Managing SSO users’ access using User Groups
The Virtana Platform (VP) simplifies user access through Single Sign-On (SSO) and supports automatic onboarding and offboarding of users in a multi-tenant environment. Users gain or lose access to a specific tenant, or to the platform as a whole, without manual intervention, based entirely on their identity and group membership in the organization's identity provider, such as Okta or Azure AD.
Note
Virtana Platform has currently validated this feature only with the Azure OIDC-based SSO provider.
You must enable and configure the SSO for the domain that you use.
Auto-Onboarding
No invitation is required: Virtana Platform automatically creates a user profile from the information received from your identity provider.
The tenant is identified automatically: if multiple tenants or organizations exist in VP, the system determines which tenant the user belongs to from the user’s login information.
Access and roles are assigned automatically: based on the user’s SSO group membership in the identity provider (for example, Admin or Reader), VP places the user in the corresponding VP user group, which grants the matching access level (admin or reader).
For example, if the user is a member of the CloudOps-Admins group in SSO, the user is automatically given admin-level access in the VP CloudOps tenant.
Auto-Offboarding
When a user is removed from an SSO group, Virtana Platform automatically updates their access.
If the user is removed from an SSO group that is mapped to a specific tenant or organization in Virtana Platform, their access to that tenant or organization is removed.
If the user no longer belongs to any valid SSO groups in the identity provider, the system removes the user from all tenants and organizations in Virtana Platform.
Note
Auto-offboarding removes all of the user’s access to VP. Because of this impact, the feature is controlled by a feature flag. Contact Virtana Support to learn more and to have the feature enabled.
Auto-User group movement
When a user is moved from one SSO group to another, the user’s VP user group is updated at the next login according to the configured user group mapping. Until that login, an existing session keeps the access level it was granted when it started.
For example, if a user is currently a member of the CloudOps-Readers group in SSO and their role changes to admin, so that they are now a member of the CloudOps-Admins group, the user is automatically given admin-level access in the VP CloudOps tenant, provided an SSO mapping exists for an admin user group in the CloudOps tenant.
Execute the following steps to enable SSO group-based auto-onboarding, auto-offboarding, or user group movement within a tenant:
Create an Azure OIDC application. Click here to learn more.
Configure application roles (the app roles defined here are what the VP SSO mapper maps to user groups):
Navigate to the registered application.
Select App roles from the left menu.
Click Create app role.
Each role is defined by its display name, the allowed member types (users or groups), its unique value identifier, and a description. The value is the string that appears in the token’s roles claim, so it must exactly match the group name used in the VP mapping (for example, CloudOps-Admins).
Enter the values for each role and save the changes.
Assign the user to the above-created roles:
Navigate to Enterprise applications.
Go to the created application.
Go to Manage > Users and groups.
Click Add user/group.
Select the users who need to be a part of a specific role.
Select the role and save the changes.
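The following added example is not Virtana’s code or configuration; it models, with the Python standard library only, how the app roles created in the steps above end up in a token’s roles claim and how a mapper could turn them into the onboarding, offboarding and user group movement behaviour described in the sections above. The APP_ROLES entries are constructed data in the shape of an Azure app registration manifest, the ROLE_MAP, the admin-over-reader precedence and the feature flag handling are assumptions about the mapping, and the token is HMAC-signed (HS256) purely so the example runs offline; Azure AD issues RS256-signed tokens that must be verified against the tenant’s published keys.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed app-role definitions in the shape of the "appRoles" entries of an
# Azure app registration manifest (example data, not Virtana's configuration).
APP_ROLES = [
    {
        "id": str(uuid.uuid4()),
        "displayName": "CloudOps Admins",
        "allowedMemberTypes": ["User"],
        "value": "CloudOps-Admins",
        "description": "Admin access to the CloudOps tenant",
        "isEnabled": True,
    },
    {
        "id": str(uuid.uuid4()),
        "displayName": "CloudOps Readers",
        "allowedMemberTypes": ["User"],
        "value": "CloudOps-Readers",
        "description": "Read-only access to the CloudOps tenant",
        "isEnabled": True,
    },
]

# Assumed SSO mapping: role value (as it appears in the "roles" claim)
# -> (VP tenant, VP user group).
ROLE_MAP = {
    "CloudOps-Admins": ("CloudOps", "admin"),
    "CloudOps-Readers": ("CloudOps", "reader"),
}
# Assumption: if a user carries both roles for one tenant, the higher group wins.
GROUP_RANK = {"reader": 1, "admin": 2}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for the example only (Azure AD uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; raise on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid token signature")
    return json.loads(_unb64url(body))


def token_is_valid(token: str, key: bytes) -> bool:
    try:
        verify_token(token, key)
        return True
    except ValueError:
        return False


def resolve_access(claims: dict) -> dict:
    """Translate the 'roles' claim into {tenant: user_group}.
    Roles with no SSO mapping are ignored, so a user whose only roles are
    unmapped resolves to no access at all."""
    access = {}
    for role in claims.get("roles", []):
        if role not in ROLE_MAP:
            continue
        tenant, group = ROLE_MAP[role]
        if GROUP_RANK[group] > GROUP_RANK.get(access.get(tenant), 0):
            access[tenant] = group
    return access


def reconcile(current: dict, desired: dict, offboarding_enabled: bool) -> dict:
    """Apply onboarding and user-group moves unconditionally; apply removals
    only when the offboarding feature flag is on. Returns {tenant: group}."""
    result = dict(current)
    for tenant, group in desired.items():
        result[tenant] = group  # onboard into a tenant, or move user group
    if offboarding_enabled:
        for tenant in list(result):
            if tenant not in desired:
                del result[tenant]  # role dropped -> access to that tenant removed
    return result


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed key for the offline example
    tok = make_token({"sub": "user@example.com", "roles": ["CloudOps-Admins"]}, key)
    claims = verify_token(tok, key)
    # A reader in CloudOps who now carries the admin role is moved to admin.
    print(reconcile({"CloudOps": "reader"}, resolve_access(claims), True))
```

The APP_ROLES list mirrors the four fields the portal asks for in the app role step, plus the id and isEnabled fields the manifest carries; the value field is the only one the mapper compares, which is why it must match the mapped group name exactly. The reconcile step makes the feature flag explicit: with offboarding disabled, a user whose roles have all been removed keeps existing access until the flag is turned on.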