free to pick account from Authenticator app (if present) or any other app in the device which is already logged in.
But Microsoft Graph SDK does not support Authenticator app available on the mobile phone. And prompts user a Login screen though he has already logged in to other app having outlook/Microsoft login
Please help me with some more information on this use case so that I can migrate to Microsoft graph from Azure Ad app.
I have a huge tradeoff as follow
1. Azure ad supports SSO but does not support Latest Graph features like: Adding new contact in 'My Contacts'
2. Microsoft Graph being Latest library/SDK has all features EXCEPT SSO.
Please provide me answers for these question of any suggestion if I am missing anything.
The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you]. Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also Azure AD Graph does not support personal contacts - this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,

Cloud Apps and Single Sign-On (AD integration)

I've been investigating some cloud vendors and the ability to implement single sign-on with them, especially when it comes to AD (Active Directory) integration.
So far I've learned that with Azure this is possible through ADFS and the AppFabric Access Control offer.
In AWS, since it is possible to create a VPN and see EC2 instances as a natural extension of a private datacenter, I believe implementing SSO would be rather simple (not sure if I'm right on this one... Please correct me if I'm wrong).
With App Engine though, even though there is some documentation on AD synchronization (not full integration) for Google Apps, I'm struggling to find out whether AD integration would be possible... Is there any strategy for that?
Any bit of information on cloud apps and AD integration will be appreciated!
App engine apps can only call out to other services using HTTP or HTTPS, so you could not directly query an AD server. Of course, I'm sure you could build a simple HTTP/LDAP bridge if one does not already exist.
UPDATE: oops, I forgot about SDC,or Secure Data Connector. It is not exactly a HTTP/LDAP bridge, but can provide a bridge between your intranet and your Google App Engine app.
You typicially don't need communication between the application (in this case running in GAE) and AD.
You would, instead, get a security token from and STS (ADFS) and then send the token to the app that is would be configured to accept and trust those tokens.
I'm not familiar w/ GAE but assuming it accepts SAML tokens and understands WS-Federation, you can achieve SSO without ever exposing AD or synchronizing any information between AD and GAE (using ADFS for example)
This is a classic identity federation scenario.

Resources