Welcome to the Netskope One DSPM Knowledge Base


    SSO User Management via Identity Provider (Entra ID)

    Overview

    If your organization leverages Single Sign-On for users to access and operate Dasera, you can manage users from within your identity provider (IDP). This article describes how you can set up and use IDP-based platform user management with Entra ID. 

    Please note that the steps below require that SSO already be set up. Read the article Enable Single Sign-On to learn more.


    Azure Configurations for Dasera Platform Roles

    We recommend assigning Dasera Roles to SSO users in Azure via group membership. For this setup, platform role and access are defined via group assignment in Azure, and SSO users assigned to specific groups can access the Dasera platform with their assigned role. 

    Configure SAML Settings

    First, configure your SAML Settings to include a custom attribute statement.

    1. Log into Azure portal.
    2. Navigate to Microsoft Entra ID screen.
    3. In the left-hand menu, select Enterprise Applications.
    4. Search for and click on the title of your Dasera SAML application. This application should already exist; it was created from the Microsoft Entra SAML Toolkit when you enabled SSO.
    5. Click Single sign-on from the left-hand menu. 
    6. On the Attributes & Claims section, click Edit.
    7. Click Add a group claim and enter the following values:
      1. Which groups associated with the user should be returned in the claim?: Security groups
      2. Source attribute: Group ID
      3. Advanced options
        1. Customize the name of the group claim: checked
        2. Name: Dasera_Roles

    Groups Setup

    Once the above SAML settings are configured, locate the relevant Microsoft Entra ID security group and note its Object ID value for the Dasera Platform Role setup. The steps below and in the following section must be repeated for each group that maps to a Dasera Platform role.

    1. Log into Azure portal.
    2. Navigate to Groups screen.
    3. Filter by Group type: Security
    4. Click on the group name.
    5. Make note of the Object ID value (e.g., d254d716-b0f8-4175-abb7-b0f7d5dadc04).

    Dasera Platform Role Setup

    After completing the steps described above, use the steps below to map Azure groups to Dasera platform roles.

    1. Log into Dasera.
    2. Navigate to Platform → Platform Roles screen.
    3. Click on the name of the Dasera role corresponding to the above Azure group (e.g., Super_Admin).
    4. In the Platform Role detail screen, paste the Group's Object ID value in the Alias field.
    5. Click Save.

    The Azure group now corresponds to the Dasera role, and the role follows the group's membership. A user from the assigned group can log in to Dasera via SSO and will be granted the assigned platform role automatically once you've completed the final steps below. The instructions above can be repeated for as many Azure groups and Dasera platform roles as needed.

    Dasera Platform SSO Settings

    Once you've completed all the steps above, you can now enable user management via your IDP.

    1. Navigate to Platform Settings → SSO.
    2. Click the pencil icon to edit your IDP provider details.
    3. Scroll down to the Manage Platform Users from IDP toggle.
      1. Turn this on to manage platform users within your identity provider.
      2. You will see a warning that SSO user creation going forward is controlled by your identity provider, and that you cannot create new local users within Dasera:
        1. Click Confirm.

    Next Steps

    Once a user has been given a Dasera role in Azure via the above setup, they are granted access to the platform via SSO when logging in for the first time. If their role is changed in Azure, it will change the next time they log in. If their role is not granted by Azure, they'll be unable to log into Dasera and will see an error message to contact their administrator. 
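    As an added illustration (not Dasera's or Netskope's own code), the Python below sketches the mapping described in this article: it reads the Dasera_Roles group claim from a constructed SAML assertion, matches each group Object ID against the Alias values entered on the Platform Role screens, and refuses login when Azure supplied no mapped role, as Next Steps describes. It assumes the claim arrives with Name="Dasera_Roles", and the alias table and assertion are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "Dasera_Roles"  # the customized group claim name from the SAML settings above

# Alias value of each Dasera platform role -> role name. The Object ID is the
# article's example value; the mapping itself is a constructed placeholder.
ROLE_ALIASES = {"d254d716-b0f8-4175-abb7-b0f7d5dadc04": "Super_Admin"}

# Constructed assertion: one mapped group and one group with no Dasera alias.
# Signature validation is assumed to have been done by the SAML library first.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Dasera_Roles">
      <saml:AttributeValue>d254d716-b0f8-4175-abb7-b0f7d5dadc04</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_ids_from_assertion(assertion_xml: str) -> list[str]:
    """Return the group Object IDs carried in the Dasera_Roles claim (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    ids: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_CLAIM:
            ids.extend((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return [g for g in ids if g]


def resolve_roles(assertion_xml: str, aliases: dict[str, str] = ROLE_ALIASES) -> list[str]:
    """Map group IDs to the Dasera roles whose Alias field matches; unmapped groups are ignored."""
    return sorted({aliases[g] for g in group_ids_from_assertion(assertion_xml) if g in aliases})


def login_decision(assertion_xml: str, aliases: dict[str, str] = ROLE_ALIASES) -> tuple[bool, str]:
    """Grant access only when Azure supplied at least one mapped role, as described in Next Steps."""
    roles = resolve_roles(assertion_xml, aliases)
    if not roles:
        return False, "No Dasera role granted via Azure; contact your administrator."
    return True, "Granted role(s): " + ", ".join(roles)
```

Because the role is re-derived from the claim on every login, a group change in Azure takes effect the next time the user signs in, which is the behaviour the article describes.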
