Azure AD Role Provisioning
To assign Komodor roles to Azure AD users we'll be utilizing the App Roles capability.
For each Komodor role we'd wish to assign to users in Azure AD, we'll have to create a corresponding Azure AD App Role.
- Prerequisite: Azure AD is already integrated with Komodor using SAML (see the SAML integration guide).
Creating App Roles
To create app roles, follow the steps below:
Go to "App registrations":
Pick "All applications", and then click the Komodor app:
Next, navigate to "App roles":
Click, "Create app role":
Fill in the form as below.
Note that the value must be the role ID as it appears in Komodor:
Finally, click "Apply". Repeat this for all the roles you wish to add, and you should see them added in the portal, like so:
Assigning Roles to a User
Now that we have created the Komodor app roles, we move on to assign them to a user.
Go back to "Enterprise applications" (explained above), and then pick the Komodor app:
Once there, we click on "Assign users and groups":
Click "Add user/group":
This will allow you to assign a role to a user (or a group, covered below). Simply pick a user:
Next, select a role:
Finally, click "Assign".
Assigning Roles to a Group
Just like we assigned a role to a user, we can assign a role to a group. To that end, we click "Add user/group", and simply pick a group rather than a user this time. We then select a role, and click "Assign".
Having done that, we should see the group with the role assigned to it (we can also see the user who was assigned a role above):
Note that members of a group automatically receive the roles assigned to the group. This means that because "Alon Glatter" is a member of "Group-1", he is assigned both "Role-2" and "Role-1" (the latter via "Group-1").
Sending Role Assignments Over SAML Response
We go to the "Single sign-on" page where we configured the SAML connection to Komodor (see the SAML integration guide), and click "Edit" on "Attributes & Claims":
We click on "Add new claim":
We then fill in the form as below and click "Save":
That's it! The next time the user logs in to Komodor via Azure AD, they will be assigned the Komodor roles corresponding to the roles assigned to them in Azure AD.
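To make concrete what the claim configured above carries, here is an added example (not Komodor's or Microsoft's code) that extracts the role claim values from a constructed SAML assertion, de-duplicates them, and checks each against the Komodor role IDs the App Role values must match. The claim name `roles`, the role IDs and the sample assertion are assumptions; the assertion is assumed to have already been signature-verified by the service-provider library.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the claim name you entered in "Add new claim"; use your own.
ROLE_CLAIM = "roles"
# Assumption: role IDs as they appear in Komodor (each App Role's value must match one).
KNOWN_KOMODOR_ROLE_IDS = {"Role-1", "Role-2"}

# Constructed sample (signature and Conditions omitted): the user holds "Role-2"
# directly and "Role-1" via "Group-1"; "Role-9" is a deliberate mismatch, and
# "Role-1" appears twice as it would if two groups both carried it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alon.glatter@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>Role-2</saml:AttributeValue>
      <saml:AttributeValue>Role-1</saml:AttributeValue>
      <saml:AttributeValue>Role-1</saml:AttributeValue>
      <saml:AttributeValue>Role-9</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_role_values(assertion_xml: str, claim_name: str = ROLE_CLAIM) -> List[str]:
    # Values of the role claim, in order, de-duplicated. Assumes the SP library
    # has already verified the assertion's signature and Conditions.
    root = ET.fromstring(assertion_xml)
    seen: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text and text not in seen:
                seen.append(text)
    return seen


def resolve_komodor_roles(values: List[str],
                          known_ids: Iterable[str] = KNOWN_KOMODOR_ROLE_IDS) -> Tuple[List[str], List[str]]:
    # Split into (granted, unknown): an unknown value means an App Role whose value
    # field does not match a Komodor role ID, a provisioning typo worth logging.
    known = set(known_ids)
    granted = [v for v in values if v in known]
    unknown = [v for v in values if v not in known]
    return granted, unknown
```

Logging the `unknown` list on each login is the quickest way to spot an App Role whose value was mistyped in the portal.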