Solved

Metallic identity server SAML integration

  • 9 January 2023
  • 9 replies
  • 218 views

Badge +2

Hi All,

 

I have created an Azure app and followed the procedures from the Metallic document for the SAML integration.

I added one group in the Azure app and tested it; it doesn't work. I added a user in the Azure app and created the same user in Metallic as an external user, and that worked.

What is the procedure to add an external group from Azure AD to Metallic?

I have tried to add a local group with the same name as the Azure AD group, but I don't find any option to add a role and permissions for that group as tenant user or admin.

All I can see is "associated entities", where I get to add certain roles. Can someone clarify the exact steps to follow?


Best answer by Michael Woodward 24 January 2023, 02:46


9 replies

Userlevel 3
Badge +8

Hello,

Thanks for reaching out within the Metallic community! Please take a look at the steps found here: https://docs.metallic.io/metallic/95955_using_azure_active_directory_as_your_identity_provider_01.html

That should outline everything needed to get this up and running for you. If you have any further questions or issues, feel free to reach out to our Customer Support team via Chat!

Michael Mancino
Senior Manager, Customer Support

Userlevel 3
Badge +9

I had similar issues setting this up - I documented my process in this forum post.

This should help with the custom attribute for user group mapping. Since then I've found that if you enable "Emit group name for cloud-only groups (preview)", you can have groups that carry the friendly name rather than the GUID of the group.

Good luck

Userlevel 4
Badge +7

Hello, we have the same issues with SAML, and we have an open ticket on the topic of nested groups.
Our customers want to have groups within groups that have access to the SAML application, which does not work at the moment.
Userlevel 3
Badge +9

> Hello, we have the same issues with SAML, and we have an open ticket on the topic of nested groups.
> Our customers want to have groups within groups that have access to the SAML application, which does not work at the moment.

Interesting @Philipp Swoboda ,

I'm about to deploy Azure AD based SAML for an organisation, and my plan was to have Azure AD native groups as members of the app and on-prem synced groups as members of the Azure AD groups, so we can mirror the current RBAC roles without re-architecting the whole thing.

 

Let me know how you get along.

Michael

Userlevel 4
Badge +7

We had a session with support today: when you add a group with direct members it works fine, but when you add a group which has a member group, and that member group holds the users, it doesn't work.

I personally think that when you add a synced group from your normal AD it will work, as long as there are users in it and not groups within groups.

Let me know how it goes please.

Cheers

 

Userlevel 3
Badge +9

> Let me know how it goes please.

I will once the change freezes end and I get to the deployment phase. In my lab I don't have an on-prem AD syncing to Azure AD to test, so fingers crossed.

Userlevel 4
Badge +7

good luck 😀

Userlevel 3
Badge +9

> Good luck 😀

We have implemented this on 2 of 5 CommCells this week so far. We have also gotten around the nested group issue by using dynamic groups in Azure.

Basically, the Enterprise App has Azure native groups as members, but these are dynamic groups which then have a rule defined like the one below:

user.memberof -any (group.objectId -in ['GUID_1', 'GUID_2','GUID_3'])

This then presents to the Enterprise App as a flat list of users as opposed to nested groups, which then maps straight through to Commvault.

 

More info on dynamic groups here: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/create-quot-nested-quot-groups-with-azure-ad-dynamic-groups/ba-p/3118024
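As an added example (not code from the thread, Commvault or Microsoft), the following Microsoft Graph PowerShell script creates a dynamic group with the memberOf rule shown above and then checks that the resulting group exposes only users to the Enterprise App. It assumes the Microsoft.Graph SDK is installed, the caller holds Group.ReadWrite.All, and the GUIDs and group names are placeholders.

```powershell
# Constructed example; GUID_1..GUID_3 and the display name are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$sourceGroupIds = @('GUID_1', 'GUID_2', 'GUID_3')   # object IDs of the groups to flatten

# Build the rule from the thread: user.memberof -any (group.objectId -in ['GUID_1',...])
$quoted = ($sourceGroupIds | ForEach-Object { "'$_'" }) -join ','
$rule   = "user.memberof -any (group.objectId -in [$quoted])"

# Security group with dynamic membership; the rule is evaluated by Azure AD asynchronously.
$group = New-MgGroup -DisplayName 'Metallic-SAML-Users-Flat' `
    -MailEnabled:$false -MailNickname 'metallic-saml-users-flat' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

function Test-FlattenedGroup {
    # Run this after Azure AD has finished evaluating the rule (it can take several minutes).
    param([string]$DynamicGroupId, [string[]]$SourceGroupIds)

    # Direct members of the dynamic group: this is what the SAML assertion is built from,
    # so there must be no group objects here, only users.
    $direct   = Get-MgGroupMember -GroupId $DynamicGroupId -All
    $nonUsers = $direct | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user' }

    # Every user reachable through the source groups, including deeper nesting.
    $expected = foreach ($id in $SourceGroupIds) {
        Get-MgGroupTransitiveMember -GroupId $id -All | Where-Object {
            $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    }
    $expectedIds = $expected.Id | Sort-Object -Unique

    # Users the rule did not pick up (e.g. only reachable via a further nesting level).
    $missing = $expectedIds | Where-Object { $_ -notin $direct.Id }

    [pscustomobject]@{
        DirectMembers  = @($direct).Count
        NonUserMembers = @($nonUsers).Count   # expected: 0
        MissingUsers   = @($missing).Count    # expected: 0
    }
}

Test-FlattenedGroup -DynamicGroupId $group.Id -SourceGroupIds $sourceGroupIds
```

A non-zero MissingUsers count means some users sit deeper in the nesting than the listed source groups, so those inner groups need to be added to the rule as well.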

Userlevel 4
Badge +7

Thanks Michael, but the problem with this approach is that you need Azure AD P1 or P2, which costs a lot. The approach in general sounds very good though, thanks.
