Skip to main content
Version: 0.91

Setting up Active Directory Roles sync with OIDC SSO

Active Directory (AD) synchronization ensures that user identities and permissions are consistent and secure across on-premises and Snorkel Flow environments.

Prerequisites

  • Working single sign-on (SSO) install. See Configure OIDC SSO. Because SSO is required, no user should be able to log in via username/password and bypass the AD roles sync.
  • Use Active Directory as an identity provider (IdP).
  • Have ability to configure additional role information and provide these roles via the /userinfo endpoint.
  • Snorkel Flow platform installed via Helm on Kubernetes.

Set up AD roles in identity provider

Set up the identity provider (IdP) so that when a certain scope is requested, the userinfo response returns a claim that lists the AD roles or a comma-separated set of AD roles.

  1. In Admin settings, select SSO Settings.
  2. Optional: Enter a specific admissions role.
  3. Enter the scope and claim for your role.
  4. Assign the specific permissions to the defined roles. Users have access to the resources based on their assigned roles.
    AD roles from the claim are a comma-separated string containing all roles or a list of strings. The list of AD roles should be formatted as<PREFIX><SEPARATOR><WORKSPACE><SEPARATOR><SF-ROLE> or <WORKSPACE><SEPARATOR><SF-ROLE>:
      • PREFIX: Set in Helm template. If not defined, can be left empty.
      • SEPARATOR: Character(s) to separate components of AD role. For example, _ or -.
      • WORKSPACE: Specific workspace to which role applies. For superadmin roles, define as ALL_WORKSPACE. You cannot set a role in the default workspace.
      • SF-ROLE: The Snorkel Flow role, such as ANNOTATOR.

Enabling AD Roles sync

To enable AD Roles sync for OIDC, in the Helm template values.yaml, enable authorization.adRoles like the following:

authorization:
  adRoles:
    enabled: 1
    oidc:
      claim: csgroups
  prefix: DTCA_CFG_DTI_EA_AIDLP
  separator: _$
  • authorization.adRoles.enabled: Enables the feature. Notice that this is 1 and not true.
  • authorization.adRoles.oidc.claim: Specifies which claim to look for the roles in the userinfo response.
  • authorization.adRoles.saml.attributeName: Specifies which custom attribute to look for the roles in the SAML response.
  • authorization.adRoles.prefix: Specifies the expected prefix of the role.
  • authorization.adRoles.separator: Specifies the expected separator between the prefix, workspace, and user role.

All of these parameters must be set if AD roles sync is enabled.