How to setup AAD group to role mapping when using SAML with SSO?

Machiel Treffers shared this question 3 months ago
Answered

Hi all,

We upgraded recently to Yellowfin 9.6 and would like to start using the new integrated "SAML with SSO" feature (instead of the SAML bridge we currently use).

We provide reporting for multiple warehouses, and we have cases where users are working for multiple warehouses. In our Azure AD we have set up YF groups per warehouse. If a user requires access to dashboards for multiple warehouses, he will be assigned to each warehouse group.

When configuring LDAP authentication, Yellowfin seems to retrieve the user's group memberships and a job seems to keep these memberships in sync with the assigned roles.

For the SAML SSO configuration I could not find any information on a similar feature (https://wiki.yellowfinbi.com/display/yfcurrent/Using+SAML+with+SSO).

Could someone please inform me on:

- How to setup AAD group to role mapping when using SAML with SSO?

- I noticed the "Role attribute" feature in the SAML config, but does it allow passing multiple roles?

- Will role membership be kept in sync after the user is created?

Thanks!

Best regards,

Machiel

Comments (4)


Hi Machiel,


Thanks for your question.


Yellowfin Users can only have one role. You can perform role mapping in the SAML with SSO configuration on the relevant page, using the 'Role Attribute' parameter discussed in this post.




In terms of group mapping, I suspect this isn't possible with the new SAML with SSO tool, however, you should be able to programmatically edit User Groups through the REST API. Let me know if this meets your requirements.


Role (and group) membership should be kept in sync: there is a daily task that flattens user groups, and roles should be defined at the time of login. I will confirm that User Groups are best managed using the web services API (and that it is not possible through the new SAML feature), and that the role and group memberships will be kept in sync.


In the meantime, please let me know if you have any further questions.


Kind regards,

Simon
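Because a Yellowfin user can hold only one role while an Azure AD user may sit in several warehouse groups, whatever reads the SAML role/group attribute has to collapse several values into one role and deny by default when none of them is recognised. The following is an added example of that resolution step, not Yellowfin's code and not what its "Role Attribute" setting does internally. It assumes the Azure AD groups claim name shown below, a hypothetical table of group object IDs to role names with a precedence order, and that the assertion has already been signature-checked by the SAML library before this code sees it. The sample assertion is constructed for the example.

```python
"""Collapse the group values in a SAML assertion into a single application role.

Added example (not Yellowfin's implementation). Assumes the assertion has already
been signature-validated and audience/time-checked by the SAML service provider.
"""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD emits group object IDs under this claim type (assumption for the example).
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical mapping: AAD group object ID -> role name. Unknown IDs are ignored.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Warehouse Admin",
    "22222222-2222-2222-2222-222222222222": "Warehouse Analyst",
    "33333333-3333-3333-3333-333333333333": "Warehouse Viewer",
}
# When a user is in several mapped groups, the first matching entry wins.
ROLE_PRECEDENCE = ["Warehouse Admin", "Warehouse Analyst", "Warehouse Viewer"]

# Constructed sample assertion: user is in two mapped groups and one unmapped group.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml2:Issuer>
  <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml2:AttributeValue>33333333-3333-3333-3333-333333333333</saml2:AttributeValue>
      <saml2:AttributeValue>22222222-2222-2222-2222-222222222222</saml2:AttributeValue>
      <saml2:AttributeValue>99999999-9999-9999-9999-999999999999</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attribute_values(assertion_xml: str, attribute_name: str) -> list:
    """Return every AttributeValue text for the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml2:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def resolve_role(group_ids) -> Optional[str]:
    """Map group IDs to candidate roles and pick the highest-precedence one.

    Returns None (deny) when no group maps to a role: an absent or empty groups
    claim must not silently fall through to a default role.
    """
    candidates = {GROUP_TO_ROLE[g] for g in group_ids if g in GROUP_TO_ROLE}
    for role in ROLE_PRECEDENCE:
        if role in candidates:
            return role
    return None


def role_from_assertion(assertion_xml: str) -> Optional[str]:
    """Convenience wrapper: parse the assertion and resolve its single role."""
    return resolve_role(extract_attribute_values(assertion_xml, GROUP_CLAIM))


if __name__ == "__main__":
    print(role_from_assertion(SAMPLE_ASSERTION))
```

The precedence list is what makes the multi-group case deterministic: a user in both the Analyst and Viewer groups gets Analyst, and the order is a reviewable policy decision rather than whichever AttributeValue the identity provider happened to emit first. Keep the default-deny branch; a login that arrives with no mappable group should fail, not be granted the lowest role.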


Hi Simon,

Thank you for your input, no further questions for now.

Best regards,

Machiel


Hi Machiel,


I've reached out to our Developers for confirmation: the integrated SAML feature does not support user group mapping in the same way as LDAP. A better way would be to manage user groups using the REST API as suggested earlier, or to assign roles to user groups within Yellowfin.


EDIT: Roles will not remain synchronised between AAD and Yellowfin, and you will have to reassign them within Yellowfin.


I'll go ahead and mark this as answered shortly; let me know if you have any further questions.


Kind regards,

Simon


Hi Simon,

Thanks, no further questions.

Best regards,

Machiel