Setting up Active Directory Roles sync with OIDC SSO
Active Directory (AD) synchronization ensures that user identities and permissions are consistent and secure across on-premises and Snorkel Flow environments.
Prerequisites
- Working single sign-on (SSO) install. See Configure OIDC SSO. Because SSO is required, no user should be able to log in via username/password and bypass the AD roles sync.
- Use Active Directory as an identity provider (IdP).
- Have the ability to configure additional role information and provide these roles via the /userinfo endpoint.
- Snorkel Flow platform installed via Helm on Kubernetes.
Set up AD roles in identity provider
Set up the identity provider (IdP) so that when a certain scope is requested, the userinfo
response returns a claim that lists the AD roles or a comma-separated set of AD roles.
- In Admin settings, select SSO Settings.
- Optional: Enter a specific admissions role.
- Enter the scope and claim for your role.
- Assign the specific permissions to the defined roles. Users have access to the resources based on their assigned roles.
AD roles from the claim are either a comma-separated string containing all roles or a list of strings. Each AD role should be formatted as <PREFIX><SEPARATOR><WORKSPACE><SEPARATOR><SF-ROLE> or <WORKSPACE><SEPARATOR><SF-ROLE>:
- PREFIX: Set in the Helm template. If not defined, can be left empty.
- SEPARATOR: Character(s) that separate the components of the AD role. For example, _ or -.
- WORKSPACE: The specific workspace to which the role applies. For superadmin roles, define it as ALL_WORKSPACE. You cannot set a role in the default workspace.
- SF-ROLE: The Snorkel Flow role, such as ANNOTATOR.
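The following is an added example (not Snorkel Flow's own implementation) of how a userinfo claim in the format above can be parsed into workspace/role pairs. It accepts both claim shapes (a comma-separated string or a list of strings), strips the configured prefix, and treats the last separator-delimited component as the SF-ROLE so that a workspace name such as ALL_WORKSPACE still parses when the separator is _. The Helm values, the claim name csgroups, the SUPERADMIN role name and the userinfo payload are constructed sample values; entries that do not match the configured layout are dropped rather than mapped to a default, which is a design choice of this example.

```python
"""Parse Active Directory roles from an OIDC userinfo claim into
(workspace, SF-ROLE) pairs following the layouts
<PREFIX><SEP><WORKSPACE><SEP><SF-ROLE> and <WORKSPACE><SEP><SF-ROLE>.

Example code only; not Snorkel Flow's implementation. Sample values below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Constructed sample values mirroring an authorization.adRoles Helm block.
CONFIG = {"claim": "csgroups", "prefix": "DTCA_CFG_DTI_EA_AIDLP", "separator": "_$"}

# Superadmin roles use this workspace value (from the role format description).
SUPERADMIN_WORKSPACE = "ALL_WORKSPACE"

# Constructed sample userinfo response; "Domain Users" is an unrelated AD group
# that must be ignored because it does not follow the configured layout.
SAMPLE_USERINFO = {
    "sub": "alice",
    "csgroups": (
        "DTCA_CFG_DTI_EA_AIDLP_$ALL_WORKSPACE_$SUPERADMIN, "
        "DTCA_CFG_DTI_EA_AIDLP_$research_$ANNOTATOR, Domain Users"
    ),
}


@dataclass(frozen=True)
class RoleBinding:
    workspace: str
    sf_role: str

    @property
    def is_superadmin(self) -> bool:
        return self.workspace == SUPERADMIN_WORKSPACE


def normalize_claim(claim: Union[str, Iterable[str], None]) -> List[str]:
    """Return the individual role strings whether the claim is a
    comma-separated string or a list of strings; blanks are dropped."""
    if claim is None:
        return []
    items = claim.split(",") if isinstance(claim, str) else list(claim)
    return [item.strip() for item in items if item and item.strip()]


def parse_role(raw: str, prefix: str, separator: str) -> Optional[RoleBinding]:
    """Parse one AD role. Returns None when the entry does not carry the
    configured prefix (if any) or does not end in <SEP><SF-ROLE>.
    Unparseable entries are ignored so a malformed group grants nothing."""
    if not separator:
        raise ValueError("separator must be configured")
    body = raw
    if prefix:
        head = prefix + separator
        if not raw.startswith(head):
            return None
        body = raw[len(head):]
    # The role is the final component; everything before it is the workspace.
    # rpartition keeps workspace names that contain the separator intact.
    workspace, sep, sf_role = body.rpartition(separator)
    if not sep or not workspace or not sf_role:
        return None
    return RoleBinding(workspace=workspace, sf_role=sf_role)


def roles_from_userinfo(userinfo: dict, claim: str, prefix: str, separator: str) -> List[RoleBinding]:
    """Collect the distinct role bindings from the named claim, in order."""
    bindings: List[RoleBinding] = []
    for raw in normalize_claim(userinfo.get(claim)):
        binding = parse_role(raw, prefix, separator)
        if binding is not None and binding not in bindings:
            bindings.append(binding)
    return bindings


if __name__ == "__main__":
    for b in roles_from_userinfo(SAMPLE_USERINFO, CONFIG["claim"], CONFIG["prefix"], CONFIG["separator"]):
        print(f"{b.workspace:>15}  {b.sf_role:<12} superadmin={b.is_superadmin}")
```

With the sample values this yields a SUPERADMIN binding for ALL_WORKSPACE and an ANNOTATOR binding for the research workspace, while the unrelated Domain Users group is discarded. The same parser works with an empty prefix and a single-character separator, for example ALL_WORKSPACE_ANNOTATOR with separator _.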
Enabling AD Roles sync
To enable AD Roles sync for OIDC, in the Helm template values.yaml, enable authorization.adRoles like the following:
authorization:
  adRoles:
    enabled: 1
    oidc:
      claim: csgroups
      prefix: DTCA_CFG_DTI_EA_AIDLP
      separator: _$
- authorization.adRoles.enabled: Enables the feature. Notice that this is 1 and not true.
- authorization.adRoles.oidc.claim: Specifies which claim to look for the roles in the userinfo response.
- authorization.adRoles.saml.attributeName: Specifies which custom attribute to look for the roles in the SAML response.
- authorization.adRoles.prefix: Specifies the expected prefix of the role.
- authorization.adRoles.separator: Specifies the expected separator between the prefix, workspace, and user role.
All of these parameters must be set if AD roles sync is enabled.