Excerpt |
---|
This guide explains how to set up Squirro Single Sign-On with Azure Active Directory (AAD). |
...
Log in to the Azure Active Directory Admin Center.
Navigate to Enterprise applications.
Click New application.
In the resulting list, search for Azure AD SAML Toolkit and select that application.
Enter a descriptive name e.g., “Squirro” and confirm by clicking Create.
Note: if the Create button remains greyed out, your organization does not have the requisite Azure AD subscription.The Enterprise Application detail view is now opened.
Configure Single Sign-On (SSO)
Navigate to Properties in the left hand navigation.
Upload the Squirro logo – or an alternate project logo.
Press the Save button.
In the left navigation click on Single sign-on.
Select SAML.
Press Edit in the Attributes & Claims section.
Enter the following values:
Identifier (Entity ID):
https://sso.squirro.com/o/saml2/entity
Note: If this creates a conflict due to the same Entity ID already being used, it can be changed to any other value. In that case make sure to also insert the same value later in the Squirro configuration.Reply URL:
https://<squirro_server>/sso/callback
Sign on URL:
https://<squirro_server>
To send the users' group memberships to Squirro click the Add a group claim button in the toolbar. Refer to the official Configure group claims for applications by using Azure Active Directory for details on this. One common option is to use Groups assigned to the application and select the Group ID source attribute.
Back on the Single Sign-on overview page download the Federation Metadata XML file.
Configure Squirro
To configure SAML Single Sign-On with the federation metadata file, go to the Server space in Squirro and in the navigation on the left select Single Sign-On (SAML).
Press the red plus button on the top right. Fill out the form:
Domain:
*
Enabled: Check
Entity ID: Use the same Entity ID as provided to AAD earlier. If you used the default, then you can leave this empty.
Metadata file: upload the Federation Metadata XML file that was obtained from AAD earlier.
Certificate file: can be left empty.
User group: Select a Squirro user group which should be assigned to all SSO users - this is optional.
Group names field: if sending group claims then put in the value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
(this should correspond to the claim name given for the group claim in AAD).Mapping of groups to Squirro roles:
This defines the server-wide permissions for SSO users based on the group names that were retrieved from the claims. If using the Group ID source attribute this will refer to the Object Id of the relevant group.
Example value:72b6ff2e-a56d-4398-9f80-283266e12f00=admin; 2d361d77-1610-4a47-81b9-124f6cce8e8b=user; reject
This example gives admin rights to all users in a administrator group (72b6ff2e-a56d-4398-9f80-283266e12f00) group, normal access to all users in a user group (2d361d77-1610-4a47-81b9-124f6cce8e8b) and rejects all other logins.If you are going to use the Microsoft Outlook integration, Squirro needs to map the user’s object identifier. This can be achieved by providing the following configuration in Fields to map in as user values:
Code Block language text msExchMailboxGuid = http://schemas.microsoft.com/identity/claims/objectidentifier
...