Automatic User Provisioning and User Roles assignment

This feature automates the integration of users into Straatos, enhancing the onboarding process by streamlining user provisioning and group assignments. This system eliminates manual user setup, group linkage, and the need for acceptance of user invitations.

Once implemented, this feature allows users to access Straatos using their Azure Entra ID. It ensures users are automatically created or updated in Straatos, with group memberships managed according to their Azure Entra group assignments.

Supported Scenarios:

• Straatos supports two primary methods for handling group information:

  • Groups Provided by Azure Entra:

    • By default, Azure Entra transmits all groups a user is associated with.

    • For users in more than 150 groups, Azure Entra provides a link to fetch the complete group list via the Microsoft Graph API. This requires the application to have appropriate permissions.

  • Groups Provided via App Roles and Enterprise Applications:

    • In this method, groups are defined using App Roles configured under Enterprise Applications.

    • Only the app roles are included in the group claim, simplifying the permission model as CumulusPro does not need additional access to Azure Entra’s group data.

Setting up the application registration

1. On the external Azure AD (Entra) go to 'Microsoft Entra ID'.

2. Select 'App registrations'.

3. Click on 'New registration.'

Setting up the Certificates & Secrets

1. Click on 'Certificates & secrets'.

2. Click on 'New client secret'.

3. Enter a description of your choice, for example, 'Straatos SSO'.

4. Choose an option for 'Expires'.

1. Once the secret is created, make sure to copy the value and store it in a safe place.

Setting up the Token configuration

1. Click on 'Token configuration.'

1. Ensure at least the following claims are there.

   1. email.

   2. family_name.

   3. given_name.

   4. preferred_username.

   5. groups.

2. By default, the 'groups' claim is not defined. Here is how to set it up:

   1. Click on 'Add groups claim'.

   2. Select 'Security groups, Directory roles, All groups' (or select the options depending on how you manage the Straatos groups).

   3. In the customize token properties by type, ensure that for all of them 'Group ID' is selected.

Setting up the API permissions

1. Select API permissions.

2. Add permissions.

3. Select 'Microsoft Graph'.

4. Select Delegated permission, and add the following rights under delegated permission:

   1. OpenId.

   2. Profile.

   3. Email.

   4. User.read.

   5. Directory.Read.All.

   6. GroupMember.Read.All.

   7. Group.Read.All.

5. Select Application permission, and add the following rights under application permission

   1. user.read.

   2. Directory.Read.All.

   3. GroupMember.Read.All.

   4. Group.Read.All.

6. Click on the 'Grant admin consent for' button and continue to grant the admin consent.

Setting up App Roles and Enterprise Applications

If there is no access via Graph API to Directory.Read.All, GroupMember.Read.All, Group.Read.All is granted, app roles can be configured to provide only the app roles configured within the Enterprise Application.

1. Open App Registration.

2. Open App roles.

3. Create app role.

4. Give the app role a name. This name needs to be saved in Straatos. For easier identification, the app role can be the same as in Straatos.

5. Allowed member type (Users/Groups).

6. Value and Description can be set to any value that is internally recognized. Those values are not relevant in Straatos.

7. Ensure 'Do you want to enable this app role' is selected.

Once all App Roles are created:

1. Go to Enterprise Applications.

2. Select the same app name as in App registration.

3. Click on Users and groups.

4. Click on Add user/groups.

5. Select the users and groups that have access to this role.

6. Select the role to which the users have access to.

Contact CumulusPro Support

Provide CumulusPro Support with the following details:

• Application (client) ID.

• Directory (tenant) ID.

• Client secret.