Configuring a group for SSO authentication
To use SSO authentication in Turbonomic, you should configure user groups on the IdP. The IdP can authenticate the group members, and then Turbonomic can assign the user role and scope according to that group's authentication. To manage personnel changes, you only need to manage the membership in the IdP group. For example, if a user leaves your organization, you only need to remove the member from the group on the IdP. Because authorization on Turbonomic is by group, that user will not have any authorization settings stored on the Turbonomic server.
Before you enable SSO for your Turbonomic installation, you must configure at least one SSO user with Turbonomic administrator privileges. If you do not, then once you enable SSO you will not be able to configure any SSO users in Turbonomic. To authorize an SSO user as an administrator, use EXTERNAL AUTHENTICATION to do one of the following:
- Configure a single SSO user with administrator authorization: add an external user. The username must match an account that is managed by the IdP.
- Configure an SSO user group with administrator authorization: add an external group. The group name must match a user group on the IdP, and that group must have at least one member.
For more information about configuring SSO authentication, see Single Sign-On Authentication.
Specifying a group in the SAML response
To support SSO, Turbonomic recognizes IdP responses that comply with SAML 2.0. To create user groups, for each user response you include an attribute named group, and give the group name as the attribute value. For example, assuming the following users, setting the group attribute for each user assigns that user to the appropriate group.
| Users | Group attribute |
|---|---|
| | Attribute Name=group, AttributeValue=Beatles |
| | Attribute Name=group, AttributeValue=Miracles |
As you specify the user response, to add the user to a group you include a group attribute. For example, to add a user to a group named turbo_admin_group, you would include the following attribute in that user’s SAML response:
```xml
<saml2:Attribute
    Name="group"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">
    turbo_admin_group
  </saml2:AttributeValue>
</saml2:Attribute>
```
Setting group authorization in Turbonomic
To set an account role and scope for a user group, you must use the group name that you specify as the value of the group attribute in the SAML response. In the preceding example, the group value is turbo_admin_group. To set authorization for that group:
1. Open the User Management page to EXTERNAL AUTHENTICATION.
   Navigate to Settings > User Management, and display the EXTERNAL AUTHENTICATION view.
2. Create a new External Group.
   Click NEW EXTERNAL GROUP.
3. Provide the group name.
   Be sure to use the name that you specify in the group attribute of the SAML response. For the previous example, use the name turbo_admin_group.
4. Specify the group's authorization.
   For the previous example, since this is turbo_admin_group, set the ADMINISTRATOR role and do not set any scope (this grants full access to the environment).

After you configure this group in Turbonomic, any user whom the IdP returns as a member of turbo_admin_group will have full administrator privileges on your Turbonomic installation.
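As an added example, not Turbonomic's own code, the script below shows the two halves of the mechanism described in this page: it parses a constructed SAML 2.0 assertion shaped like the attribute shown above, collects every value of the attribute named group, and resolves those values against a constructed stand-in for the external groups configured in the EXTERNAL AUTHENTICATION view. Only turbo_admin_group with the ADMINISTRATOR role and no scope comes from this page; the EXTERNAL_GROUPS table, the second group, its OBSERVER role and its scope string are assumptions for illustration, as is the exact, case-sensitive name match. It also carries the page's pre-SSO check that at least one external group with the ADMINISTRATOR role exists.

```python
"""Added example (not Turbonomic code): read the `group` attribute from a SAML 2.0
assertion and map it to the role/scope of a configured external group.

The assertion and the EXTERNAL_GROUPS table are constructed for this example.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: one user, two `group` attributes plus an unrelated attribute.
# The first value is printed on its own line, exactly as in the page's snippet.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>example.user</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="group"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">
        turbo_admin_group
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="group"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Beatles</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>example.user@example.invalid</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed stand-in for the external groups created under EXTERNAL AUTHENTICATION:
# group name -> (role, scope). A scope of None means no scope, i.e. full access.
# turbo_admin_group/ADMINISTRATOR is from the page; "Beatles"/OBSERVER is assumed.
EXTERNAL_GROUPS = {
    "turbo_admin_group": ("ADMINISTRATOR", None),
    "Beatles": ("OBSERVER", "example-scope"),
}


def saml_groups(assertion_xml):
    """Return the values of every Attribute whose Name is exactly "group".

    Surrounding whitespace is stripped so the pretty-printed form on the page
    resolves; confirm with your IdP whether it emits the bare name or padded text.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != "group":
            continue  # other attributes (email, etc.) play no part in group mapping
        for val in attr.iterfind("saml2:AttributeValue", SAML_NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def resolve_authorization(groups, external_groups=EXTERNAL_GROUPS):
    """Map SAML group values to (group, role, scope) for each configured external group.

    Matching is an exact string comparison (assumption): a group the IdP returns
    that has no matching external group yields no authorization at all.
    """
    return [(g, *external_groups[g]) for g in groups if g in external_groups]


def has_admin_group(external_groups=EXTERNAL_GROUPS):
    """Pre-SSO check from the page: at least one ADMINISTRATOR external group must exist."""
    return any(role == "ADMINISTRATOR" for role, _scope in external_groups.values())


if __name__ == "__main__":
    groups = saml_groups(SAMPLE_ASSERTION)
    print("groups in assertion:", groups)
    print("resolved authorization:", resolve_authorization(groups))
    print("admin group configured:", has_admin_group())
```

Run it before enabling SSO against a captured assertion from your IdP (replace SAMPLE_ASSERTION with the real one) to confirm that the attribute is literally named group and that each value, after any whitespace your IdP adds, equals the external group name exactly as you typed it in Turbonomic; a mismatch in spelling or case leaves that user with no authorization.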