Microsoft Entra ID

Immuta can integrate with Microsoft Entra ID as an IAM over SAML 2.0. This page outlines how to register Immuta as an Azure Enterprise Application with Single Sign-On over SAML 2.0.

Create an Enterprise Application

Microsoft Azure subscription: Microsoft Azure requires a Premium subscription to create a non-gallery application, which is essential for this integration.

  1. In the Microsoft Azure portal, browse to Enterprise Applications.

  2. Click the New Application button and then select Create your own application.

  3. Name the application with the name of your choice, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

  4. On the left menu, choose the Single sign-on menu item and then pick the SAML tile.

  5. In the first section (Basic SAML Configuration), click the Edit icon and fill in Identifier (Entity ID) field with the full URI of your Immuta app (e.g., https://immuta.my-comany.com).

  6. In the second section (User Attributes & Claims), specify the unique user identifier you want to use in Immuta. Common choices are the mail claim or the userprincipalname claim. You can also specify the user claims you want Azure to expose to Immuta. You will use the names of those claims to map them to Immuta user attributes when you create an IAM.

  7. In the third section (SAML Signing Certificate), click the Download link next to Certificate (Base64) and save the file on your hard drive:

  8. In the fourth section, copy the Login URL and save it for when you will create the IAM through the Immuta UI.

Now that you have an enterprise application in place, continue to create and configure an IAM in Immuta. You will need a few details from the Immuta UI to complete the configuration of the enterprise application.

Attribute matching for SCIM

Attribute matching allows you to determine how to uniquely identify a user in Microsoft Entra ID and match that user in Immuta at login and during provisioning. Immuta supports the following matching attributes in Microsoft Entra ID:

  • Users:

    • id

    • userName

    • email

    • displayName

    • emails[type eq "work"].value

  • Groups

    • id

    • displayName (See the limitation below for group names.)

Using any other attribute in Microsoft Entra ID as a matching attribute results in an error. See the Microsoft Entra ID documentation for details about attribute matching and how to configure it.

Create an IAM

  1. In Immuta, browse to App Settings, go to the Identity Managers section, and click Add IAM

  2. Assign a name to the new IAM. Immuta will automatically derive the ID of the IAM from the name you pick.

  3. Select SAML in the Identity Provider Type drop-down.

  4. Start configuring the new IAM:

    • Default Permissions: The default permission that should be assigned to a Microsoft Entra ID user in Immuta.

    • Issuer: This field needs to have the same value as the Identifier (Entity ID) of the enterprise application (e.g., https://immuta.my-comany.com).

    • Entry Point: Paste the Login URL that you obtained in the previous section.

    • User ID Attribute: This field is the attribute that will contain the username of the user logging in.

    • Signing Certificate: Upload the certificate file you have previously downloaded and converted into a PEM encoded certificate.

    • Decryption Private Key: This field is the optional key for decrypting attribute assertions.

    • Enable SCIM support for SAML: Opt to enable SCIM support. Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.

    • Profile Schema: Map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

    • Enable any optional settings:

      • Link SQL

      • Allow Identity Provider Initiated Single Sign On: After checking this option, set disableRequestedAuthnContext to true under Additional Config Parameters.

      • Sync groups from SAML to Immuta

      • Sync attributes from SAML to Immuta: After selecting this checkbox, map your Entra ID attributes to Immuta in the Attribute Schema section.

      • External Groups and Attributes Endpoint

    Before you can test the integration and save the new IAM, you will need to go back to the Microsoft Azure Portal and fill in the Reply URL.

  5. In the Single sign-on page of your enterprise application, edit the first section with the title Basic SAML Configuration.

  6. Fill in the Reply URL (Assertion Consumer Service URL) field with a value that adheres to the following format: ${IMMUTA_URL}/bim/iam/${IAM_ID}/user/authenticate/callback. For example, if the URL to your Immuta tenant is https://immuta.my-comany.com and the assigned IAM ID is MicrosoftEntraID, the value of the Reply URL field should be https://immuta.my-comany.com/bim/iam/MicrosoftEntraID/user/authenticate/callback. To save the changes, click Save. You can find the IAM ID that Immuta has assigned to the IAM in the form.

  7. You should now be able to test the IAM and save it. After clicking Test Connection and letting Immuta hit the enterprise application URL, you will need to verify that the authentication flow works before you can save and create the IAM. To do so, click Test User Login and follow the instructions.

  8. Save the changes in Immuta.

Microsoft Entra ID SCIM limitation

SCIM will skip updates and will not inform Immuta that an attribute should be removed from a user in the following scenarios, even if the attribute mapping has been deleted from the IAM configuration on the Immuta app settings page:

  • Attribute is set to empty (removed) in Microsoft Entra ID

  • Attribute is deleted in Microsoft Entra ID

In both of these scenarios, Azure doesn’t send Immuta a payload to remove the attribute, as it considers the action a redundant export. As a result, the attribute values that previously existed in Microsoft Entra ID will not get removed from the user in Immuta.

To remediate this limitation, take one of the following actions:

  • Change the attribute to a non-impacting value other than empty in Microsoft Entra ID.

  • Alternatively, remove the attribute mapping from the attribute schema section of the IAM configuration on the Immuta app settings page. Then, trigger an update for that user in Microsoft Entra ID by making a change to any value for that user. Microsoft Entra ID will send an update for that user to Immuta, and Immuta will remove the attribute from the user. Note that if that attribute mapping is ever re-added in Immuta on the app settings page, that attribute will be added to the user again.

See Known issues for provisioning in Microsoft Entra ID for more details about this limitation.

Limitation

Group names containing " are unsupported in the Microsoft Entra ID integration.

Last updated

Copyright © 2014-2024 Immuta Inc. All rights reserved.