Introduction
After you have configured SSO logins for Azure Active Directory, you can further configure Azure AD to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Azure changes you need to make to support IdP-managed permissions.
Entra supports conditional claims within your SAML app, which allows you to manage permissions based on a user's group affiliation.
The Canary Console expects three attributes, is_global_admin, managed_flocks and watched_flocks, to dictate what permissions a user should land with on login.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
Below, we'll cover how to assign these attributes based on groups:
1. Head over to the "Attributes & Claims" section of the app.
2. Select "Add new claim".
3. Complete the form with the claim details.
We'll use is_global_admin in this example, but note that all 3 claims need to be created and present.
We recommend setting all 3 claims to "-" for all users / an "all company" group. This creates an "implicit deny" which can be built on top of for explicit permissions.
- Enter the claim name.
- Select a user type if you'd like to restrict this access to a sub-type of users.
- Select the Entra group you'd like this claim to apply to.
- Select "Attribute" for the Source.
- Enter your preferred Value (is_global_admin supports True/False; the other claims support a CSV list of Flocks).
⚠ Note!
The Console requires all 3 claims to be present. Please repeat this step for the other two claims as well. If a claim is unused, set its value to "-" instead. For example, if you want a set of users to be administrators, they can't be Flock Managers or Flock Watchers too. In this case you'll set the following claims (claim - group - value):
- is_global_admin - all_company_group - "False"
- is_global_admin - canary_admins_group - "True"
- managed_flocks - all_company_group - "-"
- watched_flocks - all_company_group - "-"
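To see how the claim set above lands for a given user, here is an added example (not Canary's or Microsoft's code) that models the ordered conditional claims and then applies the Console's attribute contract described in this guide: all three claims present, "-" meaning no Flocks, and Global Admins not also holding Flock permissions. It assumes Entra applies the last matching condition when several match, so the "all company" implicit-deny rows come first.

```python
# Added example: resolve the guide's conditional claims for a user and map them
# to Console permissions. Group names are the placeholders used in the guide.
from dataclasses import dataclass, field

# Ordered claim conditions as configured in Entra: (claim, group, value).
# Assumption: conditions are evaluated in order and the LAST match wins,
# so the implicit-deny "all company" rows precede the explicit admin row.
CLAIM_CONDITIONS = [
    ("is_global_admin", "all_company_group", "False"),
    ("is_global_admin", "canary_admins_group", "True"),
    ("managed_flocks", "all_company_group", "-"),
    ("watched_flocks", "all_company_group", "-"),
]
REQUIRED = ("is_global_admin", "managed_flocks", "watched_flocks")

@dataclass
class Permissions:
    global_admin: bool
    managed_flocks: list = field(default_factory=list)
    watched_flocks: list = field(default_factory=list)

def resolve_claims(user_groups, conditions=CLAIM_CONDITIONS):
    """Return {claim: value}; a claim with no matching condition is absent."""
    claims = {}
    for claim, group, value in conditions:
        if group in user_groups:
            claims[claim] = value  # later matching rows overwrite earlier ones
    return claims

def parse_flocks(value):
    """'-' means no Flocks; anything else is a CSV list of Flock names."""
    if value.strip() == "-":
        return []
    return [f.strip() for f in value.split(",") if f.strip()]

def permissions_from_claims(claims):
    """Apply the Console's contract: all 3 claims present, admin is exclusive."""
    missing = [c for c in REQUIRED if c not in claims]
    if missing:
        raise ValueError(f"assertion is missing required claims: {missing}")
    admin = claims["is_global_admin"].strip().lower()
    if admin not in ("true", "false"):
        raise ValueError("is_global_admin must be True or False")
    perms = Permissions(admin == "true", parse_flocks(claims["managed_flocks"]),
                        parse_flocks(claims["watched_flocks"]))
    if perms.global_admin and (perms.managed_flocks or perms.watched_flocks):
        raise ValueError("a Global Admin cannot also be a Flock Manager/Watcher")
    return perms

def permissions_for(user_groups):
    return permissions_from_claims(resolve_claims(set(user_groups)))
```

A user who is only in canary_admins_group but not in the "all company" group fails the presence check, which is why the guide insists on setting all three claims for everyone.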
Once the claims structure is established, logins can be tested.
Users signing in are now automatically provisioned with permissions derived from their group membership, and those permissions follow later changes to their groups.
You're done! ;)