SAML Protocol

Editing your IAM configuration

With the exception of the IAM ID (also called the display name), any of these settings can be changed after an IAM is configured. To edit IAM settings, click the dropdown arrow next to the IAM listed in the identity management section on the app settings page and then make your changes.

There are additional configuration options available for the SAML 2.0 protocol than are referenced in this guide, which only outlines the required settings. For details about the additional options, see the SAML protocol configuration options reference guide.

  1. Navigate to the Immuta App Settings page.

  2. Scroll to the Identity Management section and click Add IAM.

  3. Complete the Display Name field and select SAML from the Identity Provider Type dropdown.

  4. Take note of the ID and copy the SSO Callback URL to use as the ACS URL in your identity provider.

  5. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu.

  6. Complete the Entry Point field. This is the location of your single sign on application that will be redirected to from the Immuta login page.

  7. Upload your Signing Certificate. This is your identity provider's public signing certificate.

  8. Opt to Enable SCIM support for SAML. Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.

  9. In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

    If usernames in your data platform align with usernames in an external IAM and those accounts align with an IAM attribute, enter the IAM attribute in the field that corresponds to your data platform:

    1. User's Databricks Username

    2. User's Snowflake Username

    3. User's Trino Username

    4. User's Azure Synapse Analytics Username

    5. User's Redshift Username

    6. User's AWS User. After entering the IAM attribute in the User's AWS User field, click the Select AWS User Type from the dropdown and select one of the types below. This is used by the Amazon S3 Integration to map users in Immuta to the corresponding user type in AWS.

      • None (fallback to Immuta username): When selecting this option, the AWS username is assumed to be the same as the Immuta username.

      • AWS IAM role: Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.

      • AWS Identity Center user IDs: You must use the numeric User ID value found in AWS IAM Identity Center, not the user's email address.

    7. User's PostgreSQL Username

  10. Click Test Connection and Test User Login.

  11. Save your configuration.

Last updated

Was this helpful?