...

Open the Azure AD manifest file

Log into the Azure admin portal.

...

Click on the application in the list and open the Manifest blade to see the JSON manifest. You may edit this directly in the browser, or download the manifest file to your computer, edit the file locally, and then re-upload it with the modifications. It's up to you.

...

Create application roles in a manifest JSON file

The example below shows how to set up two roles, jira-software-users and jira-administrators, in the JSON file.

...

The manifest appRoles section before modification:

Code Block
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "UUID_DO_NOT_CHANGE",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": null
    }
],

And after adding the "jira-software-users" and "jira-administrators" application roles. Add a comma after the closing brace of the existing role, copy the two new blocks into your own JSON file, and generate a unique GUID for each new id (JSON does not allow comments, so keep the file free of them):

Code Block
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "UUID_DO_NOT_CHANGE",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": null
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "jira-software-users",
        "displayName": "jira-software-users",
        "id": "<NEW GENERATED UUID>",
        "isEnabled": true,
        "lang": null,
        "value": "jira-software-users"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "jira-administrators",
        "displayName": "jira-administrators",
        "id": "<NEW GENERATED UUID>",
        "isEnabled": true,
        "lang": null,
        "value": "jira-administrators"
    }
],

Also note that the value field is the actual claim value Azure AD includes in the SAML Response, so it must not be null, or the application role is effectively useless for group mapping. Each value must be unique within the appRoles array and each id must be a unique, well-formed GUID; leave the id of the existing msiam_access role exactly as it is, since existing assignments reference it. You may, of course, add any number of appRoles as your desired permission model requires.
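The manifest edit above is easy to get wrong by hand (a duplicated GUID, a copied value, a null value on a new role, or an accidental change to the existing id). The following script is an added example, not part of this page or of Kantega SSO: it appends app roles to a downloaded manifest the way the JSON above does and validates the result before anything is written. The msiam_access GUID in the embedded sample is a constructed placeholder; the file path and role names on the command line are assumptions for illustration.

```python
import json
import sys
import uuid

# Constructed sample of the appRoles section as downloaded from the portal.
# The msiam_access id is a placeholder GUID; in a real manifest it is the
# value Azure generated, and it must be left exactly as it is.
ORIGINAL_MANIFEST = {
    "appRoles": [
        {
            "allowedMemberTypes": ["User"],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "11111111-1111-1111-1111-111111111111",
            "isEnabled": True,
            "lang": None,
            "origin": "Application",
            "value": None,
        }
    ]
}


def new_app_role(name):
    """Build one appRole entry whose claim value equals its name."""
    return {
        "allowedMemberTypes": ["User"],
        "description": name,
        "displayName": name,
        "id": str(uuid.uuid4()),      # fresh, unique GUID per role
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": name,                # the string that ends up in the role claim
    }


def add_app_roles(manifest, names):
    """Return a copy of the manifest with one new appRole per name appended.
    Existing roles are copied untouched. A name that collides with an
    existing non-null value is rejected, because Azure AD requires role
    values to be unique within the application."""
    out = json.loads(json.dumps(manifest))  # deep copy, never mutate the input
    taken = {r["value"] for r in out["appRoles"] if r.get("value") is not None}
    for name in names:
        if name in taken:
            raise ValueError(f"appRole value {name!r} already exists")
        out["appRoles"].append(new_app_role(name))
        taken.add(name)
    return out


def validate_app_roles(manifest, original):
    """Return a list of problems; an empty list means the edit is safe to upload.
    Checks: every id is a well-formed, unique GUID; non-null values are unique;
    no original role id was changed or dropped; and every role added relative
    to the original has a non-null value (otherwise no claim is ever emitted)."""
    roles = manifest["appRoles"]
    problems = []
    ids = [r["id"] for r in roles]
    for i in ids:
        try:
            uuid.UUID(i)
        except ValueError:
            problems.append(f"malformed id {i!r}")
    if len(ids) != len(set(ids)):
        problems.append("duplicate id")
    values = [r["value"] for r in roles if r["value"] is not None]
    if len(values) != len(set(values)):
        problems.append("duplicate value")
    original_ids = {r["id"] for r in original["appRoles"]}
    if not original_ids <= set(ids):
        problems.append("an existing role id was changed or removed")
    for r in roles:
        if r["id"] not in original_ids and r["value"] is None:
            problems.append(f"new role {r['displayName']!r} has null value")
    return problems


if __name__ == "__main__":
    # Usage (assumed): python add_roles.py manifest.json role-name [role-name ...]
    # Reads the downloaded manifest, appends the roles and writes the file
    # back only when validation passes.
    path, names = sys.argv[1], sys.argv[2:]
    with open(path) as f:
        original = json.load(f)
    updated = add_app_roles(original, names)
    issues = validate_app_roles(updated, original)
    if issues:
        sys.exit("not written: " + "; ".join(issues))
    with open(path, "w") as f:
        json.dump(updated, f, indent=4)
```

Run it against the manifest you downloaded from the portal, then re-upload the file; the validation mirrors what the portal rejects on upload (duplicate ids or values) and what it silently accepts but which breaks the mapping (a null value on a new role).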

Mapping application roles to group memberships

When the manifest update is successful, the application roles should be defined. You must then map them to users and/or group memberships in Azure AD.

...

Azure AD should now be sending roles whenever users log in, though it sometimes takes a few minutes for these manifest and claims changes to propagate.

Setting up managed groups in Kantega SSO

Now enable managed groups in Kantega SSO if they are not already enabled, then run a new SAML login test. The SAML Response should now contain the application roles that map to the user's groups. The test page should recognize the Role claim and display it in the attribute list. Further down the page there should be a notification about the unmanaged groups claim, which can be configured further from there.
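To see what the test page is looking at, here is an added example (not code from this page or from Kantega SSO) that pulls the role claim values out of a SAML Response and maps them onto groups the application already knows. The attribute name used for the role claim is assumed to be the one Azure AD emits for app roles in SAML tokens; confirm it against the attribute list on the test page. Both SAML Responses below are constructed samples with signatures and conditions stripped, because the example only inspects the attribute statement.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (not Azure-specific).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed: the attribute name Azure AD uses for app roles in SAML tokens.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: a user assigned to both app roles.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>jira-software-users</saml:AttributeValue>
        <saml:AttributeValue>jira-administrators</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same user before any role was assigned, or before the
# manifest and claims changes have propagated. No role attribute is present.
SAMPLE_RESPONSE_NO_ROLES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def role_claims(response_xml):
    """Return every non-empty value of the role attribute, in document order.
    One Attribute element may carry several AttributeValue children, one per
    app role the user or one of their groups was assigned."""
    root = ET.fromstring(response_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                roles.append(value.text.strip())
    return roles


def roles_to_groups(roles, known_groups):
    """Map role claim values onto groups. Only exact matches to groups the
    application already knows are kept, so an unexpected role value can never
    create or grant membership in a group it was not meant for."""
    return [r for r in roles if r in known_groups]


def diagnose(response_xml, known_groups):
    """Summarise what a login test would show for this response."""
    roles = role_claims(response_xml)
    if not roles:
        return "no role claim: check the role assignment in Azure AD and allow a few minutes for propagation"
    groups = roles_to_groups(roles, known_groups)
    return f"roles={roles} groups={groups}"
```

This example reads attributes without verifying the Response signature; the SSO plugin verifies the signature before it trusts any attribute, and any code you write to inspect captured responses should do the same before acting on the roles.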

...