ADFS On-Premises

Overview

You can integrate Bridgecrew Cloud with ADFS to enable single sign-on for your organization's users. In parallel, you must invite users from the User Management page. You can choose either one of these methods for assigning permissions (but not both):
(a) Map ADFS groups to Bridgecrew permissions (roles and accounts)
(b) Set permissions per user from within Bridgecrew's User Management page.

📘

Note

This feature enables SSO access; in parallel, each user must be added to Bridgecrew Cloud from the User Management page.

Initial ADFS Setup

Configure Bridgecrew as a Relying Party Trust in ADFS

  1. Enter the ADFS Management tool - Go to Trust Relationships > Relying Party Trusts > Add relying party trusts and select Start.
  2. Select Enter data about the relying party manually and then Next.
  3. Enter bridgecrew as the relying party configuration and then select Next.
  4. On the Configure Certificate screen, select Next (do not browse or enter any values).
  5. Select Enable support for SAML 2.0 Web-SSO protocol, enter the URL shown below and select Next.
     https://auth.bridgecrew.cloud/saml2/idpresponse
  6. Add Bridgecrew's Amazon Cognito user pool URN - see below - as the relying party trust identifier and select Next.
     urn:amazon:cognito:sp:us-west-2_Ij9abDXU8
  7. Select an access control policy based on your organization's needs and then Next.
  8. Select Next and then Close.
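
The same relying party trust can be created and then audited from PowerShell. This is an added example, not Bridgecrew's own script; it assumes AD FS 2016 or later with the ADFS module, and the access control policy name is a stand-in for whichever policy your organization selects.

```powershell
# Added example (not from Bridgecrew). Run elevated on the primary AD FS server.
Import-Module ADFS

# Values taken from the steps above.
$Name       = 'bridgecrew'
$AcsUrl     = 'https://auth.bridgecrew.cloud/saml2/idpresponse'
$Identifier = 'urn:amazon:cognito:sp:us-west-2_Ij9abDXU8'
# Assumption: built-in policy used as a stand-in; replace with your organization's policy.
$AccessPolicy = 'Permit everyone'

# Create the trust only if it does not exist yet.
$trust = Get-AdfsRelyingPartyTrust -Name $Name
if (-not $trust) {
    $acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl
    Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Identifier `
        -SamlEndpoint $acs -AccessControlPolicyName $AccessPolicy
    $trust = Get-AdfsRelyingPartyTrust -Name $Name
}

# Audit the trust against the documented values.
$problems = @()
if (-not $trust.Enabled) { $problems += 'trust is disabled' }
if ($trust.Identifier -notcontains $Identifier) {
    $problems += "missing identifier $Identifier"
}
$extraIds = @($trust.Identifier | Where-Object { $_ -ne $Identifier })
if ($extraIds.Count -gt 0) {
    $problems += "unexpected identifiers: $($extraIds -join ', ')"
}
# Assertions must only be delivered to the documented consumer URL.
$consumers = @($trust.SamlEndpoints |
    Where-Object { "$($_.Protocol)" -eq 'SAMLAssertionConsumer' })
if ($consumers.Count -eq 0) { $problems += 'no assertion consumer endpoint' }
foreach ($ep in $consumers) {
    if ("$($ep.Location)" -ne $AcsUrl) {
        $problems += "unexpected assertion consumer URL: $($ep.Location)"
    }
}
# The Configure Certificate step above is left empty.
if ($trust.EncryptionCertificate) {
    $problems += 'an encryption certificate is set, but the steps leave it empty'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning "bridgecrew trust: $_" }
} else {
    Write-Output "bridgecrew trust matches the documented configuration."
}
```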

Claim Issuance Policy

  1. Right-click on the Bridgecrew Relying Trust and select Edit Claim Issuance Policy.
  2. Select Next (do not make any changes).
  3. Configure a Rule as shown below and select Finish.
  4. Select Close.
  5. Add another rule, using the configuration shown below.
  6. To support ADFS group mapping, add another rule, with the configuration shown below.
  7. Select Apply.

Configure IIS Bindings in ADFS

  1. From the IIS Manager, select Bindings.
  2. Add HTTP and HTTPS bindings as shown below.

In Bridgecrew

Overview

When you integrate Bridgecrew Cloud with ADFS you first enable SSO access and then set permissions either manually, per user, within Bridgecrew, or by mapping ADFS groups to Bridgecrew permissions.

Setup SSO Access

  1. Under Integrations, select Identity Provider from SSO.
  2. Select ADD SSO and then ADFS.
  3. Enter the email domain.
  4. Upload the metadata XML file.

Next you will either:

Enable & Configure Group Role Mapping

Overview

Each ADFS group can be mapped to a Bridgecrew role and a list of permitted accounts.

Mapping ADFS Groups

  1. On the lower half of the ADFS integration page enter the name of an ADFS group. Use Add to add a row for each group you want to map.
  2. Select a Bridgecrew role (see Roles for precise definitions).
  3. Select one or more permitted accounts.

📘

Notes

  1. You can use a single entry to associate multiple groups with a set of permissions (Role and permitted accounts). To do so, add the group names under ADFS Group, separated by commas.
  2. If you mistakenly enter the name of a group twice - once with lower and once with higher permissions - the higher-level permissions are applied.
  3. Only members of an ADFS group (and not of nested groups) are able to access Bridgecrew Cloud.
  4. Any permissions previously set manually are overridden by the ADFS group settings.
  5. At any time, you can disable ADFS mapping and set permissions manually instead.

Assign User Permissions Manually

  1. Under Settings, select User Management.
  2. Press Edit for a user.
  3. Set the user's role and permitted accounts.
  4. Press Save Changes.

Retrieve Login URL

After integrating with ADFS and assigning permissions (either manually or by group mapping), you can fetch the login URL.

  1. Select Show Details.
  2. Select Copy Login URL.

📘

Sharing the Login URL

Bridgecrew is now integrated with ADFS.
Share the login URL with relevant users.

