Managing SSO users’ accessibility using User Groups
Introduction
The Virtana Platform (VP) simplifies user access through Single Sign-On (SSO) and supports automatic onboarding and offboarding of users in a multi-tenant environment. Users gain or lose access to a specific tenant, or to the platform as a whole, without manual intervention, based entirely on their identity and group membership in the organization's identity provider (such as Okta or Azure AD).
Note
Virtana Platform has currently validated this feature only with the Azure OIDC-based SSO provider.
Prerequisites
You must enable and configure the SSO for the domain that you use.
Auto-Onboarding
No need to send an invitation to the user to access the VP: Virtana Platform automatically creates a user profile from the information received from your identity provider.
The tenant is identified automatically: if multiple tenants or organizations exist in VP, the system determines which tenant the user belongs to from the user's login information.
Access and roles are assigned automatically: based on the user's SSO group membership in the identity provider (for example, "Admin" or "Reader"), VP assigns the user to the corresponding user group in the platform, which gives the user the appropriate access level (admin or reader).
Example: if the user is a member of the "CloudOps-Admins" group in SSO, the user is automatically given admin-level access in the VP CloudOps tenant.
Auto-Offboarding
When a user is removed from an SSO group:
Virtana Platform automatically adjusts or revokes access.
If the user is removed from an SSO group that is mapped to a specific tenant or organization in VP, the user is removed from that tenant or organization in VP.
If the user no longer belongs to any valid SSO group in the identity provider, the user is removed from all tenants and organizations in VP.
Note
Auto-offboarding removes all of the user's access to VP. Because of this impact, the feature is controlled by a feature flag. Contact Virtana Support to learn more and to enable it.
Auto-User group movement
When a user is moved from one SSO group to another, the user's user group in VP is updated at the next login according to the configured user group mapping.
Example: if a user is currently a member of the "CloudOps-Readers" group in SSO, and their role then changes to admin so that they are now a member of the "CloudOps-Admin" group, the user is automatically given admin-level access in the VP CloudOps tenant, provided an SSO mapping exists for an admin user group in the CloudOps tenant.
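The onboarding, offboarding and user group movement rules above amount to a reconciliation of the user's tenant memberships against the SSO roles presented at login. The following is an added illustration of that logic, not Virtana Platform code: it assumes the app-role values arrive in an already-validated ID token, that each tenant is configured with a mapping from role value to VP user group, and that the tenant names, group names and the "most privileged group wins" rule are hypothetical.

```python
"""Reconcile a user's VP tenant memberships from validated SSO role claims.

Illustrative example, not Virtana Platform code. Assumes the IdP (Azure OIDC)
places the app-role values in the token's roles claim and that the token has
already been validated; never derive access from unverified claims.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample mapping: tenant -> {SSO role value: VP user group}
TENANT_ROLE_MAP = {
    "CloudOps": {"CloudOps-Admins": "admin", "CloudOps-Readers": "reader"},
    "Finance": {"Finance-Readers": "reader"},
}

# Assumption: if several mapped roles hit one tenant, the most privileged wins.
PRIVILEGE_ORDER = ("admin", "reader")


@dataclass(frozen=True)
class Change:
    tenant: str
    action: str            # "add" (onboard), "update" (group move), "remove" (offboard)
    group: Optional[str]   # target user group; None for a removal


def desired_memberships(roles: Iterable[str], tenant_role_map) -> Dict[str, str]:
    """Map validated SSO roles to {tenant: user_group}.
    Roles that are not mapped for any tenant grant nothing (no implicit access)."""
    role_set = set(roles)
    desired = {}
    for tenant, mapping in tenant_role_map.items():
        matched = {grp for role, grp in mapping.items() if role in role_set}
        if matched:
            desired[tenant] = min(matched, key=PRIVILEGE_ORDER.index)
    return desired


def reconcile(current: Dict[str, str], roles: Iterable[str], tenant_role_map,
              offboarding_enabled: bool = False) -> List[Change]:
    """Compute the membership changes to apply at login.
    current: {tenant: user_group} the user holds in VP today.
    Removals only happen when the auto-offboarding feature flag is enabled."""
    desired = desired_memberships(roles, tenant_role_map)
    changes = []
    for tenant, grp in desired.items():
        if tenant not in current:
            changes.append(Change(tenant, "add", grp))       # auto-onboarding
        elif current[tenant] != grp:
            changes.append(Change(tenant, "update", grp))    # user group movement
    if offboarding_enabled:
        for tenant in current:
            if tenant not in desired:
                changes.append(Change(tenant, "remove", None))  # auto-offboarding
    return changes
```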
Execute the following steps to enable SSO group-based auto-onboarding, auto-offboarding, or user group movement within the tenant:
Steps for Azure OIDC:
Create an Azure OIDC application (see the Azure documentation for details).
Configure application roles (this step is executed as part of the SSO mapper).
Navigate to the registered application.
Select App-roles from the left menu.
Click Create app role.
Define each role with:
Display name
Allowed member types (Users/Groups)
Value (unique identifier for the role)
Description
Enter the above values for each role and save changes.
Assign users to the roles created above:
Navigate to Enterprise applications.
Go to the created application.
Go to Manage > Users and groups.
Click Add user/group.
Select the users who need to be part of a specific role.
Select the role and save the changes.