Overview

When you integrate Bridgecrew Cloud with Azure AD you first enable SSO access and then set permissions either manually, per user, within Bridgecrew, or by mapping Azure AD groups to Bridgecrew permissions.
You can integrate Bridgecrew Cloud with Azure AD to enable single sign-on for your organization's users. In parallel, invite users and set their permissions from the User Management page. You can choose either one of these methods for assigning permissions (but not both):
(a) Map Azure AD groups to Bridgecrew permissions (roles and accounts)
(b) Set permissions per user from within Bridgecrew's User Management page.

📘

Note

This feature enables SSO access; in parallel, each user must be added to Bridgecrew Cloud, here.

How to Integrate

Part 1 - In Azure AD

1. In the Azure AD console, create an Enterprise Application.

2. Select Set up single sign on, then select SAML.

3. Edit the basic SAML configuration:

• Entity ID: urn:amazon:cognito:sp:us-west-2_Ij9abDXU8
• Reply URL: https://auth.bridgecrew.cloud/saml2/idpresponse

4. User Attributes & Claims
   a. Edit Unique User Identifier (Name ID)
   b. Change Source attribute to user.mail

b. Create new optional claim and configure as shown below:

Name: emailaddress
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Source attribute: user.mail

c. For group mapping, create a Group Claim and configure as shown below:
http://schemas.xmlsoap.org/claims/Group

5. Download the metadata XML.

Part 2 - In Bridgecrew

1. From Integrations Catalog, under Single Sign-On Authentication, select ADFS/Azure AD.

2. Enter your allowed domain, then select Next.

3. Upload the metadata xml file and select Done.

4. you will either:

• Enable & Configure Group Role Mapping
  or
• Assign User Permissions Manually

A. Enable & Configure Group Role Mapping:

Each Azure AD group can be mapped to a Bridgecrew role and a list of permitted accounts.

Mapping Azure AD Groups

1. Enter the name of an Azure AD group. Use Add to add a row for each group you want to map.
2. Select a desired role (for instance, Member role as shown below) (see Roles for precise definitions).

3. Select one or more permitted accounts, and click Next.

📘

Note

If a user is a member of a group, the group permissions overrule the default SSO permissions for new users.
For example, if User A is a member of Group B, and Group B has different permissions from the default, then User A's permissions will be those defined for Group B, and not the default role and permissions defined for new SSO users.

4. Select the default role for new users.

5. Select which sources to make available to users by default, and select Done.
   You can either permit access to all existing and future sources, or select specific sources from the source list for users to have access to.

📘

Notes

1. You can use a single entry to associate multiple groups with a set of permissions (Role and permitted accounts). To do so, add the group names under Azure AD Group, separated by comma.
2. If you mistakenly enter the name of a group twice - once with lower and once with higher permissions - the higher level permissions is applied.
3. Only member of an Azure AD group are able to access Bridgcrew Cloud (and not nested groups).
4. Any permissions previously set manually are overridden by the Azure AD group settings.
5. At any time, you can disable Azure AD mapping and set permissions manually instead.

B. Assign User Permissions Manually

1. Under Settings, select User Management.
2. Select Edit for a user.

3. Set the user's role and permitted accounts.

4. Press Save Changes.

Retrieve Login URL

After integrating with ADFS and assigning permissions (either manually or by group mapping), you can fetch the login URL from the Integrations page.

You can provide this URL in the Azure AD configuration

📘

Sharing the Login URL

Bridgecrew is now integrated with ADFS.
Share the login URL with relevant users.