Introduction
After you have configured SSO logins for Azure Active Directory, you can further configure Azure AD to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Azure changes you need to make to support IdP-managed permissions.
Change Summary
Inside your Azure app, you will add three attributes to each user to allow Azure to manage the permissions. The three attributes are: is_global_admin, managed_flocks and watched_flocks.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
All the steps below take place in your Azure account. Log in to Azure with a user who is able to modify the Canary Console application.
Steps
Step 1: Create the AD application extension properties
The commands in this section should be executed in a PowerShell instance connected to your Azure environment (such as the Azure Cloudshell).
Grab the object ID of the AD application (the enterprise app created when you initially set up SAML) with one of these commands:
PS> $ObjId = (Get-AzureAdApplication -Filter "DisplayName eq 'Canary Console'").ObjectId
# or
PS> $ObjId = (Get-AzureAdApplication -Filter "AppId eq '<Canary Console SAML enterprise app id>'").ObjectId
Create the three extension properties by running these commands.
PS> $globalAdminExtension = New-AzureADApplicationExtensionProperty -ObjectId $ObjId -Name "is_global_admin" -DataType "String" -TargetObjects "User"
PS> $watchedFlocksExtension = New-AzureADApplicationExtensionProperty -ObjectId $ObjId -Name "watched_flocks" -DataType "String" -TargetObjects "User"
PS> $managedFlocksExtension = New-AzureADApplicationExtensionProperty -ObjectId $ObjId -Name "managed_flocks" -DataType "String" -TargetObjects "User"
Run the following command to verify that the extension properties were created.
PS> Get-AzureADApplicationExtensionProperty -ObjectId $ObjId
The output should look like this:
ObjectId Name TargetObjects
-------- ---- -------------
abcdefg1-388d-4a64-95ec-1217d08dc684 extension_abcdefg7e9b346409049832ce6c138f3_managed_flocks {User}
abcdefg2-6b74-469f-b35c-35ca74022edf extension_abcdefg7e9b346409049832ce6c138f3_watched_flocks {User}
abcdefg3-ae08-4308-b39e-6becd43d2bf6 extension_abcdefg7e9b346409049832ce6c138f3_is_global_admin {User}
Step 2: Add the extension properties to the user
Get the user's object ID.
PS> $UserId = (Get-AzADUser -UserPrincipalName "user@example.com").Id
Set values for each of the extension properties on the user object. Azure doesn't support empty strings, but you can use a single space if you would like to leave managed_flocks or watched_flocks empty.
PS> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName $globalAdminExtension.name -ExtensionValue "false"
PS> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName $watchedFlocksExtension.name -ExtensionValue "flock:default,flock:abababababababababababababababab"
PS> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName $managedFlocksExtension.name -ExtensionValue " "
You can run the following command to retrieve the current extension values on the user object.
PS> Get-AzureADUserExtension -ObjectId $UserId
Repeat this step for each user that is assigned to the Canary Console application.
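As an added example (not part of the original article), the following PowerShell script applies Step 2 to a list of users in one pass: it looks up the extension property names created in Step 1, turns an empty flock list into the single-space value Azure accepts, and reads each user back to confirm the stored values. It assumes an already connected AzureAD session and uses that module's Get-AzureADUser in place of Get-AzADUser; the user list and flock IDs are constructed sample values.

```powershell
# Added example, not from the original article.
# Assumes Connect-AzureAD has already been run in this session.

# Resolve the application and the extension property names from Step 1.
$ObjId = (Get-AzureADApplication -Filter "DisplayName eq 'Canary Console'").ObjectId
$props = Get-AzureADApplicationExtensionProperty -ObjectId $ObjId
$extName = @{}
foreach ($p in $props) {
    # Names have the form extension_<appid>_<attribute>; key them by the attribute suffix.
    $suffix = ($p.Name -split '_', 3)[2]
    $extName[$suffix] = $p.Name
}

# Constructed sample input; replace with your own users and flock IDs.
$assignments = @(
    [pscustomobject]@{ Upn = 'alice@example.com'; GlobalAdmin = $true;  Managed = @('flock:default'); Watched = @() }
    [pscustomobject]@{ Upn = 'bob@example.com';   GlobalAdmin = $false; Managed = @();               Watched = @('flock:default') }
)

# Azure rejects an empty string, so an empty flock list becomes a single space.
function ConvertTo-FlockValue([string[]]$flocks) {
    if ($flocks.Count -eq 0) { return ' ' }
    return ($flocks -join ',')
}

foreach ($a in $assignments) {
    $user = Get-AzureADUser -ObjectId $a.Upn
    $values = @{
        is_global_admin = $a.GlobalAdmin.ToString().ToLower()   # "true" or "false"
        managed_flocks  = ConvertTo-FlockValue $a.Managed
        watched_flocks  = ConvertTo-FlockValue $a.Watched
    }
    foreach ($attr in $values.Keys) {
        Set-AzureADUserExtension -ObjectId $user.ObjectId -ExtensionName $extName[$attr] -ExtensionValue $values[$attr]
    }

    # Read the extensions back (keyed by full extension name) and flag any mismatch.
    $stored = Get-AzureADUserExtension -ObjectId $user.ObjectId
    foreach ($attr in $values.Keys) {
        if ($stored[$extName[$attr]] -ne $values[$attr]) {
            Write-Warning "$($a.Upn): $attr was not stored as expected"
        }
    }
}
```

Run it with a read-only dry run first by commenting out the Set-AzureADUserExtension line if you want to see which users would change.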
Step 3: Add the new properties as claims to the Enterprise Application
Go to the Enterprise Application and open the SAML attributes & claims.
Click "Add new claim".
Add the name of the first parameter (is_global_admin), then select "Directory schema extension".
In the popup, select the Azure AD Application, then click "Select".
In the next popup, select the extension attribute (user.is_global_admin).
Finally, click "Save".
Repeat these steps for the other two attributes (watched_flocks and managed_flocks).
After adding all three attributes, the attributes and claims page should look like this:
The Azure App will now pass through the custom attributes to the Console, which will set the user's permissions based on these attributes.