Skip to main content
Version: v4.12

Integration with Azure AD

SSO with Azure AD

With Cyral, you can authenticate database users against your Azure Active Directory (Azure AD) identity provider, and Cyral can read each user's group memberships from Azure AD to determine the user's privileges. This integration uses Azure AD as a SAML identity provider.

Follow these steps to use your Azure AD to authenticate database users and Cyral administrators.

info

If you're using on-premises Active Directory, see the section, SSO with ADFS.

In Cyral management console, create a SAML integration

  1. Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.

  2. Create a new SAML connection:

    • Specify a Display Name. This display name is used to identify the IdP to the user when they log in.

    • In Attribute Names in SAML Assertion section, accept the default name for each required SAML attribute (first and last name, email, SSO groups).

    • Enable IdP-initiated login checkbox: When you add any IdP integration in Cyral, your users can log in using the Cyral Access Portal. If selected, this checkbox gives your users a second way to log in: from your IdP portal.

      • Set IdP-initiated login to ON to give users the added option of logging in from your IdP-based portal (for example, an Okta portal).

        tip

        Enabling IdP-initiated login requires a second ACS URL in your SAML app. For details, see SP-initiated and IdP-initiated login.

      • Set IdP-initiated login to OFF to disable IdP-initiated login. Do this if login is not supported by your IdP, or if you don't want to let users log in from your IdP portal.

    • Click Continue

    • On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.

Create SAML Application in Azure

  1. Go to your Azure AD administration page and log in to your account as an Administrator.

  2. Create a new Enterprise Application.

    • Specify that it's a non-gallery application
       

  3. In the application's Single sign-on section, select SAML, and edit the “Basic SAML Configuration. Open the SP Metadata document that was downloaded from the Cyral management console while creating a SAML integration. Copy the following URLs to Azure from the SP Metadata obtained in the previous section:

    • Set the Identifier in Azure to the Entity ID from the SP metadata. The URL should have the following format:
      https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default
    • Set the Reply URLs in Azure using both of the AssertionConsumerService URLs found in the SP Metadata. Make sure to add the index of each URL in Azure. The ACS URL with index 0 should have the following format:
        https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint/clients/$IDP_INTEGRATION_ID-client
      The ACS URL with index 1 should have the following format:
        https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint
    • Set the ACS URL with index 0 as the default.

    Click Save.

  4. In the User Attributes and Claims section, specify which user data attributes will be sent to Cyral. Add a claim for each of the following attributes:

    • First Name: This is required. Enter firstName as the Name of the claim. Leave the namespace blank. Select user.givenName as the source attribute.

    • Last Name: This is required. Enter lastName as the Name of the claim. Leave the namespace blank. Select user.surname as the source attribute.

    • Email: This is required. Enter email as the Name of the claim. Leave the namespace blank. Select user.mail as the source attribute.

    Next, add a Group Claim:

    • In the Which groups field, choose select groups that should be granted access to Cyral, or select All Groups.
    • Set the Source Attribute to Group ID. If your Azure AD is connected to on-premises Active Directory using AAD Connect Sync 1.2.70.0 or above, you may opt please select sAMAccountName instead.
    • Click on Advanced options
    • Select the Customize the name of the group claim check box
    • Enter the Name element of the RequestedAttribute. The default value is memberOf.
    • Click Save.
       

info

These attributes in Azure side should match with the fields on the SAML integration in the UI.

  1. Under the application's Users and Groups section, assign the users and groups who will be allowed to log into Cyral.

  2. After saving all of the above, go to the Single sign-on section of your app in Azure AD, and find the app's App Federation Metadata Url in the SAML Signing Certificate section of the window. Copy that URL for pasting into the Cyral UI.

In Cyral management console, complete the SAML integration

In this final step, you will supply the IdP Metadata URL you copied from Azure to the Cyral management console.

  1. Return to your SAML integration in the Cyral management console. Enter the IdP Metadata URL you retrieved from Azure.

  2. Click Save.

Your SAML Integration is complete.

