SAML Strategies and Tips
You can configure Moogsoft Onprem so that users from an external directory can log in by Single Sign-On (SSO) using Security Assertion Markup Language (SAML). This topic covers some strategies to help you decide how to configure the SAML integration.
See Configure Single Sign-On with SAML for instructions on configuring the SAML integration and Troubleshoot SAML for information on how to address configuration and connection problems.
Map user profile attributes to Moogsoft Onprem
You can employ a number of strategies to map your SAML identity provider (IdP) attribute values to Moogsoft Onprem teams and roles. The strategy you choose depends on a number of factors, including:
Whether your IdP contains identifiers that can equate to roles and teams in Moogsoft Onprem.
For example, you have an IdP group attribute value that identifies the "Automation" team for which there is a corresponding team in Moogsoft Onprem. This team has administrative authority over Moogsoft Onprem. In this situation you could use the "groups" attribute, map the Automation team to a Moogsoft Onprem team and assign the Administrator role to members of that team in the roles mapping.
Whether you would prefer to create new identifiers for the Moogsoft Onprem teams and roles.
Whether you want to use an existing attribute name, for example "groups", in your user profiles, or you would prefer to create new attributes for Moogsoft Onprem.
The following use cases show examples of these scenarios.
Use existing "groups" attribute values
You already have a granular set of IdP "groups" that you use to assign permissions to your users. The values in each user's "groups" attribute identify the teams the user is associated with, and the role they play in each team.
One group, "Monitoring Tools", has complete administrative authority over the Moogsoft Onprem platform.
In this case, you could use the pre-existing "groups" attribute as the source for both the teams mapping and the roles mapping within Moogsoft Onprem. Note that once "Monitoring Tools" is mapped to a privileged role, anyone who can edit that group's membership in the IdP can grant administrative access to Moogsoft Onprem, so restrict and audit changes to that group accordingly.
An example configuration file is as follows:
"assignTeams": {
  "teamAttribute": "groups",
  "teamMap": {
    "Monitoring_Tools": "Monitoring Tools",
    "Application_A_Support": "Application A",
    "Application_B_Support": "Application B",
    "Network_Support": "Network"
  },
  "createNewTeams": false
},
"assignRoles": {
  "roleAttribute": "groups",
  "roleMap": {
    "Monitoring_Tools": "Super User"
  }
}
Create new "groups" attribute values
You have reviewed the "groups" assigned to your IdP user profiles, and are unable to identify values that you could use to assign team and role membership to users in Moogsoft Onprem.
You want to continue to use the "groups" attribute as a single location to hold permissions information for your users, and therefore you do not want to create another attribute within your user profiles.
In this case, you could add values to the "groups" attribute to identify the team and role to assign to the user in Moogsoft Onprem.
In the configuration file for this example shown below, the "EnterpriseSuperUser", "EnterpriseTestUser", and "EnterpriseAdmin" IdP roles in the "groups" attribute map to the "Super User", "Test" and "Administrator" roles in Moogsoft Onprem.
"assignTeams": {
  "teamAttribute": "groups",
  "teamMap": {
    "Monitoring_Tools": "Monitoring Tools",
    "Application_A_Support": "Application A",
    "Application_B_Support": "Application B",
    "Network_Support": "Network"
  },
  "createNewTeams": false
},
"assignRoles": {
  "roleAttribute": "groups",
  "roleMap": {
    "EnterpriseSuperUser": "Super User",
    "EnterpriseTestUser": "Test",
    "EnterpriseAdmin": "Administrator"
  }
}
Create new attributes
You do not have appropriate teams and roles defined within your IdP user profiles, and would like to hold this information for Moogsoft Onprem in a unique user profile attribute.
In this case, you could define the attributes in the user profile structure and use the values from these attributes as the source for team and role mappings.
In the configuration file for this example shown below, the new attribute "EnterpriseTeam" contains the IdP teams to map to Moogsoft Onprem teams. The new attribute "EnterpriseRole" contains the IdP roles to map to Moogsoft Onprem roles.
"assignTeams": {
  "teamAttribute": "EnterpriseTeam",
  "teamMap": {
    "Monitoring_Tools": "Monitoring Tools",
    "Application_A_Support": "Application A",
    "Application_B_Support": "Application B",
    "Network_Support": "Network"
  },
  "createNewTeams": false
},
"assignRoles": {
  "roleAttribute": "EnterpriseRole",
  "roleMap": {
    "EnterpriseSuperUser": "Super User",
    "EnterpriseTestUser": "Test",
    "EnterpriseAdmin": "Administrator"
  }
}
Map a single value to many teams or roles
You would like to use a single value in the "groups" attribute of your IdP user profiles to add the user to multiple Moogsoft Onprem teams or roles.
All mappings are one to one, so to achieve this you must re-map the value from the user profile's "groups" membership multiple times. Each instance maps to an individual Moogsoft Onprem team or role. After saving the file, confirm with a test login that the user receives every intended team and role: the mapping file is JSON, and not every JSON parser preserves repeated keys within one object, so a dropped entry shows up only as a missing team or role.
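The following dry-run script is an added example and is not Moogsoft code; it is a hypothetical re-implementation of the mapping semantics described on this page (one-to-one lookups of each IdP attribute value in teamMap and roleMap, with createNewTeams assumed to turn unmapped values into new teams) and makes no claim about how Moogsoft Onprem actually parses the file. It lets you preview the teams and roles a user would receive for a given set of released attribute values, lists which IdP values grant a privileged role, and flags repeated keys in the configuration, which a JSON parser may silently collapse to the last value. The configuration text and the user attributes are constructed for the example.

```python
"""Dry-run a SAML teams/roles mapping of the kind shown on this page.

Hypothetical example code, not Moogsoft Onprem's implementation.  The
semantics below are one reading of the page: each IdP attribute value is
looked up one to one in teamMap / roleMap; unmapped values are ignored
unless createNewTeams is true (assumed to create a team named after the
raw value).
"""
import json
from collections import Counter

# Constructed configuration fragment, wrapped in braces so it parses as
# one JSON object.  Mirrors the "Use existing groups attribute values" case.
CONFIG_TEXT = """{
  "assignTeams": {
    "teamAttribute": "groups",
    "teamMap": {
      "Monitoring_Tools": "Monitoring Tools",
      "Application_A_Support": "Application A",
      "Network_Support": "Network"
    },
    "createNewTeams": false
  },
  "assignRoles": {
    "roleAttribute": "groups",
    "roleMap": {
      "Monitoring_Tools": "Super User"
    }
  }
}"""


def load_config(text):
    """Parse the configuration text with the standard JSON parser."""
    return json.loads(text)


def duplicate_keys(text):
    """Return {key: occurrences} for any key repeated within one JSON object.

    Standard parsers keep only the last value for a repeated key, so a
    mapping written twice to fan one IdP value out to two teams would be
    lost silently.  object_pairs_hook receives every pair before that
    collapse happens, so it can detect the repetition.
    """
    dupes = {}

    def hook(pairs):
        for key, n in Counter(k for k, _ in pairs).items():
            if n > 1:
                dupes[key] = n
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dupes


def resolve(config, attributes):
    """Apply teamMap and roleMap to one user's released attribute values.

    `attributes` maps attribute name -> list of values (SAML attributes are
    multi-valued).  Returns (sorted teams, sorted roles).
    """
    teams_cfg = config["assignTeams"]
    roles_cfg = config["assignRoles"]
    team_values = attributes.get(teams_cfg["teamAttribute"], [])
    role_values = attributes.get(roles_cfg["roleAttribute"], [])

    teams = set()
    for value in team_values:
        if value in teams_cfg["teamMap"]:
            teams.add(teams_cfg["teamMap"][value])
        elif teams_cfg.get("createNewTeams", False):
            teams.add(value)  # assumed behaviour: unmapped value becomes a new team

    roles = {roles_cfg["roleMap"][v] for v in role_values if v in roles_cfg["roleMap"]}
    return sorted(teams), sorted(roles)


def privileged_sources(config, privileged=("Super User", "Administrator")):
    """List the IdP values whose mapping grants a privileged role.

    Whoever can add a user to one of these groups in the IdP can grant
    administrative access, so membership of them should be tightly controlled.
    """
    role_map = config["assignRoles"]["roleMap"]
    return sorted(v for v, role in role_map.items() if role in privileged)


if __name__ == "__main__":
    cfg = load_config(CONFIG_TEXT)
    # Constructed user: a Monitoring Tools admin who also supports Application A
    # and belongs to an unrelated group that has no mapping.
    user = {"groups": ["Monitoring_Tools", "Application_A_Support", "HR_Payroll"]}
    print("teams, roles:", resolve(cfg, user))
    print("privileged IdP values:", privileged_sources(cfg))
    print("repeated keys:", duplicate_keys(CONFIG_TEXT))
```

Run it against your own exported configuration (with the fragment wrapped in braces) and a few representative users' attribute values before enabling SSO; a non-empty result from duplicate_keys means a mapping is at risk of being dropped, and privileged_sources is the list of IdP groups whose membership changes deserve alerting.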