Skip to main content
Version: v4.8

SSO with Azure AD

With Cyral, you can authenticate database users against your Azure Active Directory (Azure AD) identity provider, and Cyral can read each user's group memberships from Azure AD to determine the user's privileges. This integration uses Azure AD as a SAML identity provider.

Follow these steps to use your Azure AD to authenticate database users and Cyral administrators.

info

If you're using on-premises Active Directory, see the section, SSO with ADFS.

In Cyral management console, create a SAML integration

  1. Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.

  2. Create a new SAML connection:

    • Specify a Display Name. This display name is used to identify the IdP to the user when they log in.

    • In Attribute Names in SAML Assertion section, accept the default name for each required SAML attribute (first and last name, email, SSO groups).

    • Enable IdP-initiated login checkbox: When you add any IdP integration in Cyral, your users can log in using the Cyral Access Portal. If selected, this checkbox gives your users a second way to log in: from your IdP portal.

      • Set IdP-initiated login to ON to give users the added option of logging in from your IdP-based portal (for example, an Okta portal).

        tip

        Enabling IdP-initiated login requires a second ACS URL in your SAML app. For details, see SP-initiated and IdP-initiated login.

      • Set IdP-initiated login to OFF to disable IdP-initiated login. Do this if login is not supported by your IdP, or if you don't want to let users log in from your IdP portal.

    • Click Continue

    • On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.

Create SAML Application in Azure

  1. Go to your Azure AD administration page and log in to your account as an Administrator.

  2. Create a new Enterprise Application.

    • Specify that it's a non-gallery application
       

  3. In the application's Single sign-on section, select SAML, and edit the “Basic SAML Configuration. Open the SP Metadata document that was downloaded from the Cyral management console while creating a SAML integration. Copy the following URLs to Azure from the SP Metadata obtained in the previous section:

    • Set the Identifier in Azure to the Entity ID from the SP metadata. The URL should have the following format: 
      https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default
    • Set the Reply URLs in Azure using both of the AssertionConsumerService URLs found in the SP Metadata. Make sure to add the index of each URL in Azure. The ACS URL with index 0 should have the following format: 
        https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint/clients/$IDP_INTEGRATION_ID-client
      The ACS URL with index 1 should have the following format: 
        https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint
      Click Save.

  4. In the User Attributes and Claims section, specify which user data attributes will be sent to Cyral. Add a claim for each of the following attributes:

    • First Name: This is required. Enter firstName as the Name of the claim. Leave the namespace blank. Select user.givenName as the source attribute.

    • Last Name: This is required. Enter lastName as the Name of the claim. Leave the namespace blank. Select user.surname as the source attribute.

    • Email: This is required. Enter lastName as the Name of the claim. Leave the namespace blank. Select user.mail as the source attribute.

    Next, add a Group Claim:

    • In the Which groups field, choose select groups that should be granted access to Cyral, or select All Groups.
    • Set the Source Attribute to Group ID. If your Azure AD is connected to on-premises Active Directory using AAD Connect Sync 1.2.70.0 or above, you may opt please select sAMAccountName instead.
    • Click on Advanced options
    • Select the Customize the name of the group claim check box
    • Enter the Name element of the RequestedAttribute with friendly name Groups. The default is memberOf.
    • Click Save.
       

  5. Under the application's Users and Groups section, assign the users and groups who will be allowed to log into Cyral.

  6. After saving all of the above, go to the Single sign-on section of your app in Azure AD, and find the app's App Federation Metadata Url in the SAML Signing Certificate section of the window. Copy that URL for pasting into the Cyral UI.

In Cyral management console, complete the SAML integration

In this final step, you will supply the IdP Metadata URL you copied from Azure to the Cyral management console.

  1. Return to your SAML integration in the Cyral management console. Enter the IdP Metadata URL you retrieved from Azure.

  2. Click Save.

Your SAML Integration is complete.

Next step

See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.