Next step

See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.

SCIM with Azure AD

Cyral supports the use of the SCIM protocol to retrieve group information from your Azure AD directory. While Cyral also supports other ways to retrieve group information from Azure AD, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, a Snowflake login with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.

Prerequisites

Before you set up the SCIM integration, make sure you have:

  • A working Azure AD SSO integration in Cyral.

    tip

    Cyral recommends that you create a new Azure AD SSO integration that is not being used in any other Cyral integration in your environment.

  • Users who will log in with Cyral must have the following identity attributes stored in their Azure AD user record:

    • first name

    • last name

    • username

    • email

    tip

    If your Azure AD application uses email addresses as the username values, it is possible to populate the email field with the value of username in your mappings. See mapping email address as username below.

Get configuration values from the Cyral UI

  1. In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find your SAML SSO integration and click the pencil icon to edit.

  2. Select Enable service account resolution. The Configure Your SCIM Integration panel appears.

  3. Note the value shown in the field, SCIM connector base URL. In the next procedure, you or your SAML administrator will copy this value into SAML. Keep this tab open, or store this value securely until you need it. This value contains the OAuth bearer token, which must be kept secure.

    note

    The information shown here includes:

    • SCIM connector base URL: The base URL for the SCIM integration endpoints.
    • Supported provisioning actions: The provisioning actions your SAML app will take for this integration. In our case, we want the SAML app to:
      • Push New Users to Cyral
      • Push Profile Updates to Cyral
      • Push Groups to Cyral
    • Authentication Mode: The method used by SAML to authenticate with Cyral. This will be an OAuth HTTP bearer token.
    • Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance.
  4. Click Save.

Configure Azure AD

  1. Sign in to your Azure AD portal. Navigate to the Enterprise Application that you have configured for Cyral SSO.

  2. In the app management screen, select Provisioning in the left panel.

  3. Click on Get started.

  4. In the Provisioning Mode menu, select Automatic.

  5. In the Tenant URL field, enter the SCIM connector base URL you copied from the Cyral UI earlier. This is the SCIM base URL of your Cyral SCIM integration. For example: https://example.app.cyral.com/v1/scim/aad.9ba88b7e-0a2c-4d93-9d62-44deca32109

  6. In the Secret Token field, enter the token copied from the Cyral UI's Bearer token field.

  7. Click Test Connection. This should result in a green checkmark (✔️) in the upper right of the Azure AP portal page.

  8. Select Save to save the admin credentials.

  9. Clicking Save activates two more settings sections, Mappings and Settings:

    • Mappings: Make sure both the mappings for groups and users are Enabled. The default mappings are compatible with the Cyral SCIM service.

      tip

      If your Azure AD application uses email addresses as the username values, it is possible to populate the email field with the value of username in your mappings. See mapping email address as username below.

    • Settings: This setting is optional. Add an Email Address where failure notifications can be sent.

    • Click Save to save your configuration changes.

  10. Refresh the current page and click Edit provisioning. A new configuration field, Scope, appears in the Settings section.

  11. Select Sync only assigned users and groups from the dropdown menu

  12. Set the Provisioning Status to ON and click Save.

  13. To force the sync now:

    • Go to the SCIM app page (by refreshing the current screen or by clicking on SCIM app at the top left corner of the page)
    • Click on the Refresh icon in the upper right.

Mapping email address as username

If your Azure AD application uses email addresses as the username values, it is possible to populate the email field with the value of username while defining the attribute mapping from Azure to the Cyral SCIM application. In order to do so, please do the following during step 9a of the ‘Azure Configuration Process’:

  1. Under the Mappings Option, select Provision Azure Active Directory Users

  2. Click on the mapping entry that maps Source attribute mail to Target attribute emails[type eq "work"].value

  3. In this entry, change the Source attribute from mail to userPrincipalName

  4. Click OK then Save.

Next step

With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: