How-to | Add local users from an Azure Active Directory (AAD)

You can add local users from SAML identity providers, such as Microsoft Azure Active Directory (AAD).

Note

DSS supports AAD as a SAMLv2 IDP.

To import local users from an Azure Active Directory (AAD), you’ll need to use the Azure Active Directory plugin.

Configuring single sign-on (SSO)

You can configure SSO so that your users don’t have to type their password when accessing DSS.

DSS supports the following SSO protocols:

SSO provides proof that the user performing a query is who they claim to be, and DSS validates this proof. To enforce security rules, DSS must also know who the user is and to which group(s) they belong.

Therefore, in SSO mode, DSS still needs to have a database of all users that are permitted to sign in, even if they don’t enter a password. This database can be one of the following types:

For SAML the following is needed:

  • IdP Metadata (provided by SSO admin)

  • Callback URL. You will likely need one, for example: https://dss.mycompany.corp/dip/api/saml-callback

  • SP Metadata (to be generated). If there is no internal process for this, you can generate it online. You will need at least the entityID (from the IdP Metadata) and the Attribute Consume Service endpoint (the callback URL). It is also not uncommon to take the X.509 certificates from the IdP Metadata.

  • Login Attribute. The attribute in the assertion sent by the IdP that contains the DSS login.

  • Login Remapping Rules. Rules that map the value of the login attribute to the DSS user login. For example, first.last@company.com is mapped to first.last via the rule ([^@]*)@mydomain.com -> $1
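The login remapping step above, worked through in an added Python example (not code from DSS or from this page): rules keep the page's "regex -> replacement" syntax with $1 backreferences; that rules are tried in order, that the first full match wins, and that an unmatched login attribute yields no DSS login are assumptions of this example.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Constructed sample rules in the "pattern -> replacement" form shown on this page.
# The "$1" backreference is the DSS-style form; Python's re uses "\1", so it is
# translated in parse_rule(). The second rule is a constructed extra example.
RULES = [
    r"([^@]*)@mydomain.com -> $1",
    r"([^@]*)@partner.example -> ext_$1",
]


def parse_rule(rule: str) -> Tuple[Pattern, str]:
    """Split 'pattern -> replacement' and translate $N backreferences to \\N."""
    pattern, sep, replacement = rule.partition("->")
    if not sep:
        raise ValueError(f"rule has no '->' separator: {rule!r}")
    replacement = re.sub(r"\$(\d+)", r"\\\1", replacement.strip())
    return re.compile(pattern.strip()), replacement


def remap_login(login_attr: str, rules: List[str] = RULES) -> Optional[str]:
    """Return the DSS login for the value of the SAML login attribute.

    Assumption: rules are applied in order and the first rule whose regex
    matches the whole attribute value wins. If no rule matches, None is
    returned: the assertion does not map to any DSS user and the login
    should be refused rather than guessed.
    """
    for rule in rules:
        regex, replacement = parse_rule(rule)
        match = regex.fullmatch(login_attr)
        if match:
            # Match.expand() substitutes \1 etc. from the matched groups only,
            # so the replacement cannot be applied more than once.
            return match.expand(replacement)
    return None


if __name__ == "__main__":
    for attr in ("first.last@mydomain.com", "jane.doe@partner.example", "someone@other.example"):
        print(f"{attr} -> {remap_login(attr)}")
```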

Note

For more information about SSO, visit Single Sign-On in the reference documentation.