Anthony_E (Staff)
November 5, 2024

Technical Tip: How to configure the role attribute (claim) with Azure AD using App Roles or Group Claim Conditions

Description:

This article describes how to configure the role attribute (claim) with Azure AD using App Roles or Group Claim Conditions.

Scope:

FortiDLP.

Solution:

Overview:

Depending on the particular Azure setup, it may not be feasible to use a predefined user attribute as the role in the Reveal infrastructure. Two alternative mechanisms are the 'App Roles' method and the 'Group Claim Conditions' method, both described below.

App Roles:

  • Navigate to the Azure AD Portal.
  • In the Azure services section, select App Registration.

  • Select All applications.
  • Search for the application’s name (e.g. Reveal UI) and select the application.
  • Select App roles.
  • Select Create App role.
  • For the parameter values:
    • Display name: It is recommended this matches the 'value' attribute below.
    • Allowed member types: Users/Groups.
    • Value: This must correspond to a role configured in the Reveal Platform, for example 'Built-in/Administrator'. However, as Azure does not allow spaces in this field, pre-defined roles whose names contain spaces cannot be used. In that case, create a custom role in the Reveal Platform whose name contains no spaces and which has sufficient permissions for the requirements.
    • Description: (Optional) Choose a description that explains the role in use.
  • Select Apply.
  • Repeat the role creation process for each different role required.
  • Navigate back to the homepage and in the Azure services section, select Enterprise Application.
  • Search for the application name (e.g. Reveal UI) and select the application.
  • Select Users and groups.
  • Select Add user/group.
    • Users and groups: Select the users or groups to assign a specific role to.
    • Select a role: Choose one of the roles created in the previous step, for example an 'Administrator' role.
    • Select Assign.
  • Select Single sign-on.
  • In the Attributes & Claims section, select Edit.
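
As an added check for the App Roles steps above (this is example code, not part of the original article or of the FortiDLP product), the following Python snippet inspects the `appRoles` array of an app registration manifest, which can be downloaded from the Manifest blade of the app registration, and reports every entry that will not map cleanly to a Reveal role: values containing spaces (which Azure rejects), values that differ from the display name (the article recommends they match), disabled roles, and values with no matching Reveal role. The manifest fragment, the GUIDs, the 'Built-in/Read Only' role name and the list of Reveal roles are all constructed for this example.

```python
import json
import re

# Constructed sample: a trimmed app-registration manifest fragment with an
# "appRoles" array in the shape Azure uses (allowedMemberTypes, description,
# displayName, id, isEnabled, value). GUIDs and role names are made up.
SAMPLE_MANIFEST = json.loads("""
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Full administrative access in Reveal",
      "displayName": "Custom/Administrator",
      "id": "00000000-0000-0000-0000-000000000001",
      "isEnabled": true,
      "value": "Custom/Administrator"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Hypothetical pre-defined role whose name contains a space",
      "displayName": "Built-in/Read Only",
      "id": "00000000-0000-0000-0000-000000000002",
      "isEnabled": true,
      "value": "Built-in/Read Only"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Role that was renamed in Reveal but not in Azure",
      "displayName": "Custom/Auditor",
      "id": "00000000-0000-0000-0000-000000000003",
      "isEnabled": true,
      "value": "Custom/Auditor"
    }
  ]
}
""")

# Constructed list of the roles that exist in the Reveal Platform.
REVEAL_ROLES = {"Built-in/Administrator", "Custom/Administrator", "Custom/Analyst"}


def check_app_roles(manifest, reveal_roles):
    """Return a list of (value, problem) tuples for every app role that will not work.

    Checks: the value must not be empty, must not contain whitespace (Azure does
    not accept spaces in an app role value), should equal the display name (the
    article's recommendation), the role must be enabled, and the value must name
    a role that exists in the Reveal Platform, otherwise the user arrives with a
    role the platform cannot map to any permissions.
    """
    problems = []
    for role in manifest.get("appRoles", []):
        value = role.get("value") or ""
        if not value:
            problems.append((value, "empty value"))
            continue
        if re.search(r"\s", value):
            problems.append((value, "contains whitespace; Azure does not allow spaces in an app role value"))
        if role.get("displayName") != value:
            problems.append((value, "displayName differs from value (recommended to match)"))
        if not role.get("isEnabled", False):
            problems.append((value, "role is disabled"))
        if value not in reveal_roles:
            problems.append((value, "no matching role in the Reveal Platform"))
    return problems


if __name__ == "__main__":
    for value, problem in check_app_roles(SAMPLE_MANIFEST, REVEAL_ROLES):
        print(f"{value!r}: {problem}")
```

Run against the constructed manifest, the first role passes, the second is flagged twice (whitespace, and no matching Reveal role because the space-containing name could not be created in Azure), and the third is flagged once because Reveal no longer has a role of that name. Keep the Reveal role list in the script current; a value that passes every Azure check but matches nothing in Reveal is the most common reason a user signs in and lands with no permissions.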
Group Claim Conditions:

  • Navigate to the Azure AD Portal.
  • In the Azure services section, select Enterprise Application.
  • Search for the application’s name (e.g. Reveal UI) and select the application.
  • Select Single sign-on.
  • In the Attributes & Claims section, select Edit.
  • Select Add a new claim.
    • User type: Any
    • Scoped Groups: Select the groups to assign a specific role to. (Note: ensure these groups have also been assigned to this application under Users and groups.)
    • Source: Attribute.
    • Value: This must correspond to a role configured in the Reveal Platform. Azure does not have restrictions on spaces in this field, so it is possible to use the pre-defined roles that contain spaces.
      • (Optional) It is also possible to create a custom role in the Reveal Platform that has sufficient permissions for the requirements.
  • (Optional) At this stage, it is possible to configure additional claim conditions and assign a 'value' that corresponds to a role for each group that is permitted to access the Reveal Platform.
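
Whichever of the two methods is used, the role reaches the service provider as a claim value, and the platform only grants permissions when that value matches a configured role exactly. The Python snippet below is an added example (not code from the original article or from FortiDLP) showing how such a claim set is resolved on the consuming side. For App Roles, Azure places the assigned app role values in the `roles` claim of a JWT and, in a SAML assertion, under the `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` attribute; for Group Claim Conditions the value arrives under whatever claim name was entered in Attributes & Claims, and `role` is an assumed name for that. The claim sets and Reveal role names are constructed for the example.

```python
from typing import Iterable

# Claim names under which the role value may arrive. "roles" and the SAML role
# attribute URI are the names Azure uses for App Roles; CUSTOM_ROLE_CLAIM is an
# assumed name for a claim created under "Attributes & Claims" (Group Claim Conditions).
APP_ROLES_JWT_CLAIM = "roles"
APP_ROLES_SAML_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CUSTOM_ROLE_CLAIM = "role"
ROLE_CLAIMS = (APP_ROLES_JWT_CLAIM, APP_ROLES_SAML_CLAIM, CUSTOM_ROLE_CLAIM)

# Constructed set of roles that exist in the Reveal Platform. Group claim
# condition values may contain spaces, app role values may not, so both kinds
# of name can legitimately appear here.
REVEAL_ROLES = frozenset({
    "Built-in/Administrator",
    "Custom/Administrator",
    "Custom/Analyst",
})

# Constructed sample claim sets, as they might look after decoding a token or assertion.
SAMPLE_APP_ROLE_JWT = {"sub": "user1", APP_ROLES_JWT_CLAIM: ["Custom/Administrator"]}
SAMPLE_APP_ROLE_SAML = {APP_ROLES_SAML_CLAIM: "Custom/Analyst"}
SAMPLE_GROUP_CONDITION = {CUSTOM_ROLE_CLAIM: "Built-in/Administrator"}
SAMPLE_UNKNOWN = {APP_ROLES_JWT_CLAIM: ["Custom/Auditor"]}  # no such Reveal role


def extract_role_values(claims: dict) -> list[str]:
    """Collect every role value present in the claim set, whatever the claim name.

    A decoded claim may hold a single string or a list of strings (a user
    assigned to more than one app role gets several values), so both shapes
    are accepted. Non-string entries are coerced so a malformed list cannot
    raise later.
    """
    values: list[str] = []
    for name in ROLE_CLAIMS:
        raw = claims.get(name)
        if raw is None:
            continue
        if isinstance(raw, str):
            values.append(raw)
        else:
            values.extend(str(v) for v in raw)
    return values


def resolve_reveal_roles(claims: dict, reveal_roles: Iterable[str] = REVEAL_ROLES) -> list[str]:
    """Return the sorted Reveal roles granted by the claims.

    Matching is exact and case-sensitive on purpose: a difference in case or
    spacing between the Azure value and the Reveal role name is a configuration
    error to fix in Azure, not something to paper over here. Unknown values are
    dropped rather than mapped to a fallback, so a token carrying only unknown
    values grants no role at all, which is the safe default.
    """
    known = set(reveal_roles)
    return sorted(set(extract_role_values(claims)) & known)


if __name__ == "__main__":
    for label, claims in [("app role (JWT)", SAMPLE_APP_ROLE_JWT),
                          ("app role (SAML)", SAMPLE_APP_ROLE_SAML),
                          ("group claim condition", SAMPLE_GROUP_CONDITION),
                          ("unknown value", SAMPLE_UNKNOWN)]:
        print(f"{label}: {resolve_reveal_roles(claims)}")
```

The function returns a list rather than a single role because a user assigned to several app roles, or present in several scoped groups, can legitimately carry more than one value; deciding whether the platform should take the union of those roles or the most restrictive one is a policy choice for the deployment, and the empty list is the result to treat as "deny".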