SSO Role Mapping
Introduction
Dais allows users to authenticate using single sign-on (SSO) via external identity platforms such as Okta and Azure Active Directory. Dais can also assign roles and permissions to users based on information passed in from these external identity platforms.
When a user logs in to Dais using SSO, the external identity platform authenticates them using the SAML 2.0 protocol. As part of this process, the identity platform sends a SAML token to Dais, which Dais then validates and uses to log the user in instead of asking for a username and password.
These SAML tokens contain claims, which are information about the user such as their email address or the Active Directory groups they belong to. Dais can be configured to assign Dais roles and permissions (such as tester and maintainer) to users based on the claims passed in from the external identity platform.
Supported SSO Providers
Currently role mapping is only supported for Azure Active Directory.
Configuring Azure Active Directory
To set up and configure SAML for Azure Active Directory, please refer to the following literature:
- Azure Active Directory - Fundamentals
- Azure Active Directory - SSO SAML Protocol
- Azure Active Directory - SAML Tutorial
The dais-activedirectory-integration-guide-v1.1.0 also describes how to configure Active Directory with Dais. Please contact the Dais Team to obtain this document.
Configuring Dais SSO Config
The role mappings are configured in the Role Mappings section of the Dais SSO Portal Mapping resource. Multiple mappings can be specified, with later mappings taking precedence over previous mappings.
- Match From Key – specifies the Dais user profile key to use for the mapping. For example, this could be a profile key representing an email address or an Active Directory group.
- Match Value – the value of the profile key to apply specific roles and permissions for. For example, this could be an email address, or the ID of an Active Directory group. This is compared against the value resolved by looking up Match From Key in the Claims object returned from the SSO IdP. If this value matches, the roles and permissions in this row will be applied.
  - If the value resolved by Match From Key is an array, Match Value will be compared against each entry in the array, matching if it equals any value in the array.
  - To match any value for a key, use a wildcard: *.
- User Group – an additional Dais user group to add the user to. Note: this will not override the existing list of user groups the user is part of. Instead, it will add the user to the specified groups if they are not already part of them.
- App Roles Project Id & App Roles Permission Name – the Project ID and the role IDs representing the Dais application roles to assign to the user. Project IDs can be determined from the application URL as follows: https://portal/app/appId. Role IDs can be determined by looking at the ID column in the Roles table in the App Admin App Permissions screen. Note: this will override any existing roles the user has for the specific applications.
- Maintainer & Tester – the Project ID that the user should be an App Maintainer or an App Tester of. Note: this will not override the existing maintainers/testers of an application or override the list of apps the user is currently a maintainer of.
Note: The below examples are for Dais versions < v2.18, where SSO is configured via sso-config.yaml
Example 1 – Role Mapping based on Active Directory Group
Set up a groups SAML claim that uses the Active Directory group IDs assigned to the user by following the guide here, then update the profile and roleMappings sections of the file as follows:
profile:
  email: email
  firstName: firstname
  lastName: lastname
  # Map the Active Directory 'groups' SAML claim property to a Dais user property:
  groups: groups
# Map SAML claim properties to Dais roles and permissions:
roleMappings:
  - mapFromKey: groups
    mapTo:
      - matchValue: <groupId>
        portalRole: <portalRole>
        userGroups:
          - <usergroup>
        appRoles:
          <appId>:
            - <appRoleId>
        maintainer:
          - <appId>
        tester:
          - <appId>
To match multiple group IDs:
profile:
  email: email
  firstName: firstname
  lastName: lastname
  # Map the Active Directory 'groups' SAML claim property to a Dais user property:
  groups: groups
# Map SAML claim properties to Dais roles and permissions:
roleMappings:
  - mapFromKey: groups
    mapTo:
      # matchValue may be a list: the row applies if the user is in any of these groups
      - matchValue:
          - groupId1
          - groupId2
        portalRole: <portalRole>
        userGroups:
          - <usergroup>
        appRoles:
          <appId>:
            - <appRoleId>
        maintainer:
          - <appId>
        tester:
          - <appId>
To apply base roles and permissions for all groups, then specific roles and permissions for certain groups:
profile:
  email: email
  firstName: firstname
  lastName: lastname
  # Map the Active Directory 'groups' SAML claim property to a Dais user property:
  groups: groups
# Assign all groups the "creator" portal role by default, but make users in "groupId1" and "groupId2" admins.
roleMappings:
  - mapFromKey: groups
    mapTo:
      - matchValue: "*"
        portalRole: creator
      - matchValue:
          - groupId1
          - groupId2
        portalRole: admin
Example 2 – Role Mapping based on User Email
profile:
  email: email
  firstName: firstname
  lastName: lastname
# Any user with either of the specified email addresses will be made a portal admin
roleMappings:
  - mapFromKey: email
    mapTo:
      - matchValue:
          - admin-user1@company.com
          - admin-user2@company.com
        portalRole: admin
Example 3 – Role Mapping based on Active Directory Group & User Email
profile:
  email: email
  firstName: firstname
  lastName: lastname
  # Map the Active Directory 'groups' SAML claim property to a Dais user property:
  groups: groups
# Members of 'groupId1' will be portal creators, but one user with a specific email address will be an admin
roleMappings:
  - mapFromKey: groups
    mapTo:
      - matchValue: groupId1
        portalRole: creator
  - mapFromKey: email
    mapTo:
      - matchValue: admin-user@company.com
        portalRole: admin
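The matching rules described under Configuring Dais SSO Config (ordered mappings with later rows taking precedence, scalar or list matchValue, array-valued claims, the "*" wildcard, additive user groups/maintainer/tester versus overriding app roles) are modelled below in Python so the examples above can be checked against sample claims. This is an added illustration, not Dais code, and it embeds the configuration as a dict in the shape of the sso-config.yaml examples rather than parsing YAML. Assumptions: keys in the profile section are Dais profile keys and values are SAML claim names (as the page's comments imply); a wildcard still requires the claim to be present; appRoles from a later row replace an earlier row's roles for the same app; all group, app and role IDs are placeholders.

```python
"""Resolve Dais-style SSO role mappings from SAML claims (added example)."""
from typing import Any, Dict, List

WILDCARD = "*"


def _as_list(value: Any) -> List[Any]:
    """Normalise a scalar-or-list value into a list (None -> empty list)."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]


def match_value(claim_value: Any, match_spec: Any) -> bool:
    """Does a mapping row's matchValue match the resolved claim value?

    claim_value may be a scalar (an email) or an array (AD group IDs);
    match_spec may be a scalar or a list of acceptable values. "*" matches
    any present value. Assumption: a missing or empty claim never matches,
    even against the wildcard.
    """
    values = _as_list(claim_value)
    if not values:
        return False
    wanted = _as_list(match_spec)
    if WILDCARD in wanted:
        return True
    return any(v in wanted for v in values)


def build_profile(claims: Dict[str, Any], profile_map: Dict[str, str]) -> Dict[str, Any]:
    """Apply the profile section: Dais profile key -> SAML claim name (assumed)."""
    return {dais_key: claims.get(claim_name) for dais_key, claim_name in profile_map.items()}


def resolve_roles(claims: Dict[str, Any], config: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate every mapping row in order; later matching rows take precedence.

    portalRole and per-app appRoles are overridden by later rows; userGroups,
    maintainer and tester only ever accumulate, mirroring the page's notes
    that those fields never remove existing memberships.
    """
    profile = build_profile(claims, config.get("profile", {}))
    result: Dict[str, Any] = {
        "portalRole": None,
        "userGroups": set(),
        "appRoles": {},
        "maintainer": set(),
        "tester": set(),
    }
    for mapping in config.get("roleMappings", []):
        claim_value = profile.get(mapping["mapFromKey"])
        for row in mapping.get("mapTo", []):
            if not match_value(claim_value, row.get("matchValue")):
                continue
            if "portalRole" in row:
                result["portalRole"] = row["portalRole"]
            result["userGroups"].update(_as_list(row.get("userGroups")))
            for app_id, role_ids in (row.get("appRoles") or {}).items():
                result["appRoles"][app_id] = _as_list(role_ids)
            result["maintainer"].update(_as_list(row.get("maintainer")))
            result["tester"].update(_as_list(row.get("tester")))
    return result


# Constructed config in the shape of the page's sso-config.yaml examples.
# Group, app and role IDs are placeholders, not real Azure AD or Dais identifiers.
EXAMPLE_CONFIG: Dict[str, Any] = {
    "profile": {"email": "email", "firstName": "firstname",
                "lastName": "lastname", "groups": "groups"},
    "roleMappings": [
        {"mapFromKey": "groups",
         "mapTo": [
             # Any user with at least one group becomes a creator ...
             {"matchValue": "*", "portalRole": "creator"},
             # ... and members of these two groups also get app access.
             {"matchValue": ["groupId1", "groupId2"],
              "userGroups": ["engineering"],
              "appRoles": {"app-1": ["appRoleId-1"]},
              "tester": ["app-1"]},
         ]},
        {"mapFromKey": "email",
         "mapTo": [
             # One named user is promoted to admin and maintains app-1.
             {"matchValue": "admin-user@company.com",
              "portalRole": "admin", "maintainer": ["app-1"]},
         ]},
    ],
}


if __name__ == "__main__":
    # Constructed claims as they might arrive in a SAML token.
    claims = {"email": "admin-user@company.com", "firstname": "Ada",
              "lastname": "Lovelace", "groups": ["groupId1", "groupId7"]}
    print(resolve_roles(claims, EXAMPLE_CONFIG))
```

Running it for the constructed admin user yields portalRole "admin" (the email row runs last and wins over the wildcard's "creator"), while the group row's user group, app role and tester entries are retained because those fields are additive. A user whose token carries no groups claim gets no portal role at all, which is a useful check that the wildcard row is not silently granting access to users outside any mapped group.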