Commit
Change structure to isolate idp setup
1 parent d145614, commit 1c30b7b. Showing 4 changed files with 124 additions and 105 deletions.
pages/learn/accounts/idp-setup/google-workspace-saml-setup.md: 45 changes (45 additions & 0 deletions)
@@ -0,0 +1,45 @@ | ||
--- | ||
title: Configure a SAML app for Google Workspace | ||
excerpt: prepare your Google Workspace oranization to integrate with balenaCloud | ||
--- | ||
|
||
# Google Workspace SAML | ||
|
||
This guide will walk you through the steps to create a SAML Identity Provider (IdP) using Google Workspace to integrate with balenaCloud. | ||
|
||
##### Prerequisites | ||
|
||
Access to a Google Workspace admin account capable of creating apps and users for the organization. | ||
|
||
##### Steps to Create a SAML Identity Provider in Google Workspace | ||
|
||
1. Access the Google Admin Console | ||
* Go to [Google Admin Console Apps](https://admin.google.com/ac/apps/unified) using your Google Workspace admin account. | ||
2. Create a New Custom SAML App | ||
* Click on Add app. | ||
* Select Add custom SAML app. | ||
3. Configure the SAML App | ||
* Name Your App: Provide a meaningful name for the SAML app (e.g., “balenaCloud SSO”). | ||
* Download the Metadata: After naming your app, download the metadata file provided by Google. This file will be used later to set up the IdP in balenaCloud. | ||
4. Set Up Service Provider Details | ||
* ACS URL: Fill in the Assertion Consumer Service (ACS) URL with: | ||
``` | ||
https://dashboard.balena-cloud.com/saml/acme/callback | ||
``` | ||
Replace `acme` with the name you will give your IdP in balenaCloud. | ||
|
||
* Entity ID: Fill in the Entity ID with: | ||
``` | ||
https://dashboard.balena-cloud.com/saml/acme | ||
``` | ||
Again, replace `acme` with the name you will give your IdP. | ||
5. Skip Attribute Mapping | ||
* Ignore any mapping configuration. Currently, balenaCloud does not make use of these mappings. | ||
6. Enable the SAML App | ||
* In the Service Status section, ensure the new SAML app is set to `ON` for everyone or specific groups. This will those users in your organization access to login to balenaCloud via SSO. | ||
|
||
##### Final Steps | ||
Finally, you should a custom SAML app in your Google Workspace that looks similar to this: | ||
<img alt="Download XML" src="/img/common/saml/google-workspace-saml-app-final.png" width="100%"> | ||
|
||
Congratulations! You should now have your Identity Provider (IdP) setup, head over to the balenaCloud dashboard and follow the [instructions to link an IdP](/learn/accounts/enterprise-sso/#link-a-saml-identity-provider) by uploading the XML metadata file. Your team can then start using the Single Sign-On (SSO) functionality, allowing them to securely and seamlessly access the platform using their enterprise credentials. |
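Review bot: the service-provider endpoints given in step 4 (`https://dashboard.balena-cloud.com/saml/acme/callback` for the ACS URL and `https://dashboard.balena-cloud.com/saml/acme` for the Entity ID) do not match the ones in the Microsoft Entra guide added in the same commit, which use `https://api.balena-cloud.com/auth/saml/<sso-identifier>` and `.../callback`. An IdP only delivers assertions to the ACS URL it was configured with, and the SP rejects assertions whose audience does not match its Entity ID, so the two guides cannot both be right; please confirm the production values and use the same host and path in both files. Related: step 5 tells the admin to ignore attribute mapping, while the Entra guide explicitly sets the unique user identifier to `user.mail`; stating which Name ID value balenaCloud expects would keep the two guides consistent. Minor: "oranization" in the excerpt; "This will those users in your organization access" in step 6 is missing a verb (give); "you should a custom SAML app" under Final Steps is missing "see"; and the `#####` subheadings sit directly under an `#` title, whereas the Entra file uses `####` for the same level.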
pages/learn/accounts/idp-setup/microsoft-entra-saml-setup.md: 63 changes (63 additions & 0 deletions)
@@ -0,0 +1,63 @@ | ||
--- | ||
title: Configure a SAML app for Microsoft Entra ID | ||
excerpt: prepare your Microsoft Entra ID oranization to integrate with balenaCloud | ||
--- | ||
|
||
# Microsoft Entra ID (formerly Azure Active Directory) | ||
|
||
This section provides step-by-step instructions for setting up SAML 2.0 with Microsoft Entra ID (formerly Azure AD) for use with balenaCloud. Follow the steps below and refer to the accompanying screenshots for visual guidance. | ||
|
||
#### Create a New Enterprise Application | ||
1. Go to: [Microsoft Entra ID Home](https://entra.microsoft.com/#home). | ||
2. On the left hand menu expand `Identity > Applications > Enterprise Applications`. | ||
4. Select Enterprise Applications. | ||
5. Click the `+ New application` button. | ||
<img alt="Create new enterprise app in Microsoft entra ID" src="/img/common/saml/microsoft-entra-id/create-new-app.png" width="100%"> | ||
|
||
#### Create Your Own Application | ||
|
||
1. You should now be presented with a gallery of enterprise apps. Click the `+ Create your own application button` at the top left. | ||
2. In the right-hand form that opens, give your app a name. | ||
3. Leave the default option selected. | ||
4. Click `Create`. | ||
<img alt="Create a custom app" src="/img/common/saml/microsoft-entra-id/create-your-own-application.png" width="100%"> | ||
|
||
#### Configure Single Sign-On | ||
|
||
1. In the left menu, click Single sign-on. | ||
2. Select SAML. | ||
<img alt="Configure SSO" src="/img/common/saml/microsoft-entra-id/configure-single-sign-on.png" width="100%"> | ||
|
||
#### Basic SAML Configuration | ||
|
||
1. In the Basic SAML Configuration section, click `Edit`. | ||
2. Paste your Entity ID and Sign-on URL. To obtain this, you must first decide on a “SSO Identifier” for your enterprise, e.g. `acme`. | ||
* Identifier: https://api.balena-cloud.com/auth/saml/`< sso-identifier >` | ||
* Reply URL: https://api.balena-cloud.com/auth/saml/`< sso-identifier >`/callback | ||
3. Click Save. | ||
<!-- TODO: update screenshots with production URLS --> | ||
<img alt="Configure SSO" src="/img/common/saml/microsoft-entra-id/basic-saml-configuration.png" width="100%"> | ||
|
||
#### Set Unique User Identifier | ||
|
||
1. On the “Set up Single Sign-On with SAML” page, click `Edit` on the Attributes & Claims section. | ||
2. On the Unique User Identifier row, click it. | ||
3. Change the Source attribute field to `user.mail`. | ||
4. Click Save. | ||
<img alt="Edit Unique User Identifier row" src="/img/common/saml/microsoft-entra-id/unique-user-identifier.png" width="100%"> | ||
<img alt="Change source attribute" src="/img/common/saml/microsoft-entra-id/change-source-attribute.png" width="100%"> | ||
|
||
#### Assign Users and Groups | ||
|
||
1. Go to Users & Groups in the Manage section of the SAML app. | ||
2. Add the users or groups you want to assign access to the SAML app. | ||
3. Click Assign at the bottom left. | ||
<img alt="Assign Users or Groups" src="/img/common/saml/microsoft-entra-id/assign-users-and-groups.png" width="100%"> | ||
|
||
#### Download Federation Metadata XML | ||
|
||
1. On your SAML-based Sign-on app page, look for the Download link for Federation Metadata XML. | ||
2. Download this XML file to use later in [setting up your SAML IdP in balenaCloud](#link-a-saml-identity-provider). | ||
<img alt="Download XML" src="/img/common/saml/microsoft-entra-id/download-metadata-xml.png" width="100%"> | ||
|
||
Congratulations! You should now have your Identity Provider (IdP) setup, head over to the balenaCloud dashboard and follow the [instructions to link an IdP](/learn/accounts/enterprise-sso/#link-a-saml-identity-provider) by uploading the XML metadata file. Your team can then start using the Single Sign-On (SSO) functionality, allowing them to securely and seamlessly access the platform using their enterprise credentials. |
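Review bot: the "Create a New Enterprise Application" list is numbered 1, 2, 4, 5 (step 3 is missing), and in "Basic SAML Configuration" the sentence says to paste an Entity ID and Sign-on URL while the bullets give an Identifier and a Reply URL; in Entra's Basic SAML Configuration form the Identifier is the Entity ID and the Reply URL is the Assertion Consumer Service URL, and Sign-on URL is a separate optional field, so the sentence should name Identifier (Entity ID) and Reply URL (ACS URL) to avoid the value being pasted into the wrong field. The `< sso-identifier >` placeholder has spaces inside the angle brackets and is easy to copy literally; `<sso-identifier>` is safer. The `<!-- TODO: update screenshots with production URLS -->` comment ships in user-facing docs and signals that the `https://api.balena-cloud.com/auth/saml/...` endpoints are not settled; they also differ from the `dashboard.balena-cloud.com` endpoints in the Google Workspace guide in this commit, so please confirm the production values and resolve the TODO before merging. In "Download Federation Metadata XML" the link `#link-a-saml-identity-provider` is a same-page anchor that no longer resolves now that this content lives in its own file; the closing paragraph already uses the full path `/learn/accounts/enterprise-sso/#link-a-saml-identity-provider`, so use that here too. Minor: "oranization" in the excerpt, and the backticks in `+ Create your own application button` include the word "button", which is not part of the label.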