Introduction
OneLogin only allows a single group to be assigned per user. This article explains how to configure the SAML attributes that are required for provisioning. Although there are alternative ways (e.g., a directory service) to dynamically set the memberOf attributes, the process below illustrates how to configure these fields.
DataSet Configuration
Click the User Menu → "Manage Users and Teams" → "Users" → "Advanced Configuration." This is the /scalyr/logs configuration file. Here are the groups that SAML provisioning will use to assign user permissions for our account. Please note:
- The externalAliases field (of the groups section) is correlated with the OneLogin groups
- The users section (above the groups section, presently empty) is necessary to ensure that new users are provisioned
- We recommend allowing username / password logins for ease of use during this phase of the configuration; this can always be disabled later
{
  users: [
  ],
  groups: [
    {
      name: "Administrators",
      permissions: "full",
      "externalAliases": ["admins"]
    },
    {
      name: "Users",
      permissions: "user",
      "externalAliases": ["users"]
    },
    {
      name: "Limited",
      permissions: "readLog",
      "externalAliases": ["noedit"]
    }
  ]
}
OneLogin Configuration
1. Click "Users" → "Groups"
2. Add groups as needed. For simplicity, I chose the "Default" security policy.
3. Once the groups have been created, associate your users with the groups by clicking "Users" → "Users" → "Authentication." Choose the group from the "Group" dropdown:
4. Click "Users" → "Mappings". We will use mappings to set the OneLogin MemberOf variable to the group associated with the user:
Be sure to click the "Reapply all Mappings" button (at the top of the "Mappings" page) when you are done for these changes to take effect.
1. Click "Applications" → choose the Scalyr application → "Parameters" → (+) button (New Field)
2. Define the "memberOf" attribute and click "Save." Be sure to check the "Include in SAML assertion" flag.
3. A dropdown list is displayed for the value; choose the MemberOf mapping:
4. Click "Save" again
5. The memberOf attribute you created should now be associated with the Scalyr application:
6. Confirm that new users are provisioned when signing in with SAML, and are created with the permissions defined by the groups within the /scalyr/logs configuration file
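
To support the confirmation in the last step, the following added example (not part of the original article, nor DataSet or OneLogin tooling) reads the memberOf attribute from a decoded SAML assertion and reports which configured group it would select. It assumes an exact, case-sensitive match against externalAliases, which the article does not specify; the sample assertion is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Group names, permissions and aliases copied from the configuration shown above.
GROUPS = [
    {"name": "Administrators", "permissions": "full", "externalAliases": ["admins"]},
    {"name": "Users", "permissions": "user", "externalAliases": ["users"]},
    {"name": "Limited", "permissions": "readLog", "externalAliases": ["noedit"]},
]

# Constructed sample: attribute statement of a decoded assertion from a test login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def member_of_values(assertion_xml):
    """Return every value of the memberOf attribute in the assertion."""
    # Only parse assertions you captured yourself; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(assertion_xml)
    xpath = ".//saml:Attribute[@Name='memberOf']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, SAML_NS)]


def resolve_groups(assertion_xml, groups=GROUPS):
    """Map memberOf values to configured groups; collect values with no alias."""
    matched, unmapped = [], []
    for value in member_of_values(assertion_xml):
        # Assumption: exact, case-sensitive comparison with externalAliases.
        hits = [g for g in groups if value in g["externalAliases"]]
        if hits:
            matched.extend((g["name"], g["permissions"]) for g in hits)
        else:
            unmapped.append(value)
    return matched, unmapped


if __name__ == "__main__":
    matched, unmapped = resolve_groups(SAMPLE_ASSERTION)
    print("matched groups:", matched)
    print("values with no externalAliases entry:", unmapped)
```

An empty result for both lists means the assertion carried no memberOf attribute at all, which points back at the "Include in SAML assertion" flag or the mapping.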