Using Alternate SAML Claims to Map Roles

Morpheus supports a wide variety of identity sources, which can be configured per tenant. An identity source lets an existing Identity Provider (IdP) handle authentication instead of user accounts created locally in Morpheus, so Morpheus can integrate with your current authentication and user life cycle policies.

In most organizations, access is defined by groups, such as Active Directory groups, Okta groups, etc. Morpheus' identity sources make it easy to configure group mappings and tailor the inputs to the IdP you are integrating. However, there are times when a different attribute or flag, rather than group membership, denotes an admin or elevated user in the IdP. Morpheus can be configured to use that attribute instead of groups as part of your elevation strategy.

In the example below, we'll configure an identity source of type Azure AD SAML SSO that connects to an Azure Active Directory (AAD) application using SAML. We'll also have a user in Azure AD with the Department attribute set, which will control which roles the user is mapped to when they log in to Morpheus.

  1. Create the initial identity source to generate the needed URLs from Morpheus, using the following documentation:
    Create an Azure AD SAML Integration
  2. Create an AAD Enterprise Application and then configure it, using the following documentation:
    Configure Azure SSO
  3. During the Enterprise Application configuration above, the user.groups claim is added, which normally supports a group claim being sent to Morpheus. We'll add another attribute to serve as our elevation attribute, in this case Department. In the Enterprise Application, go to Single sign-on > Attributes & Claims and click the Edit button
  4. Click the Add new claim button and fill in the details for the user.department attribute to be sent as the Department SAML assertion, then click Save

    The new claim is shown, as seen below:
  5. Now navigate to a User in AAD and click the Edit button
  6. In the Job Info section locate the Department field and enter IT as the value, then click the Save button
  7. Now navigate to Morpheus and click Administration > Tenants > click the tenant > Identity Sources, then Edit (pencil icon) the previously created identity source. Here is an example of what may already be configured; the Default Role provides baseline permissions for anyone logging in. In this example, the Little Access role provides only some Operations and Infrastructure permissions, as seen below:

    • Reminder, the login URL for a tenant can be seen under the Identity Sources page
  8. On the identity source, change the Group Attribute Name to match the claim (assertion attribute) configured for SAML in the AAD Enterprise Application, which we named Department. Additionally, map values to roles for the tenant; in this case we used IT, the department of our user. Click Save
    The role we've used in the screenshot will allow the user to access the Administration tab. Role permissions are cumulative, so the access from Little Access will still be available and the Administration tab will be available in addition. The user will need to log out and back in to see the changes:

    Using a SAML inspection extension in Chrome allows us to see the assertion attributes that are provided during the Morpheus authentication:

That's it! As a recap, the setup of the identity source is generally the same; we are just changing the attribute used for mapping elevation in Morpheus. In this case we used the Azure AD SAML SSO provider, but the process is very similar for the generic SAML SSO provider.

Additional links:
Identity Management
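The mapping the steps above describe, as an added example (this is not Morpheus code or the author's): a small Python model that pulls the attributes out of a SAML AttributeStatement and resolves roles the way the post describes, a default role for everyone plus roles looked up from one configured attribute, with the role set accumulating. The sample assertion, the placeholder group object ID, the elevated role name "Admin Tab Access" and exact, case-sensitive matching are assumptions for illustration; "Little Access" and "Department"/"IT" come from the post, and the groups claim name is the standard AAD one. The example also shows the failure mode that bites most often in this setup: if the Group Attribute Name does not match the claim name exactly, the user silently lands on the default role only.

```python
"""Model of SAML attribute-to-role mapping (added example, not Morpheus code).

A default role is granted to every authenticated user; additional roles are
looked up from the values of ONE configured assertion attribute, which is
normally the groups claim but here is the custom "Department" claim.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard AAD groups claim name; "Department" is the custom claim name added
# in the Enterprise Application's Attributes & Claims.
AAD_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample AttributeStatement, shaped like what a SAML inspection
# extension shows after login. The group object ID is a placeholder.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AAD_GROUPS_CLAIM}">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Tenant-side configuration, mirroring the identity source form.
# "Little Access" is the post's default role; the elevated role name is assumed.
DEFAULT_ROLE = "Little Access"
GROUP_ATTRIBUTE_NAME = "Department"
ROLE_MAPPINGS = {"IT": "Admin Tab Access"}


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect every Attribute in the AttributeStatement as name -> values.

    Only the assertion body is parsed here; signature verification is out of
    scope and must happen BEFORE any attribute is trusted. Use defusedxml in
    production to rule out XML entity-expansion attacks.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def resolve_roles(attrs, group_attribute_name, role_mappings, default_role) -> set[str]:
    """Roles for the session: the default role plus the role of every mapped value.

    Matching is exact and case-sensitive in this model (an assumption; check the
    real SP's comparison rules). Unmapped values are ignored, so a typo in the
    attribute name or value degrades silently to the default role.
    """
    roles = {default_role}
    for value in attrs.get(group_attribute_name, []):
        if value in role_mappings:
            roles.add(role_mappings[value])
    return roles


def roles_for_assertion(assertion_xml, group_attribute_name=GROUP_ATTRIBUTE_NAME,
                        role_mappings=ROLE_MAPPINGS, default_role=DEFAULT_ROLE) -> set[str]:
    return resolve_roles(extract_attributes(assertion_xml),
                         group_attribute_name, role_mappings, default_role)


def unmapped_values(assertion_xml, group_attribute_name=GROUP_ATTRIBUTE_NAME,
                    role_mappings=ROLE_MAPPINGS) -> list[str]:
    """Debugging aid: values of the configured attribute that map to no role."""
    attrs = extract_attributes(assertion_xml)
    return [v for v in attrs.get(group_attribute_name, []) if v not in role_mappings]


if __name__ == "__main__":
    print("correct config :", sorted(roles_for_assertion(SAMPLE_ASSERTION)))
    # Typo in the Group Attribute Name: the user silently keeps only the default role.
    print("wrong attr name:", sorted(roles_for_assertion(SAMPLE_ASSERTION, "department")))
    # Still pointing at the groups claim: the value is an object ID, nothing maps.
    print("groups claim   :", unmapped_values(SAMPLE_ASSERTION, AAD_GROUPS_CLAIM))
```

Two things worth keeping in mind when you move elevation off groups like this. First, whatever can write the Department field in AAD (user administrators, an HR-driven provisioning sync, a self-service profile flow) can now grant the elevated Morpheus role, so that attribute becomes a security boundary and deserves the same change control as a privileged group. Second, a silent fall-back to the default role looks like "the mapping doesn't work" rather than an error; comparing the claim names shown by the SAML inspection extension against the Group Attribute Name character for character is the quickest check.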


Awesome post @kgawronski