Audience: Application Admins
Content Summary: Immuta is compatible with enterprise SAML 2.0 identity providers. Immuta can leverage your SAML provider for authentication and authorizations or use SAML 2.0 only for authentication while maintaining all user attributes (authorizations and groups) within Immuta's built-in identity manager.
This page outlines configuration options and examples for SAML identity managers, including Okta and Azure Active Directory. Implementation will vary based on your SAML configuration. For detailed assistance, please contact your Immuta support professional.
SAML IAMs are configured in the Identity and Access Management section of the Application Settings page, but if you have contacted the Immuta Support team and they have instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:
id(string): The id of the IAM. This value will reference the IAM in the callback URL with the format:
displayName(string): The name of the IAM that will show in the Immuta UI.
type(string): The IAM type that is being configured. This value must be
samlfor SAML IAMs.
clientOptions(object): Options for the SAML client:
issuer(string): Your identity provider issuer; this should match the configured certificate.
entryPoint(string): SSO location for redirecting from the Immuta login page.
certPath(string): Identity provider public certificate location.
protocol(string): Set this to
https://if external TLS is enabled for Immuta or
host(string): Set this to the external hostname for Immuta.
decryptionPvkPath(string): Private key location for decrypting attribute assertions (optional).
supportedActions(array): See Supported Actions for details.
schema(object): The mapping schema for profile information and authorizations. The yaml keys are the values that you wish to map to, and the yaml values are the keys of the SAML attributes that you wish to derive the values from.
profile(object): The mapping schema for profile information. The yaml keys are the values that you wish to map to, and the yaml values are the SAML attributes that you wish to derive the value from.
permissions(string): The SAML attribute that contains a list of roles or groups to derive Immuta permissions from.
authorizations(object): The mapping schema for authorizations. The yaml keys are the values that you wish to map to, and the yaml values are the SAML attributes that you wish to derive the value from.
authorizationPrefix(string): Prefix value used to pick up Immuta authorizations from SAML attributes. Attributes with this prefix will be recognized by Immuta as authorizations. For example, a SAML attribute named
immutaAuth.locationswill be recognized in Immuta as an authorization called
arrayDelimiter(string): Used to split multi-value attributes. For example, a SAML attribute named
immutaAuth.locationswith the value
'MD, OH'will contain the array value
['MD', 'OH']in Immuta.
permissions(object): The mapping schema for permissions. The yaml keys are the values from the SAML attribute assigned in the
schema.permissionsconfiguration and the yaml values are a list of Immuta Permissions to be assigned. If a user has multiple roles or groups assigned, permissions will be merged.
defaultPermissions(array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.
The SAML identity provider will derive groups using a SAML attribute named
plugins: samlIAM: id: saml displayName: SAML 2.0 type: saml plugin: saml saml: true clientOptions: issuer: 'http://www.exampleprovider.fake/rdsf03ur2hd' entryPoint: 'https://example.okta.com/app/documentation_example/rdsf03ur2hd/sso/saml' certPath: /etc/immuta/security/saml.crt decryptionPvkPath: /etc/immuta/security/decrypt-key.pem schema: profile: name: 'name' email: 'email' hdfsUser: 'hdfsUser' permissions: 'groups' authorizations: exampleAuth: 'example' authorizationPrefix: 'immutaAuth.' arrayDelimeter: ',' supportedActions: ['syncGroups', 'syncAuthorizations'] permissions: immuta-admin: - ADMIN - AUDIT immuta-auditor: - AUDIT immuta-governor: - GOVERNANCE defaultPermissions: - 'CREATE_DATA_SOURCE' - 'CREATE_PROJECT'
Identity Provider Guides
Integrating with your organization's Okta directory requires creating a custom application mapping in the Okta administrator dashboard.
- In the Okta administrator dashboard, navigate to Applications.
- Select Add Application.
- Select Create New App.
- For Platform, select Web.
- For Sign on method, select SAML 2.0.
- Click Create.
- Complete general settings.
- Fill out a custom app name, or just save it as Immuta.
- Complete general SAML configuration settings.
- For Single sign on URL, enter
<your immuta base url>/bim/iam/<your iam id>/user/authenticate/callback. You can check the box that says Use this for Recipient URL and Destination URL.
- For Enter Audience URI, enter a unique audience name that does not yet exist in your organization's Okta.
RelayStatecan be left blank.
- For Name ID format, select
- For Application username, select the profile attribute that denotes the Okta user's email address. Typically, this is simply email.
- For Single sign on URL, enter
Complete SAML Attribute Statements.
- Be sure to build these in accordance with how you build your schema in the Immuta configuration.
- Note that for authorizations, values not configured in the schema can still be picked up as
authorizations in Immuta if they include the configured
authorizationPrefix. This prefix defaults to
- Multi-value attributes can be mapped in as arrays (with the Okta preview feature), or delimited strings. The
arrayDelimiteris a comma.
- Groups can only be mapped in as an array of group names, aptly-named
groups. The mapping in the screenshot above sends all of an Okta users' groups to Immuta.
Save the Application, and add desired users / groups using the Assignments tab.
Okta Sample Configuration
plugins: oktaIAM: id: okta displayName: Okta type: saml plugin: saml saml: true supportedActions: ['syncGroups', 'syncAuthorizations'] clientOptions: issuer: 'http://www.okta.com/e5643t3534534' entryPoint: 'https://example.okta.com/app/documentation_example/e5643t3534534/sso/saml' certPath: /etc/immuta/security/okta.crt decryptionPvkPath: /etc/immuta/security/okta-decrypt.pem schema: profile: name: 'name' email: 'email' hdfsUser: 'hdfsUser' authorizations: authColor: 'authColor' authorizationPrefix: 'immutaAuth.' arrayDelimeter: ',' defaultPermissions: - 'CREATE_DATA_SOURCE' - 'CREATE_PROJECT'
Azure Active Directory
Immuta can integrate with Azure Active Directory as an IAM over SAML 2.0. You can find out more in the Azure Active Directory integration guide.