SAML Strategies and Tips

You can configure Moogsoft Enterprise so that users from an external directory can log in by Single Sign-On (SSO) using Security Assertion Markup Language (SAML). This topic covers some strategies to help you decide how to configure the SAML integration.

See Configure Single Sign-On with SAML for instructions on configuring the SAML integration and Troubleshoot SAML for information on how to address configuration and connection problems.

Map user profile attributes to Moogsoft Enterprise

You can employ a number of strategies to map your SAML identity provider (IdP) attribute values to Moogsoft Enterprise teams and roles. The strategy you choose depends on a number of factors, including:

  • Whether your IdP contains identifiers that can equate to roles and teams in Moogsoft Enterprise.

    For example, you have an IdP group attribute value that identifies the "Automation" team for which there is a corresponding team in Moogsoft Enterprise. This team has administrative authority over Moogsoft Enterprise. In this situation you could use the "groups" attribute, map the Automation team to a Moogsoft Enterprise team and assign the Administrator role to members of that team in the roles mapping.

  • Whether you would prefer to create new identifiers for the Moogsoft Enterprise teams and roles.

  • Whether you want to use an existing attribute name, for example "groups", in your user profiles, or you would prefer to create new attributes for Moogsoft Enterprise.

The following use cases show examples of these scenarios.

Use existing "groups" attribute values

You already have a granular set of IdP "groups" that you use to assign permissions to your users. The values in each user's "groups" attribute identify the teams the user is associated with, and the role they play in each team.

One group, "Monitoring Tools", has complete administrative authority over the Moogsoft Enterprise platform.

In this case, you could use the pre-existing "groups" attribute as the source for both the teams mapping and the roles mapping within Moogsoft Enterprise.

An example configuration file is as follows:

"assignTeams": 
{
    "teamAttribute": "groups",
    "teamMap": 
    {
        "Monitoring_Tools": "Monitoring Tools",
        "Application_A_Support": "Application A",
        "Application_B_Support": "Application B",
        "Network_Support": "Network"
    },
    "createNewTeams": false
},
"assignRoles": 
{
    "roleAttribute": "groups",
    "roleMap": 
    {
        "Monitoring": "Super User"
    }
}

Create new "groups" attribute values

You have reviewed the "groups" assigned to your IdP user profiles, and are unable to identify values that you could use to assign team and role membership to users in Moogsoft Enterprise.

You want to continue to use the "groups" attribute as a single location to hold permissions information for your users, and therefore you do not want to create another attribute within your user profiles.

In this case, you could add values to the "groups" attribute to identify the team and role to assign to the user in Moogsoft Enterprise.

In the configuration file shown below for this example, the "EnterpriseSuperUser", "EnterpriseTestUser", and "EnterpriseAdmin" IdP roles in the "groups" attribute map to the "Super User", "Test" and "Administrator" roles in Moogsoft Enterprise.

"assignTeams": 
{
    "teamAttribute": "groups",
    "teamMap": 
    {
        "Monitoring_Tools": "Monitoring Tools",
        "Application_A_Support": "Application A",
        "Application_B_Support": "Application B",
        "Network_Support": "Network"
    },
    "createNewTeams": false
},
"assignRoles": 
{
    "roleAttribute": "groups",
    "roleMap": 
    {
        "EnterpriseSuperUser": "Super User",
        "EnterpriseTestUser": "Test",
        "EnterpriseAdmin": "Administrator"
    }
}

Create new attributes

You do not have appropriate teams and roles defined within your IdP user profiles, and would like to hold this information for Moogsoft Enterprise in a unique user profile attribute.

In this case, you could define the attributes in the user profile structure and use the values from these attributes as the source for team and role mappings.

In the configuration file shown below for this example, the new attribute "EnterpriseTeam" contains the IdP teams to map to Moogsoft Enterprise teams, and the new attribute "EnterpriseRole" contains the IdP roles to map to Moogsoft Enterprise roles.

"assignTeams":
{
    "teamAttribute": "EnterpriseTeam",
    "teamMap": 
    {
        "Monitoring_Tools": "Monitoring Tools",
        "Application_A_Support": "Application A",
        "Application_B_Support": "Application B",
        "Network_Support": "Network"
    },
    "createNewTeams": false
},
"assignRoles":
{
    "roleAttribute": "EnterpriseRole",
    "roleMap": 
    {
        "EnterpriseSuperUser": "Super User",
        "EnterpriseTestUser": "Test",
        "EnterpriseAdmin": "Administrator"
    }
}
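The three use cases above all rely on the same teamMap/roleMap lookup. As an added illustration that is not Moogsoft's own code, the following Python applies the "Create new attributes" configuration to the attribute values carried in one assertion; it assumes exact, case-sensitive matching and that an unmapped value is dropped when "createNewTeams" is false, neither of which this page states.

```python
import json

# The page's "Create new attributes" configuration, wrapped in braces so it
# parses as a JSON object.
CONFIG = json.loads("""{
"assignTeams": {"teamAttribute": "EnterpriseTeam",
  "teamMap": {"Monitoring_Tools": "Monitoring Tools",
              "Application_A_Support": "Application A",
              "Application_B_Support": "Application B",
              "Network_Support": "Network"},
  "createNewTeams": false},
"assignRoles": {"roleAttribute": "EnterpriseRole",
  "roleMap": {"EnterpriseSuperUser": "Super User",
              "EnterpriseTestUser": "Test",
              "EnterpriseAdmin": "Administrator"}}
}""")

def resolve_teams(attrs, cfg):
    """Moogsoft teams for one user's assertion attributes (assumed: exact,
    case-sensitive match; unmapped values dropped unless createNewTeams)."""
    section = cfg["assignTeams"]
    teams = []
    for value in attrs.get(section["teamAttribute"], []):
        if value in section["teamMap"]:
            teams.append(section["teamMap"][value])
        elif section["createNewTeams"]:
            teams.append(value)  # assumed: unmapped value becomes a new team
    return teams

def resolve_roles(attrs, cfg):
    """Roles for one user; every mapping entry is one to one, as the page says."""
    section = cfg["assignRoles"]
    return [section["roleMap"][v] for v in attrs.get(section["roleAttribute"], [])
            if v in section["roleMap"]]

def unreachable_keys(cfg, idp_values):
    """Review check: mapping keys that no known IdP value matches (a typo or
    case mismatch here silently leaves a team or role unassigned)."""
    keys = set(cfg["assignTeams"]["teamMap"]) | set(cfg["assignRoles"]["roleMap"])
    return sorted(keys - set(idp_values))

# Constructed attribute values from one SAML assertion (multi-valued).
SAMPLE_USER = {
    "EnterpriseTeam": ["Network_Support", "Application_A_Support", "Legacy_Ops"],
    "EnterpriseRole": ["EnterpriseTestUser", "enterpriseadmin"],  # case differs
}

if __name__ == "__main__":
    print(resolve_teams(SAMPLE_USER, CONFIG), resolve_roles(SAMPLE_USER, CONFIG))
```

Running unreachable_keys against the set of values your IdP actually issues is a cheap way to catch a mapping key that can never fire before users report missing permissions.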

Map a single value to many teams or roles

You would like to use a single value in the "groups" attribute of your IdP user profiles to add the user to multiple Moogsoft Enterprise teams or roles.

All mappings are one to one, so to achieve this you must re-map the value from the user profile's "groups" membership multiple times. Each instance maps to an individual Moogsoft Enterprise team or role.