Introduction
DataSet has long supported SSO, and now it supports SAML provisioning so you can add users to multiple groups and/or teams directly from Azure.
Here is a step-by-step guide to implement SSO with SAML provisioning under Azure Active Directory.
Prerequisites
- Azure Active Directory
- Non Gallery App Create permissions in Azure
- "Full" Access permissions to your DataSet account
- Metadata XML file from Azure
- Support ticket to configure DataSet
Setup Azure
Step 1: Create an AAD Gallery Application
Click Azure Active Directory > Enterprise applications > New Application
Step 2: Create Non-Gallery Application
Step 3: Setup Single Sign On
Once the app is created, navigate to Single sign-on and for mode, select SAML
Step 4: Setup Basic SAML config
Fill out the two fields
- US Config
- Identifier (Entity ID) - Please contact support to obtain this value (if your org is ACME, URL will be: https://www.scalyr.com/sp?organization=acme)
- Reply URL: https://www.scalyr.com/acs
- EU Config
- Identifier (Entity ID) - Please contact support to obtain this value (if your org is ACME, URL will be: https://eu.scalyr.com/sp?organization=acme)
- Reply URL: https://eu.scalyr.com/acs
- DVUS Config
- Identifier (Entity ID) - Please contact support to obtain this value (if your org is ACME, URL will be: https://app.us1.dataset.com/sp?organization=acme)
- Reply URL: https://app.us1.dataset.com/acs
Step 5: Setup User Attributes & Claims
- 5.1 Setup User Claim (required)
Name Identifier Format: Email Address
Source: Attribute
Source Attribute: user.mail
- 5.2 Setup Group Claim (optional, only for SAML provisioning)
These steps are only needed if you are configuring SAML provisioning with Azure Active Directory. This will allow for provisioning groups and teams directly from Azure -- also see the steps provided with DataSet Section 2.3.1 and DataSet Section 2.3.2 below for more details.
Please refer to the screenshot below:
- The "Add a group claim" button will be grayed out since this is the default entry. Click it, and the "Group Claims" dialog will appear to the right of your screen
- From the "Group Claims" dialog, select "All groups"
- Select "Group ID" from the "Source attribute" dropdown menu
- Check the "Customize the name of the group claim" checkbox
- Specify memberOf (case sensitive) in the "Name (required)" field
Click the "Save" button
Step 6: Download the metadata.xml file and send it to support.
1. Click “Configure Scalyr” at the bottom of the panel. This will bring up a “Configure sign-on” panel on the right.
2. Click the “SAML XML Metadata” link under “Configure Scalyr for single sign on”. This will download the metadata XML file. Once it has been downloaded, send it to support@scalyr.com for configuration on our end.
Setup DataSet
Step 1: Send an email to support@dataset.com or submit a ticket here
Please include:
- Desired Org name (Guidelines can be found here)
- Whether you want to configure SAML provisioning (SSO sign-ins must be fully functional before we can configure SAML provisioning)
- The metadata.xml that was generated from Azure
If you are just setting up SSO without provisioning, that is it!
If you want dynamic provisioning, continue to the next section.
Step 2: If you completed step 5.2 in the previous section, continue here to set up dynamic provisioning
- 2.1 - Navigate to your DataSet account
- 2.2 - Navigate to your User Config Files. (EU|US)
- 2.3 - Navigate to Azure > AAD > Groups > Object ID and get the Group ID (alternate methods and more detail here)
- 2.3 - Add group mappings (this allows DataSet to assign users to all teams containing the current group ID, and to grant users the permissions defined in the group)
Examples:
- 2.3.1 - Single Account
- In this example we add two externalAlias group IDs. When a user is added to the group "full" with ID "f0468420-f6c6-4c56-bda6-7d1795564d36" and the non gallery app, she will be added to the account and inherit all permissions of the "full" group.
"groups": [
{
"name": "Full", //add a group name here
"permissions": "full",
"externalAliases": ["f0468420-f6c6-4c56-bda6-7d1795564d36"] // add group ids here
},
{
"name": "Read Log",
"permissions": "readLog",
"externalAliases": ["72bb4166-0aaa-4212-8269-266c9ecb48cf"]
}
],
- 2.3.2 - Team Account
- In this example we have two teams. When the user is added to the group f0468420-f6c6-4c56-bda6-7d1795564d36, in team A she will inherit Full access, and in team B she will inherit read-only access
- Team A
"groups": [
{
"name": "Full", //add a group name here
"permissions": "full",
"externalAliases": ["f0468420-f6c6-4c56-bda6-7d1795564d36"] // add group ids here
},
{
"name": "Read Log",
"permissions": "readLog",
"externalAliases": ["72bb4166-0aaa-4212-8269-266c9ecb48cf"]
}
],
- Team B
"groups": [
{
"name": "Read Log",
"permissions": "readLog",
"externalAliases": ["f0468420-f6c6-4c56-bda6-7d1795564d36"]
},
{
"name": "Full Permission",
"permissions": "full",
"externalAliases": ["72bb4166-0aaa-4212-8269-266c9ecb48cf"]
}
],
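The mapping described in 2.3.1 and 2.3.2 can be checked before rollout. The following is an added example, not DataSet's code: it reads the `memberOf` claim from a decoded assertion and lists the permissions each team config would grant. The sample assertion, the function names and the "list every match" behaviour are assumptions; the group IDs and team configs are the ones shown above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GID_1 = "f0468420-f6c6-4c56-bda6-7d1795564d36"  # group IDs from the page's examples
GID_2 = "72bb4166-0aaa-4212-8269-266c9ecb48cf"

# Constructed sample: attribute statement of a decoded assertion (not real traffic).
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>{GID_1}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The "groups" lists from example 2.3.2, keyed by team (keys are labels only).
TEAMS = {
    "Team A": [{"name": "Full", "permissions": "full", "externalAliases": [GID_1]},
               {"name": "Read Log", "permissions": "readLog", "externalAliases": [GID_2]}],
    "Team B": [{"name": "Read Log", "permissions": "readLog", "externalAliases": [GID_1]},
               {"name": "Full Permission", "permissions": "full", "externalAliases": [GID_2]}],
}

def group_ids(assertion_xml, claim_name="memberOf"):
    """Return (ids, misnamed): values of the exact-case claim, plus attribute
    names that match only case-insensitively (the claim name is case sensitive)."""
    root = ET.fromstring(assertion_xml)
    ids, misnamed = [], []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if name == claim_name:
            ids += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        elif name.lower() == claim_name.lower():
            misnamed.append(name)
    return ids, misnamed

def effective_access(ids, teams):
    """Map each team to the permissions of every group whose externalAliases
    contains one of the user's group IDs; teams with no match are omitted."""
    access = {}
    for team, groups in teams.items():
        perms = sorted({g["permissions"] for g in groups if set(g["externalAliases"]) & set(ids)})
        if perms:
            access[team] = perms
    return access

if __name__ == "__main__":
    ids, misnamed = group_ids(SAMPLE_ASSERTION)
    print(effective_access(ids, TEAMS), "misnamed claims:", misnamed)
```

A non-empty `misnamed` list means the claim was saved with the wrong case in step 5.2, in which case no group IDs are found under the expected name.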