Hello Dojo!
Looking for some SSO/AzureAD expertise, if someone can advise on the following please:
Q: We don't have the Azure AD element from this doc in our XML, but it works, so is it required? And what are we missing out on when it's not there?
Hi Wil,
There are indeed 2 things you can do with AzureAD. The first is using AzureAD for authentication, I guess that's what you're already doing, being able to log in with your Azure AD account in DataMiner. The second thing is related to provisioning your users and groups in DataMiner. If you want to be able to pick an existing user or group from AzureAD in the Users and Groups page of System Center in Cube, you need to make sure DataMiner can connect to AzureAD to query the existing users and groups. Alternatively, you could use auto-provisioning or manually add them.
If you want to configure and use this second part, you need to configure the XML you mentioned and basically tell DataMiner how it can connect to your AzureAD. Note that the username/password is no longer needed; it's now using a client secret since 10.2.0.
I hope this clarifies the use case for this config. Let us know if you have any additional questions.
Bert
We will be fully implementing this in our systems.
Hi Wil,
Indeed, this XML element is not part of the default DataMiner.xml; it's supposed to be added manually during setup (as there is no UI to configure this).
Without this, the local DataMiner agent will not know how to query the Azure Active Directory.
What exactly do you mean by 'it works', because I would suspect you would not be able to log in with your AzureAD credentials or be able to import its users & groups?
Perhaps your client session is connected to another agent which already has this configured?
To be clear, this configuration is not required for DataMiner to function, unless you want to use the active directory on Azure instead of the one configured in Windows.
Thank you Robbe,
2nd point, as in we can auth with SAML into the instance but we're not importing groups/users – they are only created on first login (for users) and groups are done manually.
We will be fully implementing the configuration.
Thank you Bert, that helped a lot, indeed authenticating using SAML, which is then creating the user(s) in the system and matching the groups in Azure with DataMiner (manually added).