ADFS On-Premises
Overview
You can integrate Bridgecrew Cloud with ADFS to enable single sign-on for your organization's users. In parallel, you must invite users from the User Management page. You can choose either one of these methods for assigning permissions (but not both):
(a) Map ADFS groups to Bridgecrew permissions (roles and accounts)
(b) Set permissions per user from within Bridgecrew's User Management page.
Note
This features enables SSO access; in parallel, each user must be added to Bridgecrew Cloud, here.
How to Integrate
Part 1 - In ADFS
Initial ADFS Setup
Configure Bridgecrew as a Relying Party Trust in ADFS
- Enter the ADFS Management tool - Go to Trust Relationships > Relying Party Trusts > Add relying party trusts and select Start.
- Select Enter data about the relying party manually and then Next.
- Enter bridgecrew as the relying party configuration and then select Next.
- On the Configure Certificate screen, select Next (do not browse or enter any values).
- Select Enable support for SAML 2.0 Web-SSO protocol, enter the URL shown below and select Next.
https://auth.bridgecrew.cloud/saml2/idpresponse
- Add Bridgecrew's Amazon Cognito user pool URN - see below - as the relying party trust identifier and select Next.
urn:amazon:cognito:sp:us-west-2_Ij9abDXU8
- Select an access control policy based on your organization's needs and then Next.
- Select Next and then Close.
Claim Issuance Policy
- Right-click on the Bridgecrew Relying Trust and select Edit Claim Issuance Policy.
- Select Next (do not make any changes).
- Configure a Rule as shown below and select Finish.
- Select Close.
- Add another rule, using the configuration shown below.
- To support ADFS group mapping, add another rule, with the configuration shown below.
- Select Apply.
Configure IIS Bindings in ADFS
- From the IIS Manager, select Bindings.
- Add HTTP and HTTPS bindings as shown below.
Part 2 - In Bridgecrew
- From Integrations Catalog, under Single Sign-On Authentication, select ADFS/Azure AD.
- Enter the email domain.
- Upload the metadata XML file.
- Next you will either:
A. Mapping ADFS Groups
- Enter the name of an Azure AD group. Use Add to add a row for each group you want to map.
- Select a Member role (see Roles for precise definitions).
- Select one or more permitted accounts.
Note
If a user is a member of a group, the group permissions overrule the default SSO permissions for new users.
For example, if User A is a member of Group B, and Group B has different permissions from the default, then User A's permissions will be those defined for Group B, and not the default role and permissions defined for new SSO users.
- Select the default role for new users.
- Select which sources to make available to users by default, and select Done.
You can either permit access to all existing and future sources, or select specific sources from the source list for users to have access to.
Notes
- You can use a single entry to associate multiple groups with a set of permissions (Role and permitted accounts). To do so, add the group names under ADFS Group, separated by comma.
- If you mistakenly enter the name of a group twice - once with lower and once with higher permissions - the higher level permissions is applied.
- Only member of an ADFS group are able to access Bridgcrew Cloud (and not nested groups).
- Any permissions previously set manually are overridden by the ADFS group settings.
- At any time, you can disable ADFS mapping and set permissions manually instead.
B. Assign User Permissions Manually
- Under Settings, select User Management.
- Select Edit for a user.
- Set the user's role and permitted accounts.
- Select Save Changes.
Retrieve Login URL
After integrating with ADFS and assigning permissions (either manually or by group mapping), you can fetch the login URL.
1.. Select Show Details.
2 . Select Copy Login URL.
Sharing the Login URL
Bridgecrew is now integrated with ADFS.
Share the login URL with relevant users.
Updated about 1 year ago