You can use Azure AD as SAML SSO provider. In Azure, you can setup Nirmata as an Enterprise Application by following the instructions here: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
To complete the Azure AD setup, follow these steps.
-
In Nirmata, go to SAML view (Identity & Access -> SAML) and click on the button "Enable SAML for federated identity management and single sign-on (SSO)"
-
This launches a dialog where you can upload the Federation Metadata XML file for Azure AD. You can download the Federation Metadata XML file for Azure AD here.
-
Now, export your Nirmata account’s SAML Service Provider (SP) metadata by clicking on the "View SP Metadata" and downloading it. Next you can import the metadata into your Azure AD application created for Nirmata earlier.
-
To complete the setup, you need to download the Federation Metadata XML from the Azure AD application. You can find it in the "SAML Signing Certificate" section. Import the Federation Metadata XML into Nirmata by clicking on the Edit icon in the “SAML Identity Provider (IdP) Settings” section.
Thats it! You now have SAML fully configured! Next, add users that need access to Nirmata in the Azure AD application and verify that SAML works.
Note: Please make sure you have at least one user with ‘Local’ authentication in Nirmata to avoid being locked out of your account in case SAML based authentication is not available.
Sync Azure groups and roles with Nirmata teams
You can sync up users in azure groups with teams in Nirmata automatically and user permissions can be mapped to the individual teams.
To accomplish this, you can use the groups and roles in Nirmata and create mapping for them in your Azure AD setup.
Here are the steps:
- In Nirmata, go to Settings > SAML and look for following attributes - #Groups Attribute Name# (‘groups’ by default) and #Role Attribute Name" (‘role’ by default). You can use them to map groups and roles to Nirmata teams and roles.
- In your Azure AD setup, go to Enterprise Applications > “Your AD application” and select Single-Sign-on configuration. Under that menu, select and edit User Attributes & Claims menu.
- Add an attribute called groups and map it to your respective azure groups (e.g. user.department) and save it.
- Similar mapping can be accmoplished for the role attribute.
- By default, role will map to DevOps role in Nirmata.
Now, as users from different grroups login, their respective groups will show up under Nirmata as teams and appropriate access settings can be configured for those teams.