Enabling SAML using Entra ID
Applies to: IBM StreamSets as a Service
When using Microsoft Entra ID (previously known as Azure AD) as an identity provider, complete the following steps to enable SAML authentication for your organization:
- Retrieve IdP information generated for your organization.
- Create an Entra ID enterprise application for IBM StreamSets.
- Set up a draft SAML configuration for your organization.
- Publish and enable the SAML configuration.
- Optionally configure SCIM provisioning of user accounts.
Step 1. Retrieve IdP Information
In Control Hub, choose Entra ID as your identity provider and then retrieve the IdP information generated for your organization.
Step 2. Create an Entra ID Application
To register IBM StreamSets as a service provider in Entra ID, use the IdP information that you retrieved from Control Hub to create an enterprise application in Entra ID. Then, assign the enterprise application to all Entra ID users and groups that need to log in to IBM StreamSets.
Step 3. Set up a Draft SAML Configuration
In Control Hub, set up the draft SAML configuration for your organization by uploading the metadata XML file downloaded from Entra ID, and then optionally configuring advanced properties. You can also enable or disable SP-initiated logins.
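Before uploading the metadata XML downloaded from Entra ID, it is worth confirming that the file really is IdP metadata for your own tenant and carries a signing certificate. The following is an added example, not part of the IBM StreamSets documentation or product; the tenant ID and certificate in the embedded sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample shaped like Entra ID federation metadata: all-zero tenant ID, placeholder cert.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>cGxhY2Vob2xkZXI=</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text: str, tenant_id: str) -> dict:
    # Return the values Control Hub will consume plus a list of problems found.
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0, "problems": []}
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        result["problems"].append("not SAML IdP metadata (no md:EntityDescriptor/IDPSSODescriptor)")
        return result
    # Entra ID issues assertions as https://sts.windows.net/<tenant-id>/
    if result["entity_id"] != f"https://sts.windows.net/{tenant_id}/":
        result["problems"].append("entityID does not match the expected Entra ID tenant")
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys do not verify assertions
        for cert in kd.iter(DS + "X509Certificate"):
            try:
                base64.b64decode((cert.text or "").strip(), validate=True)
                result["signing_certs"] += 1
            except ValueError:
                result["problems"].append("signing certificate is not valid base64")
    if result["signing_certs"] == 0:
        result["problems"].append("no signing certificate: assertions cannot be verified")
    for sso in idp.findall(MD + "SingleSignOnService"):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]
        if binding not in ("HTTP-Redirect", "HTTP-POST"):
            continue
        loc = result["sso"][binding] = sso.get("Location", "")
        if not loc.startswith("https://login.microsoftonline.com/") or tenant_id not in loc:
            result["problems"].append(f"{binding} SSO URL is not this tenant's Entra ID endpoint")
    if not result["sso"]:
        result["problems"].append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return result
```

Run it against the real file from Entra ID with your own tenant ID; an empty problems list means the entityID, SSO endpoint and signing certificate are consistent with the tenant you expect to federate with.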
Step 4. Publish and Enable the SAML Configuration
After testing and validating that the draft SAML configuration is set up correctly with Entra ID, publish the configuration to production and then enable the configuration to activate it.
Step 5. Configure SCIM Provisioning
You can optionally configure the automatic provisioning of users and groups from Entra ID to IBM StreamSets. To do so, complete additional steps in both Control Hub and Entra ID.
- Verify that the Entra ID users and groups that need to log in to IBM StreamSets are assigned to the enterprise application that you created in Entra ID.
- Verify that you enabled the SCIM Provisioning property when you set up the draft SAML configuration for your organization. If it is not enabled, edit the draft SAML configuration to enable it and then publish the configuration to production.
- Consider defining default roles for newly provisioned users.
- Consider deleting existing Control Hub users and groups that did not originally join with their Entra ID email address and that are not assigned to the Entra ID enterprise application, except for the primary user account assigned the Organization Administrator role and the default all group. After SCIM provisioning is enabled, you can no longer use Control Hub to delete users and groups.