From f1a6b53f5a2470b20923f5591ce3fedaad9d4c40 Mon Sep 17 00:00:00 2001 From: Luis Paolini <paoliniluis@gmail.com> Date: Tue, 5 Nov 2024 13:19:03 -0300 Subject: [PATCH] Correct Azure SAML (#49349) * Correct Azure SAML * Update saml-azure.md * Apply suggestions from code review Co-authored-by: Jeff Bruemmer <jeff.bruemmer@gmail.com> --------- Co-authored-by: Jeff Bruemmer <jeff.bruemmer@gmail.com> --- docs/people-and-groups/saml-azure.md | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/docs/people-and-groups/saml-azure.md b/docs/people-and-groups/saml-azure.md index 41cccbe4c37..7a58f004cb2 100644 --- a/docs/people-and-groups/saml-azure.md +++ b/docs/people-and-groups/saml-azure.md @@ -15,7 +15,7 @@ First, follow our guide to [enable SAML authentication](authenticating-with-saml ## Add an Enterprise Application in Microsoft Entra ID -Go to Mircrosoft Entra admin center and click on **Enterprise Applications** under Applications from the side bar. Once there, click on **+ New Application** in the bar on the top of the page. +Go to Microsoft Entra admin center and click on **Enterprise Applications** under Applications from the side bar. Once there, click on **+ New Application** in the bar on the top of the page.  
@@ -36,12 +36,12 @@ Fill out the following fields as follows and click "Save": - **Identifier (Entity ID)**: `Metabase` - **Reply URL (Assertion Consumer Service URL)**: go to your Metabase instance in Settings -> Admin-> Authentication -> SAML and insert the value that your Metabase instance reports in the "Configure your identity provider (IdP)" box. -In a new tab, visit the "App Federation Metadata URL" found in step 3, "SAML Certificates". On the Metadata page, note the: +Click on "Save" and then note the following 2 items on step 4: -- "Login URL" -- "Microsoft Entra Identifier" +- "Login URL": this is the value you need to enter in "SAML identity provider URL" in Metabase on the next step +- "Microsoft Entra Identifier": this is the value you need to enter in "SAML identity provider issuer" in Metabase on the next step -You'll need these URLs to complete the SSO setup in Metabase. +Download the "Federation Metadata XML" file, which will have the certificate you'll need in the next step. To finish the Microsoft Entra side of the configuration, click on the **Users and groups** button on the Manage tab and add the users or groups that should have access to Metabase. 
@@ -52,12 +52,22 @@ Log in to Metabase as an administrator and go to **Admin** -> **Settings** -> ** Under "Tell Metabase about your identity provider", enter the following: - **SAML Identity Provider URL**: the "Login URL" you got on Step 4 on the Microsoft Entra ID SAML SSO configuration -- **SAML Identity Provider Certificate**: copy and paste the super long string under the `<X509Certificate>` tag in the "App Federation Metadata Url". Make sure you copy and paste the whole string; if you miss any character, the integration won't work. +- **SAML Identity Provider Certificate**: open the "Federation Metadata XML" with a text editor, copy and paste the super long string under the `<X509Certificate>` tag in the "App Federation Metadata Url". Make sure you copy and paste the whole string; if you miss any character, the integration won't work - **SAML Application Name**: "Metabase" - **SAML Identity Provider Issuer**: the "Microsoft Entra Identifier" URL you got from the Microsoft Entra ID SAML SSO configuration. -Click on **Save Changes** below, and you should now be able to log in via Microsoft Entra ID. +Click on **Save and Enable** below, and you should now be able to log in via Microsoft Entra ID. + +## Send group membership to Metabase for group mapping + +If you want to send the user group membership to Metabase, then you need to add a group claim on step 2, "Set up Single Sign-On with SAML" on Azure: + +1. To the right of "Attributes & Claims", click on "Edit." +2. Click "Add a group claim." +3 On the menu that appears for "Which groups associated with the user should be returned in the claim?", select "All groups." +4. Click on Save. +5. Then add the group mapping on the Metabase SAML configuration. ## Further reading -- [User provisioning](./user-provisioning.md) \ No newline at end of file +- [User provisioning](./user-provisioning.md) -- GitLab
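Review bot: Hunk 1 (`@@ -15,7 +15,7 @@`) fixes only the "Mircrosoft" typo, but the corrected sentence still reads "Go to Microsoft Entra admin center"; suggest "Go to the Microsoft Entra admin center" so it matches the article usage in the rest of the page.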
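Review bot: Hunk 2 (`@@ -36,12 +36,12 @@`) now tells the reader to click "Save" twice: the unchanged context line above already says `Fill out the following fields as follows and click "Save":`, and the new line repeats `Click on "Save" and then note the following 2 items on step 4:`. Drop one of the two, and while here spell out which "step 4" is meant (the numbered step in the Entra SAML setup page, not a step in this document), since the next section of this doc is also referred to as "the next step". One more point: the removed sentence was the only pointer to the "App Federation Metadata URL"; replacing it with a one-time download of the "Federation Metadata XML" means the doc no longer tells readers where to re-fetch the metadata when the IdP certificate it contains is replaced. Suggest keeping a sentence noting that the same metadata is available at the App Federation Metadata URL and must be re-fetched when the certificate changes.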
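Review bot: Hunk 3 (`@@ -52,12 +52,22 @@`) leaves the certificate bullet internally inconsistent: it now opens with `open the "Federation Metadata XML" with a text editor` but still ends with `under the `<X509Certificate>` tag in the "App Federation Metadata Url"`, so the reader is pointed at two different sources for the same value; rewrite to reference the downloaded XML only, and restore the trailing period that was dropped from `the integration won't work`. In the new group-mapping list, item `3 On the menu that appears` is missing its period after the number, so it will not render as a numbered item like the others. Step 5, `Then add the group mapping on the Metabase SAML configuration`, names no setting and no page; link it to the group-mapping section of the SAML docs or name the Admin setting so the reader can complete the step.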