Forum Discussion

chris_thornton
Contributor III
3 months ago

Restorepoint Dynamic Role and Domain Assignment via SAML SSO using Microsoft Azure

Currently in Restorepoint you have users authenticate via SAML SSO using Microsoft Azure. Per the documentation, [Restorepoint] - How to set up SAML SSO - Microsoft Azure, users are able to authenticate, but they cannot log into Restorepoint until an Administrator manually assigns a role to them. Does anybody know of a way to do this currently, or is this going to need to be submitted to the Ideas Hub area?

  • OK, so after playing around for a bit I kind of figured out a hacky workaround by adding a groups claim in Azure, screenshot below.

    [screenshot: groups claim configuration in Azure]

    From there, I updated the SAML config in Restorepoint to have the Groups Claim reflect the name "groups" that was returned.

    Then, I had to go into the Users section and add in a mapping in the SAML Groups section for a Group within Entra ID to a Role and Domain. The thing to keep in mind when setting this up is that you have to get the Name and Object ID exactly as they appear in Azure, from the Users and Groups section inside the Enterprise Application. Inside that section, click on the group name that you want to map and it will open a new page. Grab the display name and Object ID, then put those on the Restorepoint side and map them to a Role and Domain. It should work for now until something can be updated for using an actual Role passed back instead, which would be preferred.

    • mjensen
      Employee

      Your timing is excellent -- The 'workaround' you discovered is actually the intended way to do this, and the SAML Group mapping is brand-new functionality that was just added in last week's maintenance release.  As you noted, our published documentation hasn't "caught up" yet, but it will be updated shortly to describe the new options.

      Your suggestion of having the actual role be passed back via SAML has been discussed. I believe the decision to use an explicit Group-to-Role mapping was made because of the potential complexity of making SAML roles accurately match up to roles that are defined in Restorepoint, with all of the very granular permission settings that can be in those roles, and also to allow SAML users to be given multiple role assignments similar to locally authenticated accounts.  (A Restorepoint user can be given different roles in multiple domains. That same multi-role assignment can now be made for SAML groups as well.)

      Thanks for the detailed description and screenshot showing how to do this specifically in Azure!

      • chris_thornton
        Contributor III

        Thanks for following up; I had thought I missed it before, so I'm glad it was something new that was added in. I understand the complexity with roles in Restorepoint, and trying to get that to work with SAML would be challenging. The approach taken is probably the best way to do it currently, as there are both the Role and Domain that have to be mapped, which makes it complex from that standpoint. I will continue to use this route going forward, and I'm glad I was able to kind of stumble across it myself and get it working as intended.